Passport biometrics must stay protected

The government’s proposal to open the passport register’s biometric data for police use is extremely problematic — citizens have effectively been compelled to surrender their fingerprints, so the register must not be expanded beyond its original purpose. In 2006–2009, a fierce debate took place in Finland about the implementation of the EU passport regulation, which required fingerprints to be added to passport data. In the end, unlike most EU countries, Finland decided, in connection with implementing the regulation, to establish a national passport register in which the fingerprints and facial images of every Finnish passport or identity card holder are now stored. Germany and Sweden, for example, opted instead for a solution in which the data is stored only in the chip found in the passport.

Finland’s national passport register is an exception in the EU.

How did the passport register come about?

When the passport register was established, there were concerns about the expansion of the register’s purpose. The police would already at that time have liked to have access to the register’s data, but this possibility was ruled out during parliamentary processing. Since the passport register was established, citizens have therefore been able to trust, at least in principle, that the biometric data in the register is used only in connection with proving identity.

Discussion about opening the register’s data for broader police use has nevertheless continued over the years. Eventually, Prime Minister Orpo’s government programme included the goal of assessing and improving the conditions for the use of biometrics for law enforcement and crime prevention purposes. In September, the government’s proposal was sent to parliament, where it is currently under committee review.

The expansion of the use of biometric data in the passport register as proposed in the bill would be extremely problematic.

Why is expanding its use problematic?

Technological development has broadened the significance of fingerprints and facial images as means of identifying a person. To read this very text, a significant proportion of readers have shown their face or fingerprint to their computer, tablet or phone. A fingerprint or facial image has replaced the use of passwords in many people’s daily lives, and in principle they can be used to access a vast amount of private and sensitive information.

A fingerprint is nowadays like a password.

With this development, the importance of biometric identifiers in protecting privacy has grown substantially since the passport register was established. A biometric register covering all citizens is a problem in itself, and expanding its use increases the vulnerability of the data.

A more fundamental problem, however, is trust. For society to function, the majority of citizens must have sufficient trust in the exercise of public authority. When Finnish citizens have effectively been compelled to surrender their biometric data to the authorities, it is highly questionable to open up the use of this data beyond its original purpose. Even though the current proposal limits use to the investigation and prevention of only very serious crimes, a genie once out of the bottle is hard to put back in. It is quite likely that over the years there will be ever-growing desire to expand the police’s powers to make use of the passport register and to lower the threshold.

A genie that has escaped cannot simply be pushed back into the bottle.

What should be done instead?

Instead of expanding the use of biometric data in the passport register, Finland should move to handle this data in the way Germany does. In the German model, fingerprint data is destroyed from all systems after the passport has been created and thus cannot subsequently be misused or opened up for other purposes. The EU’s Fundamental Rights Agency has also stated, already in 2018, that everyone should follow this German model.

As long as sensitive data exists somewhere in a database, there is a temptation to expand its use. Moreover, as long as some electronic register exists, there is also the possibility of the data being stolen and misused. A register containing the fingerprints and facial images of nearly every Finnish citizen is therefore too tempting a target for both legitimate and illegitimate actors.

The expansion of the use of the passport register is part of an ongoing movement in which privacy protection is being eroded in the name of security in many different ways. In Finland, for example, new intelligence powers are being prepared for the police to use even without individualised criminal suspicion, and in the European Union there have been repeated attempts to push through the undermining of private communications protection in connection with the CSAM regulation.

Authorities must have sufficient means to guarantee the security of society. However, security must not be an overriding catch-all provision that bypasses fundamental rights. Finland and Europe should instead offer their citizens a value commitment of a strong right to privacy.

I have written more about digital rights and technology: about dismantling fundamental rights , about digital independence and about what AI can do in public services . Read more in my posts on technology .

Authors: Atte Harjanne and Lauri Lavanti.

_One version of the text published in Helsingin Sanomat on 14 January 2026 and in Atte Harjanne’s blog on 15 January 2026.*

Another version of the text published in Kirkkonummen Sanomat on 20 January 2026.