Implementing decision 2016/1345 - Minimum data quality standards for fingerprint records within the second generation Schengen Information System (SIS II) (notified under document C(2016) 4988)


6.8.2016 | EN | Official Journal of the European Union | L 213/15

 

COMMISSION IMPLEMENTING DECISION (EU) 2016/1345

of 4 August 2016

on minimum data quality standards for fingerprint records within the second generation Schengen Information System (SIS II)

(notified under document C(2016) 4988)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (1), and in particular point (a) of Article 22 thereof,

Having regard to Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (2), and in particular point (a) of Article 22 thereof,

Whereas:

 

(1) The second generation Schengen Information System (SIS II) started operation on 9 April 2013 when Regulation (EC) No 1987/2006 and Decision 2007/533/JHA became applicable.

 

(2) SIS II enables competent authorities, such as police and border guards, to enter and consult alerts on certain categories of wanted or missing persons and objects. For alerts on persons the minimum data-set is name, sex, a reference to the decision giving rise to the alert, and the action to be taken. In addition, when available, photographs and fingerprints are to be added.

 

(3) SIS II enables to store and process fingerprints in order to confirm the identity of the persons located as a result of an alphanumeric search. In addition, the inclusion of an Automated Fingerprint Identification System (AFIS) in SIS II should allow the identification of persons on the basis of their fingerprints.

 

(4) Quality, accuracy and completeness of fingerprint records are key success factors for SIS II to reach its full potential. Due to the increasing input and processing of fingerprint records in SIS II, and the upcoming inclusion of an AFIS in SIS II, it is necessary to define the minimum data quality standards for fingerprint records used for biometric identification and verification.

 

(5) Further specifications should be developed at a later stage when the detailed technical specifications of the future Automated Fingerprint Identification System (AFIS) is defined.

 

(6) The SIS II fingerprint input format, which should be based on a National Institute of Standards and Technology standard, is not part of this decision. It should be defined in the Interface Control Document.

 

(7) Provisions on the protection of personal data and security of data in SIS II are set out in Regulation (EC) No 1987/2006 and Decision 2007/533/JHA which equally apply for the processing of fingerprints in SIS II. In particular, any processing of fingerprints is confined to processing operation authorised under Articles 22(c) of Regulation (EC) No 1987/2006 and Decision 2007/533/JHA. The processing of fingerprints within SIS II must also comply with applicable national provisions on data protection implementing Directive 95/46/EC of the European Parliament and of the Council (3) which will be replaced by Regulation (EU) 2016/679 of the European Parliament and of the Council (4), and Council Framework Decision 2008/977/JHA (5) which will be replaced by Directive (EU) 2016/680 of the European Parliament and of the Council (6).

 

(8) Given that Regulation (EC) No 1987/2006 builds upon the Schengen acquis, Denmark, in accordance with Article 5 of the Protocol on the position of Denmark annexed to the Treaty on European Union and the Treaty establishing the European Community, notified by letter of 15 June 2007 the transposition of this acquis into its national law. Denmark participates in Decision 2007/533/JHA. It is therefore bound to implement this Decision.

 

(9) The United Kingdom does not take part in Regulation (EC) No 1987/2006 as a consequence of which it cannot search and enter alerts on refusal of entry or stay regarding third country nationals. The United Kingdom is taking part in this Decision to the extent that it does not concern the alerts based on Articles 24 and 25 of Regulation (EC) No 1987/2006, in accordance with Article 5(1) of Protocol No 19 on the Schengen acquis integrated into the framework of the European Union, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, and Article 8(2) of Council Decision 2000/365/EC (7).

 

(10) Ireland does not take part in Regulation (EC) No 1987/2006 as a consequence of which it cannot search and enter alerts on refusal of entry or stay regarding third country nationals. Ireland is taking part in this Decision to the extent that it does not concern the alerts based on Articles 24 and 25 of Regulation (EC) No 1987/2006, in accordance with Article 5(1) of Protocol No 19 on the Schengen acquis integrated into the framework of the European Union annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, and Article 6(2) of Council Decision 2002/192/EC (8).

 

(11) This Decision constitutes an act building upon, or otherwise relating to, the Schengen acquis within, respectively, the meaning of Article 3(2) of the 2003 Act of Accession, Article 4(2) of the 2005 Act of Accession and Article 4(2) of the 2011 Act of Accession.

 

(12) As regards Iceland and Norway, this Decision constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the latters' association with the implementation, application and development of the Schengen acquis (9), which fall within the area referred to in Article 1, point G of Council Decision 1999/437/EC (10).

 

(13) As regards Switzerland, this Decision constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement signed between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis (11), which falls within the area referred to in Article 1, point G of Council Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/146/EC (12) and with Article 3 of Council Decision 2008/149/JHA (13).

 

(14) As regards Liechtenstein, this Decision constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis (14), which fall within the area referred to in Article 1, point G, of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/349/EU (15) and Article 3 of Council Decision 2011/350/EU (16).

 

(15) The European Data Protection Supervisor delivered an opinion on 27 June 2016.

 

(16) The measures provided for in this Decision are in accordance with the opinion of the Committee set up by Article 51 of Regulation (EC) No 1987/2006 and Article 67 of Decision 2007/533/JHA,

HAS ADOPTED THIS DECISION:

Article 1

1. The minimum data quality standards set out in the Annex shall apply to all fingerprint records used within SIS II.

2. The fingerprint input format used within SIS II, which does not comply with the standards set out in the Annex, shall be rejected by the Central System of SIS II (CS-SIS) and shall not be used or stored.

3. Compliant fingerprint input format that contains fingerprints below the quality threshold shall not be inserted into the Automated Fingerprint Identification System to permit searching. These files shall be stored in SIS II and may be used only to confirm a person's identity in accordance with Articles 22(b) of Regulation (EC) No 1987/2006 and Decision 2007/533/JHA.

Article 2

This Decision is addressed to the Member States.

Done at Brussels, 4 August 2016.

For the Commission

Dimitris AVRAMOPOULOS

Member of the Commission

 

(3) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).

(4) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(5) Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (OJ L 350, 30.12.2008, p. 60).

(6) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).

(7) Council Decision 2000/365/EC of 29 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen acquis (OJ L 131, 1.6.2000, p. 43).

(8) Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen acquis (OJ L 64, 7.3.2002, p. 20).

(10) Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (OJ L 176, 10.7.1999, p. 31).

(12) Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis (OJ L 53, 27.2.2008, p. 1).

(13) Council Decision 2008/149/JHA of 28 January 2008 on the conclusion on behalf of the European Union of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis (OJ L 53, 27.2.2008, p. 50).

(15) Council Decision 2011/349/EU of 7 March 2011 on the conclusion on behalf of the European Union of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis, relating in particular to judicial cooperation in criminal matters and police cooperation (OJ L 160, 18.6.2011, p. 1).

(16) Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis, relating to the abolition of checks at internal borders and movement of persons (OJ L 160, 18.6.2011, p. 19).
 

ANNEX

1.   OBJECTIVE

This annex sets forth minimum requirements relating to standards and input formats which are to be met when capturing and transmitting biometric (fingerprint) data to SIS II.

2.   FILE AND COMPRESSION FORMAT

The input format of fingerprint images (and their accompanying alphanumeric data) shall be compliant with the ANSI/NIST (1) binary format. The SIS II fingerprint input format shall be based on a NIST standard and shall become part of the SIS II Interface Control Document (SIS II ICD). Only the specific SIS NIST (based on one specific version of the ANSI/NIST format) definition shall be used and enforced.

3.   DEVICES

The CS-SIS AFIS shall be compatible and interoperable with data captured using live-scan devices at the national level which are capable of capturing and segmenting up to 10 individual fingerprints; rolled, flat or both.

The CS-SIS AFIS shall be compatible and interoperable with ‘inked’ fingerprints, acquired before the date of this Decision; rolled, flat or both, which were then digitally scanned at the relevant quality and resolution.

3.1.   Image format and Resolution

The Central System of SIS II (CS-SIS) shall receive fingerprint images of a nominal resolution of either 1 000 dpi or of 500 dpi with 256 grey levels.

500 dpi images shall be sent using the WSQ format while 1 000 dpi images must be in JPEG2000 (JP2).

4.   REQUIREMENTS

The following requirements, for use with live-scan and paper-scan devices, must be met:

4.1.   Quality

The CS-SIS AFIS shall establish quality thresholds for accepting fingerprints. A check on quality must be performed locally by Member States prior to sending the images to SIS II, which must meet the specifications that will be defined in accordance with Article 51 of Regulation (EC) No 1987/2006 and Article 67 of Decision 2007/533/JHA.

Fingerprint images that do not meet the quality threshold determined by the CS-SIS AFIS shall not be inserted for automated searching, but shall be stored in SIS to confirm the identity of a person pursuant to point (b) of Article 22 of Regulation (EC) No 1987/2006 and point (b) of Article 22 of Decision 2007/533/JHA.

If a non-compliant SIS NIST file is rejected, an automatic message shall be sent to the Member State explaining the issue.

If the SIS NIST file is compliant with the ICD, but the content is of insufficient quality for identification purposes in the AFIS, an automatic message shall be sent to the Member State clarifying that the fingerprints cannot be used for identification purposes (enrolment or search). This mechanism provides the opportunity for the Member State to re-capture the prints and send a new set to the central system.

The quality threshold may be modified in the future.

The management authority shall provide, maintain and update a tool for checking quality and deliver it to the Member States in order to ensure the same level of quality check and to avoid low-quality data.

5.   USE OF FINGERPRINTS FOR STORING AND INSERTING

CS-SIS AFIS shall insert into the biometric database the fingerprint images above the quality threshold with at most one image per finger type (NIST identification 1 to 10), therefore meaning between 1 to 10 flat prints and 1 to 10 rolled fingerprints. Each fingerprint image shall be correctly labelled as to which finger it relates. Missing or bandaged fingerprints shall always be identified accordingly as specified by the SIS II ICD in compliance with the NIST standard. All fingerprint images shall be retained by CS-SIS, allowing rejected fingerprints to be used for verification purposes. As an exception, partial (low quality) fingerprint images may be used for storing and inserting where this concerns missing persons.
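Article 1 and points 3.1, 4.1 and 5 of this Annex together amount to a routing decision for each incoming file; the Python sketch below is an added illustration of that decision and is not part of the Decision or of any SIS II component. The `Image` fields, the numeric quality score and the `threshold` argument are assumptions (the Decision leaves the threshold to the CS-SIS AFIS and the file layout to the SIS II ICD), as is treating a second image for the same finger type as a format error.

```python
from dataclasses import dataclass

# Annex 3.1: 500 dpi images arrive as WSQ, 1 000 dpi images as JPEG2000 (JP2).
ALLOWED_ENCODING = {500: "WSQ", 1000: "JP2"}

@dataclass(frozen=True)
class Image:
    finger: int       # NIST finger identification, 1 to 10
    impression: str   # "flat" or "rolled"
    dpi: int
    codec: str
    grey_levels: int
    quality: int      # hypothetical score, higher is better

def format_errors(images):
    """Reasons the file fails the Annex format rules; empty list if compliant."""
    errors, seen = [], set()
    if not images:
        errors.append("no fingerprint image in file")
    for img in images:
        label = f"{img.impression} finger {img.finger}"
        if img.impression not in ("flat", "rolled") or not 1 <= img.finger <= 10:
            errors.append(f"{label}: unknown impression or finger type")
        if ALLOWED_ENCODING.get(img.dpi) != img.codec:
            errors.append(f"{label}: {img.dpi} dpi as {img.codec} not accepted")
        if img.grey_levels != 256:  # read here as applying to both resolutions
            errors.append(f"{label}: {img.grey_levels} grey levels, expected 256")
        if (img.impression, img.finger) in seen:
            errors.append(f"{label}: more than one image for this finger type")
        seen.add((img.impression, img.finger))
    return errors

def triage(images, threshold, missing_person=False):
    """Route one file: reject it, or split its images into AFIS / verify-only."""
    errors = format_errors(images)
    if errors:  # Article 1(2): not used, not stored, Member State told why
        return {"stored": False, "afis": [], "verify_only": [], "notify": errors}
    afis, verify_only = [], []
    for img in images:
        # Annex 5 exception: low-quality prints may be inserted for missing persons.
        searchable = img.quality >= threshold or missing_person
        (afis if searchable else verify_only).append((img.impression, img.finger))
    notify = [f"{i} finger {f}: below threshold, not usable for identification"
              for i, f in verify_only]
    return {"stored": True, "afis": afis, "verify_only": verify_only, "notify": notify}

if __name__ == "__main__":
    # Constructed sample: two flat prints at 500 dpi, one of them poor quality.
    sample = [Image(1, "flat", 500, "WSQ", 256, 80),
              Image(2, "flat", 500, "WSQ", 256, 20)]
    print(triage(sample, threshold=50))
```

Marking of missing or bandaged fingers is not modelled, because its encoding is defined in the SIS II ICD rather than in this Annex.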

6.   USE OF FINGERPRINTS FOR BIOMETRIC IDENTIFICATIONS AND SEARCHES

CS-SIS AFIS shall perform biometric searches (biometric identifications) using the fingerprint images above the quality threshold and with at most one image per finger type (NIST identification 1 to 10). Each fingerprint image shall be correctly labelled as to which finger it relates. Missing or bandaged fingerprints shall always be identified accordingly as specified by the SIS II ICD in compliance with the NIST standard.

7.   USE OF FINGERPRINTS FOR BIOMETRIC VERIFICATIONS

CS-SIS AFIS shall be able to perform biometric verifications with any number of flat or rolled fingerprints between 1 and 10. Each NIST file shall contain at most one image per finger type (NIST identification 1 to 10). The use of ‘permutations’ (2) shall be performed for verifications by CS-SIS AFIS regardless of the fingerprint labelling. Missing or bandaged fingerprints shall always be identified accordingly as specified by the SIS II ICD in compliance with the NIST standard.

 

(1) American National Standard for Information Systems / National Institute of Standards and Technology.

(2) Permutations instruct CS-SIS AFIS to perform repetitive verification between the source fingerprint(s) and all candidate fingerprints available (mostly 10) until either a positive verification takes place or all candidate fingerprints have been searched without producing a positive verification.
 

This summary has been adopted from EUR-Lex.