Estrella Gutiérrez, visiting professor at the Carlos III University (Madrid) has written an inspiring comment to the ECJ Judgment Schwarz v. Stadt Bochum, regarding biometric data an the rights to respect for private life. Many thanks, Estrella for your valuable contribution.
Pedro M. Herrera
ECJ rules that biometric-recognition in passports does not constitute an infringement of privacy and data protection
ECJ Judgment of 17 October 2013, Case C‑291/12, Schwarz v. Stadt Bochum. Biometric data, fingerprints, facial recognition, iris recognition, privacy, personal data.
Biometric data (fingerprints or iris) as they contain unique information which allows identifying individuals with precision may constitute a threat to the rights to respect for private life and the protection of personal data.
More specifically, collecting and storing biometric data of someone else constitute a processing of personal data in the sense established by article 2(b) of Directive 95/46, on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, the “Directive”). This provision sets forth that processing of personal data means any operation performed upon such data by a third party, such as the collecting, recording, storage, consultation or use thereof.
In the light of the foregoing, Regulation 2252/2004, of 13 December 2004, on standards for security features and biometrics in passports and travel documents issued by Member States (hereinafter, the “Regulation”), requires biometric data to be collected and stored in the storage medium of passports and travel documents with a view to issuing such documents.
Applying the said Regulation means that national authorities shall take a person’s fingerprints to keep them in the storage medium available in that person’s passport. Such measures must therefore be viewed as a processing of personal data.
In this context, a German citizen applied to the Stadt Bochum for a passport, but refused at that time to have his fingerprints taken. After the Stadt Bochum rejected his application, the claimant brought an action before the Verwaltungsgericht Gelsenkirchen (the administrative domestic Court) in which he requested that the city be ordered to issue him with a passport without taking his fingerprints.
By referring a preliminary ruling, the administrative Court sought to establish whether this Regulation is valid, particularly in light of the Charter of Fundamental Rights of the European Union (hereinafter the “Charter”), in so far as it obliges any person applying for a passport to provide fingerprints to be stored therein.
The referring Court asked, in essence, whether article 1(2) of Regulation was invalid on the grounds such provision breached certain fundamental rights of the holders of passports, namely, the right to private life and the protection of personal data laid down in articles 7 and 8 of the Charter respectively.
The Court comes to the conclusion that the interference with privacy and personal data arising from the contested Regulation is justified by its aim of protecting against the fraudulent use of passports and preventing illegal entry to the European Union (hereinafter, “EU”).
Under article 7 and 8 of the Charter, neither shall privacy be hindered and nor personal data be processed except on the basis of the consent of the person concerned or some other legitimate basis laid down by law. In absence of consent of right holder or data subject, the Court has to asses to what extent measures interfering with such fundamental rights do meet the requirements of the three-fold test of (i) prescribed by law; (ii) necessity; (iii) proportionality.
In the present case, the ECJ observes firstly that collecting and storing fingerprints when issuing passports must be considered to be prescribed by law, since those operations are provided for by the contested Regulation.
Secondly, when assessing the necessity of the contested Regulation the Court finds that there is a legitimate interest justifying the interference with privacy and personal data, namely, preventing falsification of passports and illegal entry to the EU.
Thirdly, the ECJ analyses the proportionality of the Regulation. In doing so, it is important for the Court to examine whether processing of fingerprints by collecting and storing such information in passports does actually involve the less restrictive measures with the rights to privacy and personal data and does not go beyond what is necessary to achieve that legitimate aim in protecting EU borders from illegal entry pursued by the contested Regulation.
Notwithstanding the processing method does not prevent all unauthorised persons from being accepted, -observes the Court- it is enough that it significantly reduces the likelihood of such acceptance that would exist if that method were not used. In this sense, the ECJ holds that “the fact that the method is not wholly reliable is not decisive” to determine the invalidity of the processing.
Furthermore, the ECJ notes that the processing “is not an operation of an intimate nature”, given that it involves no more than the taking of prints of two fingers, which can, moreover, generally be seen by others. “Nor does it cause any particular physical or mental discomfort to the person affected anymore than when that person’s facial image is taken”, emphasizes the Court. In other words, the processing does not involve an intrusive means which may interfere unnecessarily with privacy.
The Court also wonders whether the fact that fingerprints and a facial image are taken at the same time would give rise to greater interference with those rights. The ECJ finds that the combination of two operations designed to identify persons may not a priori be regarded as giving rise in itself to a greater threat to the fundamental rights at stake than if each of those two operations were to be considered in isolation.
On the other hand, the Court notes that the only real alternative to the taking of fingerprints is an iris scan. But nothing suggests that the latter procedure would interfere less with the rights to privacy and personal data than the taking of fingerprints. Furthermore, with regard to the effectiveness of those two methods, the ECJ recognises that iris-recognition technology is not yet as advanced as fingerprint-recognition technology. In addition, the procedure for iris recognition is currently significantly more expensive than the procedure for comparing fingerprints and is, for that reason, less suitable for general use.
However, the referring Court was uncertain whether the Regulation is proportionate in view of the risk that, once fingerprints have been taken pursuant to that provision, the data will be stored, perhaps centrally, and used for purposes other than those provided for by that Regulation.
In that regard, the Court warns that the contested Regulation shall not be construed as “providing a legal basis for the centralised storage of data collected thereunder or for the use of such data for purposes other than that of preventing illegal entry into the European Union”. Had such centralised storage of data happened, it should be examined in the course of an action brought before the competent domestic Courts. Meanwhile, the ECJ considers that the possible risks linked to possible centralisation cannot, in any event, affect the validity of that Regulation.
In other words, the domestic legislation of State Members must ensure that there are specific guarantees that the processing of such data will be effectively protected from misuse and abuse and purposes other than preventing falsification of passports and protecting EU borders.
María Estrella Gutiérrez David
Visiting professor at the Carlos III University