According to leaked internal European Union documents, the EU could soon be creating a network of national police facial recognition databases. A report drawn up by the national police forces of 10 EU member states, led by Austria, calls for the introduction of EU legislation to introduce and interconnect such databases in every member state. The report, which The Intercept obtained from a European official who is concerned about the network’s development, was circulated among EU and national officials in November 2019. If previous data-sharing arrangements are a guide, the new facial recognition network will likely be connected to similar databases in the U.S., creating what privacy researchers are calling a massive transatlantic consolidation of biometric data.

A police investigator in Spain is trying to solve a crime, but she only has an image of a suspect’s face, caught by a nearby security camera. European police have long had access to fingerprint and DNA databases throughout the 27 countries of the European Union and, in certain cases, the United States. But soon, that investigator may be able to also search a network of police face databases spanning the whole of Europe and the U.S.

The report was produced as part of discussions on expanding the Prüm system , an EU-wide initiative connecting DNA, fingerprint, and vehicle registration databases for mutual searching. A similar system exists between the U.S. and any country that is part of the Visa Waiver Program, which includes the majority of EU countries; bilateral agreements allow U.S. and European agencies to access one another’s fingerprint and DNA databases.

“This is concerning on a national level and on a European level, especially as some EU countries veer towards more authoritarian governments.”

Although new legislation following the report’s recommendation is not yet on the table, preparatory work is ongoing. Information provided by the European Commission to the European Parliament last November shows that almost 700,000 euros (about $750,000) are going to a study by consultancy firm Deloitte on possible changes to the Prüm system, with one part of the work looking at facial recognition technology. The European Commission has also, separately, paid 500,000 euros to a consortium of public agencies led by the Estonian Forensic Science Institute to “map the current situation of facial recognition in criminal investigations in all EU Member States,” with the aim of moving “towards the possible exchange of facial data,” according to a project presentation sent to national representatives in Brussels.

“This is concerning on a national level and on a European level, especially as some EU countries veer towards more authoritarian governments,” said Edin Omanovic, advocacy director for Privacy International. Omanovic worries about a pan-European face database being used for “politically motivated surveillance” and not just standard police work. The possibility of pervasive, unjustified, or illegal surveillance is one of many critiques of facial recognition technology. Another is that it is notoriously inaccurate, particularly for people of color.

“Without the transparency and legal safeguards for facial recognition technology to be lawful,” said Omanovic, “there should be a moratorium on it.”

The EU has taken big steps to connect a host of migration and security databases in recent years. New legislation passed last April established a database that will hold the fingerprints, facial images, and other personal data of up to 300 million non-EU nationals, merging data from five separate systems. According to the report by 10 police forces, Deloitte consultants proposed doing the same with police facial images, but the idea was met with unanimous opposition from law enforcement officials.

Nonetheless, the report recommends linking all of EU member states’ facial databases, which would seem to have the same practical effect. In another internal EU police report — this one from a working group on Prüm that looked at the exchange of drivers’ license data — police note that “a network of interconnected national registers can be regarded as a virtual European register.”

To the police, the advantages of interlinked facial recognition databases are clear. The Austria-led report views the technology as a “highly suitable” biometric tool for identifying unknown suspects and suggests that the databases should be created and linked “as quickly as possible.” It also recognizes the need for data protection safeguards, such as human verification of any automated matches, but privacy experts argue that the creation of any such system is the first step toward greater sharing and linking of data where such controls are inadequate.

European moves to consolidate police facial recognition data closely resembles similar efforts in the U.S., said Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union. Many U.S. law enforcement agencies work out of “fusion centers,” where they are co-located and able to share data. If you have an information-sharing agreement with the FBI or the Department of Homeland Security, said Guliani, “there’s a risk that functionally the information may be shared with additional levels of U.S. law enforcement.”

“It raises many questions,” she added. “How police are using facial recognition and gathering images, as well as in the U.S. with regard to due process and First Amendment expression. Given existing information sharing relationships, it’s very likely that the U.S. would want access to that information.”

As far back as 2004, the U.S. Embassy in Brussels was calling for a relationship with the EU that allowed “expansive exchanges and sharing all forms of data, including personal data.” In recent years, efforts toward that goal have intensified. According to a Government Accountability Office report, in 2015, the Department of Homeland Security began demanding the implementation of the data-sharing agreements required of Visa Waiver Program countries. This has included the FBI providing assistance to other states to set up the necessary computer networks.

Austria, to take one example, began checking fingerprints against the FBI’s criminal fingerprint databases in October 2017, explained Reinhard Schmid, a senior official in the Austrian criminal intelligence service. Since then, about 12,000 individuals’ prints have been cross-checked, leading to 150 matches. “Around 20 of these identified persons were under investigation and suspected of membership of terrorist organizations,” while in 56 cases individuals had attempted to use a false identity, said Schmid.

“Their logic here is, ‘When I have a serious crime and I want to run someone’s photo against a database, why shouldn’t I have this?’” said Guliani. Yet, she added, the privacy implications were enormous. “Once you have the access, you ultimately have the ability to identify almost anyone, anywhere.”

The report by 10 police forces calls for Europol, the EU agency for police information and intelligence sharing, to play a role in exchanging facial recognition and other biometric data with non-EU states. This echoes recommendations from European governments themselves: A July 2018 declaration called for the commission to consider “broadening the scope” of the Prüm network and for Europol to take the lead on data sharing with third countries.

The FBI and Europol did not respond to questions about data-sharing agreements between the EU and the U.S. A spokesperson for the European Commission acknowledged the prospect of adding facial recognition data to the Prüm network, but declined to go into more detail.

This article was developed with the support of Journalismfund.eu.