Considerations on COM(2018)212 - Strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and family members exercising their right of free movement

Please note

This page contains a limited version of this dossier in the EU Monitor.

 
 
table>(1)The Treaty on the European Union (TEU) resolved to facilitate the free movement of persons while ensuring the safety and security of the peoples of Europe, by establishing an area of freedom, security and justice, in accordance with the provisions of the TEU and of the Treaty on the Functioning of the European Union (TFEU).
(2)Citizenship of the Union confers on every citizen of the Union the right of free movement, subject to certain limitations and conditions. Directive 2004/38/EC of the European Parliament and of the Council (3) gives effect to that right. Article 45 of the Charter of Fundamental Rights of the European Union (the Charter) also provides for freedom of movement and residence. Freedom of movement entails the right to exit and enter Member States with a valid identity card or passport.

(3)Pursuant to Directive 2004/38/EC, Member States are to issue and renew identity cards or passports to their nationals in accordance with national laws. Furthermore, that Directive provides that Member States may require Union citizens and their family members to register with the relevant authorities. Member States are required to issue registration certificates to Union citizens under the conditions set out therein. Pursuant to that Directive, Member States are also required to issue residence cards to family members who are not nationals of a Member State and, on application, to issue documents certifying permanent residence and to issue permanent residence cards.

(4)Directive 2004/38/EC provides that Member States may adopt the necessary measures to refuse, terminate or withdraw any right conferred by that Directive in the case of abuse of rights or fraud. Document forgery or false presentation of a material fact concerning the conditions attached to the right of residence have been identified as typical cases of fraud under that Directive.

(5)Considerable differences exist between the security levels of national identity cards issued by Member States and residence permits for Union nationals residing in another Member State and their family members. Those differences increase the risk of falsification and document fraud and also give rise to practical difficulties for citizens when they wish to exercise their right of free movement. Statistics from the European Document Fraud Risk Analysis Network show that incidents of fraudulent identity cards have increased over time.

(6)In its Communication of 14 September 2016 entitled ‘Enhancing security in a world of mobility: improved information exchange in the fight against terrorism and stronger external borders’, the Commission stressed that secure travel and identity documents are crucial whenever it is necessary to establish without doubt a person's identity, and announced that it would be presenting an action plan to tackle travel document fraud. According to that Communication, an improved approach relies on robust systems to prevent abuses and threats to internal security arising from failings in document security, in particular related to terrorism and cross-border crime.

(7)According to the Commission's Action Plan of 8 December 2016 to strengthen the European response to travel document fraud (the 2016 Action Plan), at least three quarters of fraudulent documents detected at the external borders, but also in the area without controls at internal borders, purport to have been issued by Member States and the Schengen associated countries. Less secure national identity cards issued by Member States are the most frequently detected false documents used for intra-Schengen travel.

(8)In order to deter identity fraud, Member States should ensure that the falsification and counterfeiting of identification documents and the use of such falsified or counterfeit documents are adequately penalised by their national law.

(9)The 2016 Action Plan addressed the risk from fraudulent identity cards and residence documents. The Commission, in the 2016 Action Plan, and in its 2017 EU Citizenship Report, committed itself to analysing policy options to improve the security of identity cards and residence documents.

(10)According to the 2016 Action Plan, issuing authentic and secure identity cards requires a reliable identity registration process and secure ‘breeder’ documents to support the application process. The Commission, the Member States and the relevant Union agencies should continue to work together to make breeder documents less vulnerable to fraud, given the increased use of false breeder documents.

(11)This Regulation does not require Member States to introduce identity cards or residence documents where they are not provided for under national law, nor does it affect the competence of the Member States to issue, under national law, other residence documents which fall outside the scope of Union law, for example residence cards issued to all residents on the territory regardless of their nationality.

(12)This Regulation does not prevent Member States from accepting, in a non-discriminatory manner, documents other than travel documents, for identification purposes, such as driving licences.

(13)Identification documents issued to citizens whose rights of free movement have been restricted in accordance with Union or national law, and which expressly indicate that they cannot be used as travel documents, should not be considered as falling within the scope of this Regulation.

(14)Travel documents compliant with part 5 of International Civil Aviation Organization (ICAO) Document 9303 on Machine Readable Travel Documents, (seventh edition, 2015) (‘ICAO Document 9303’), which do not serve identification purposes in the issuing Member States, such as the passport card issued by Ireland, should not be considered as falling within the scope of this Regulation.

(15)This Regulation does not affect the use of identity cards and residence documents with eID function by Member States for other purposes, nor does it affect the rules laid down in Regulation (EU) No 910/2014 of the European Parliament and of the Council (4), which provides for Union-wide mutual recognition of electronic identifications in access to public services and which helps citizens who are moving to another Member State, by requiring mutual recognition of electronic identification means subject to certain conditions. Improved identity cards should ensure easier identification and contribute to better access to services.

(16)Proper verification of identity cards and residence documents requires that Member States use the correct title for each type of document covered by this Regulation. In order to facilitate the checking of documents covered by this Regulation in other Member States, the document title should also appear in at least one additional official language of the institutions of the Union. Where Member States already use, for identity cards, well-established designations other than the title ‘identity card’, they should be able to continue to do so in their official language or languages. However, no new designations should be introduced in the future.

(17)Security features are necessary to verify if a document is authentic and to establish the identity of a person. The establishment of minimum security standards and the integration of biometric data in identity cards and in residence cards of family members who are not nationals of a Member State are important steps in rendering their use in the Union more secure. The inclusion of such biometric identifiers should allow Union citizens to fully benefit from their rights of free movement.

(18)The storage of a facial image and two fingerprints (‘biometric data’) on identity and residence cards, as already provided for in respect of biometric passports and residence permits for third-country nationals, represents an appropriate combination of reliable identification and authentication with a reduced risk of fraud, for the purpose of strengthening the security of identity and residence cards.

(19)As a general practice, Member States should, for the verification of the authenticity of the document and the identity of the holder, primarily verify the facial image and, where necessary to confirm without doubt the authenticity of the document and the identity of the holder, Member States should also verify the fingerprints.

(20)Members States should ensure that, in cases where a verification of biometric data does not confirm the authenticity of the document or the identity of its holder, a compulsory manual check is carried out by qualified staff.

(21)This Regulation does not provide a legal basis for setting up or maintaining databases at national level for the storage of biometric data in Member States, which is a matter of national law that needs to comply with Union law regarding data protection. Moreover, this Regulation does not provide a legal basis for setting up or maintaining a centralised database at Union level.

(22)Biometric identifiers should be collected and stored in the storage medium of identity cards and residence documents for the purposes of verifying the authenticity of the document and the identity of the holder. Such a verification should only be carried out by duly authorised staff and only when the document is required to be produced by law. Moreover, biometric data stored for the purpose of the personalisation of identity cards or residence documents should be kept in a highly secure manner and only until the date of collection of the document and, in any case, no longer than 90 days from the date of issue of the document. After that period, those biometric data should be immediately erased or destroyed. This should be without prejudice to any other processing of these data in accordance with Union and national law regarding data protection.

(23)The specifications of ICAO Document 9303 which ensure global interoperability including in relation to machine readability and use of visual inspection should be taken into account for the purpose of this Regulation.

(24)Member States should be able to decide whether to include a person's gender on a document covered by this Regulation. Where a Member State includes a person's gender on such a document, the specifications of ICAO Document 9303 ‘F’, ‘M’ or ‘X’ or the corresponding single initial used in the language or languages of that Member State should be used, as appropriate.

(25)Implementing powers should be conferred on the Commission in order to ensure that future security standards and technical specifications adopted pursuant to Council Regulation (EC) No 1030/2002 (5) are duly taken into account, where appropriate, for identity cards and residence cards. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (6). To that end, the Commission should be assisted by the Committee established by Article 6 of Council Regulation (EC) No 1683/95 (7). Where necessary, it should be possible for the implementing acts adopted to remain secret in order to prevent the risk of counterfeiting and falsifications.

(26)Member States should ensure that appropriate and effective procedures for the collection of biometric identifiers are in place and that such procedures comply with the rights and principles set out in the Charter, the Convention for the Protection of Human Rights and Fundamental Freedoms of the Council of Europe and the United Nations Convention on the Rights of the Child. Member States should ensure that the best interest of the child is a primary consideration throughout the collection procedure. To that end, qualified staff should receive appropriate training on child-friendly practices for the collecting of biometric identifiers.

(27)Where difficulties are encountered in the collection of biometric identifiers, Member States should ensure that appropriate procedures are in place to respect the dignity of the person concerned. Therefore, specific considerations relating to gender, and to the specific needs of children and of vulnerable persons should be taken into account.

(28)The introduction of minimum security and format standards for identity cards should allow Member States to rely on the authenticity of those documents when Union citizens exercise their right of free movement. The introduction of reinforced security standards should provide sufficient guarantees to public authorities and private entities to enable them to rely on the authenticity of identity cards when used by Union citizens for identification purposes.

(29)A distinguishing sign in the form of the two-letter country code of the Member State issuing the document, printed in negative in a blue rectangle and encircled by 12 yellow stars, facilitates the visual inspection of the document, in particular when the holder is exercising the right of free movement.

(30)While the option to provide for additional national features is maintained, Member States should ensure that those features do not diminish the efficiency of the common security features or negatively affect the cross-border compatibility of the identity cards, such as the capability that the identity cards can be read by machines used by Member States other than those which issue the identity cards.

(31)The introduction of security standards in identity cards and in residence cards of family members who are not nationals of a Member State should not result in a disproportionate increase in fees for Union citizens or third-country nationals. Member States should take this principle into consideration when issuing calls for tender.

(32)Member States should take all necessary steps to ensure that biometric data correctly identify the person to whom an identity card is issued. To this end, Member States could consider collecting biometric identifiers, particularly the facial image, by means of live enrolment by the national authorities issuing identity cards.

(33)Member States should exchange with each other such information as is necessary to access, authenticate and verify the information contained on the secure storage medium. The formats used for the secure storage medium should be interoperable, including in respect of automated border crossing points.

(34)Directive 2004/38/EC addresses the situation where Union citizens, or family members of Union citizens who are not nationals of a Member State, who do not have the necessary travel documents are to be given every reasonable opportunity to prove by other means that they are covered by the right of free movement. Such means can include identification documents used on a provisional basis and residence cards issued to such family members.

(35)This Regulation respects the obligations set out in the Charter and in the United Nations Convention on the Rights of Persons with Disabilities. Therefore, Member States are encouraged to work with the Commission to integrate additional features that render identity cards more accessible and user-friendly to people with disabilities, such as visually impaired persons. Member States are to explore the use of solutions, such as mobile registration devices, for the issuance of identity cards to persons incapable of visiting the authorities responsible for issuing identity cards.

(36)Residence documents issued to citizens of the Union should include specific information to ensure that they are identified as such in all Member States. This should facilitate the recognition of the Union citizen's use of the right of free movement and of the rights inherent to this use, but harmonisation should not go beyond what is appropriate to address the weaknesses of current documents. Member States are free to select the format in which these documents are issued and could issue them in a format complying with the specifications of ICAO Document 9303.

(37)As regards residence documents issued to family members who are not nationals of a Member State, it is appropriate to make use of the same format and security features as those provided for in Regulation (EC) No 1030/2002 as amended by Regulation (EU) 2017/1954 of the European Parliament and of the Council (8). In addition to proving the right of residence, those documents also exempt their holders who are otherwise subject to a visa obligation from the requirement to obtain a visa when accompanying or joining the Union citizen within the Union territory.

(38)Directive 2004/38/EC provides that documents issued to family members who are not nationals of a Member State are to be called ‘Residence card of a family member of a Union citizen’. In order to facilitate their identification, residence cards of a family member of a Union citizen should bear a standardised title and code.

(39)Taking into account both the security risk and the costs incurred by Member States, identity cards as well as residence cards of a family member of a Union citizen with insufficient security standards should be phased out. In general, a phasing-out period of ten years for identity cards and five years for residence cards should be sufficient to strike a balance between the frequency with which documents are usually replaced and the need to fill the existing security gap within the Union. However, for cards which do not have important security features, or are not machine readable, a shorter phasing-out period is necessary on security grounds.

(40)Regulation (EU) 2016/679 of the European Parliament and of the Council (9) applies with regard to the personal data to be processed in the context of the application of this Regulation. It is necessary to further specify safeguards applicable to the processed personal data and in particular to sensitive data such as biometric identifiers. Data subjects should be made aware of the existence in their documents of the storage medium containing their biometric data including its accessibility in contactless form as well as of all instances where the data contained in their identity cards and residence documents are used. In any case, data subjects should have access to personal data processed in their identity cards and residence documents and should have the right to have them rectified by way of issuance of a new document where such data is erroneous or incomplete. The storage medium should be highly secure and effectively protect personal data stored on it from unauthorised access.

(41)Member States should be responsible for the proper processing of biometric data, from collection to integration of the data on the highly secure storage medium, in accordance with Regulation (EU) 2016/679.

(42)Member States should exercise particular caution when cooperating with an external service provider. Such cooperation should not exclude any liability of the Member States arising under Union or national law for breaches of obligations with regard to personal data.

(43)It is necessary to specify in this Regulation the basis for the collection and storage of data on the storage medium of identity cards and residence documents. In accordance with Union or national law and respecting the principles of necessity and proportionality, Member States should be able to store other data on a storage medium for electronic services or for other purposes relating to the identity card or residence document. The processing of such other data including their collection and the purposes for which they can be used should be authorised by Union or national law. All national data should be physically or logically separated from biometric data referred to in this Regulation and should be processed in accordance with Regulation (EU) 2016/679.

(44)Member States should apply this Regulation at the latest 24 months after the date of its entry into force. As from the date of application of this Regulation, Member States should only issue documents which respect the requirements set out in this Regulation.

(45)The Commission should report on the implementation of this Regulation two years, and 11 years, respectively, after its date of application, including on the appropriateness of the level of security, taking into account its impact on fundamental rights and data protection principles. In accordance with the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (10), the Commission should, six years after the date of application of this Regulation, and every six years thereafter, carry out an evaluation of this Regulation on the basis of information gathered through specific monitoring arrangements, in order to assess the actual effects of this Regulation and the need for any further action. For the purpose of monitoring, Member States should collect statistics on the number of identity cards and residence documents which they issued.

(46)Since the objectives of this Regulation, namely to enhance security and to facilitate the exercise of the rights of free movement by Union citizens and their family members cannot be sufficiently achieved by the Member States but can rather, by reason of the scale and effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.

(47)This Regulation respects the fundamental rights and observes the principles recognised in particular by the Charter including human dignity, the right to the integrity of the person, the prohibition of inhuman or degrading treatment, the right to equality before the law and non-discrimination, the rights of children, the rights of the elderly, respect for private and family life, the right to the protection of personal data, the right of free movement and the right to an effective remedy. Member States should comply with the Charter when implementing this Regulation.

(48)The European Data Protection Supervisor and the Fundamental Rights Agency issued opinions on 10 August 2018 (11) and on 5 September 2018 (12) respectively,