Biometric data of all individuals who have applied for or own Estonian identity cards, irrespective of whether they are national identity documents or digital identity documents meant exclusively for e-identification, are stored in digital database, archived and retained for 50 years (in case of e-residency, this is done to avoid conferring duplicate identities to one person).

From the perspective of e-residents, this is immaterial — the digital identity documents issued do not serve as travel documents, as has been established above. Nevertheless, due to the fact that under the Estonian Identity Documents Act the term “digital identity card” denotes both the e-IDs of nationals as well as e-residents’ e-ID cards, the requirement of biometric identifiers also applies to both.

Drawing on the aforementioned, the authors of the given chapter claim that the failure to differentiate between the two types of documents leads to unnecessary collection of biometric data that is in contradiction with the Data Protection Directive Article 6 principles of purpose and proportionality.

Biometrics as security technology cannot be “thrown in” for good measure, as Estonia seems to have done, without proper analysis of risks for the protection of fundamental rights and freedoms, not considering whether the purpose to be achieved could not be achieved by less intrusive means.

The practice is indeed questionable, since in case EU citizen applies for Estonian residency, the objective of “avoiding conferring duplicate identities to one person” is achieved by less intrusive means without fingerprints being collected.

Links:
http://link.springer.com/chapter/10.1007%2F978-3-319-26896-5_4