Since 2011, PogoWasRight.org has been covering a case involving the use of fingerprints in Dutch passports (additional links on the legality of fingerprints in passports can be found here).
There’s been another development in the long-running dispute, and it doesn’t appear to be good news for those fighting the mandatory inclusion of biometric identifiers. If I’m understanding the translation of what happened as described in a press release, the EU Court of Justice wound up ruling that individual countries get to determine whether to require biometric data or not in ID cards, i.e., although biometrics in passports is an issue under EU regulations, biometrics in ID cards is a member state issue.
There’s also a second question raised for the court, also covered in the press release below. Again, if I’m understanding it, it says that individual member countries get to determine whether biometric data collected and/or stored for one purpose can then be used for other purposes.
All told, it looks like the EU Court of Justice is saying that these are not EU issues but individual member state issues.
A PogoWasRight.org reader sends in this response to the ruling from a spokesperson for the EU human rights community:
The ECHR Court of Strasburg’s case law is supposed to be included in current EU law. It’s clear that the collection of technically failing fingerprints in IDs can never be proportionate and is therefore illegal. But the court isn’t that brave. Chairman Larsen of the Fourth Chamber of the Court, an ex-Europol boss, again saves the #biometric industry. Of course the EU Court should’ve ruled that the mere fear of other (dbase) use of collected fingerprints is a reason by itself to declare any collection of these biometrics in IDs illegal.
You can read more about the case and issues here.
Reminder: the following is a translation, and I cannot vouch for the accuracy:
Official Press summary:
EU Court of JusticeThe Court today April 16, 2015 judgment in Joined Dutch Cases C-446/12 – C-449/12 Willems, Kooistra, Roest and Van Luijk
National identity cards are not covered by the European regulation on passports and travel documents
Databases for storage of biometric data fall within the exclusive competence of the Member States
Mr. Willems, Mrs. Roest and Mrs. Van Luijk have each submitted a passport application. The respective competent mayors (Nuth, Skarsterlân, Amsterdam and The Hague) have not be processed the applications because the parties refused to record their fingerprints. Mr. Kooistra has submitted an application for a Dutch identity card, which has not been not taken into consideration because he refused to provide fingerprints and a facial photograph.
Willems and Others contend that the input and storage of biometric data constitute a gross violation of their physical integrity and a restriction of their right to protection of their private lives. They point out that the data are not only stored in the storage medium on the passport or Dutch identity, but also in a register. Moreover, according to them provisions lack that
clearly mention which persons will have access to the biometric data. They also note that the authorities could use the biometric data in the future for purposes other than for which they are provided (for criminal purposes and by the intelligence and security services).The Dutch highest administrative court “Raad van State”, where the proceedings currently are pending, referred questions to the Court of Justice.
The Council first of all, asks the question whether the Dutch identity card falls under the scope of EU Regulation no. 2252/2004 on standards for security features and biometrics in passports and travel documents.
In its judgment today, the Court of Justice ruled that the European Union legislature has expressly decided to exclude national identity cards from the scope of this Regulation.
The fact that an identity card, such as the Dutch, can be used when traveling within the Union and from some third countries, does not entail that they fall within the scope of Regulation No. 2252/2004.
The State Council also seeks guidance from the Court whether the Member States, in accordance with the European regulations and the Charter of Fundamental Rights of the European Union should ensure that the stored biometric data will not be collected for other purposes, processed and used then for the issuance of the passport or travel document.
The Court refers in this respect to the judgment in Schwarz (C 291/12, EU: C:2013: 670), in which it ruled that the use and storage of biometric data for the purposes specified in the Regulation are consistent with the requirements of the Charter.
Any other use and any other storage are not covered by the regulation.
Regulation no. 2252/2004 allows other use or storage of these data in accordance with national legislation of Member States, and does not provide a legal basis for setting up or maintaining databases for storage of these data in Member States, because this aspect falls under the exclusive competence of the Member States.
Implication of this is that according to regulation no. 2252/2004 a Member State is not required by law to ensure that the biometric data that are stored will not be used for purposes other than those specified in the regulation.
The above considerations do not prejudge any review by the national courts of all national measures relating to the use and storage of biometric data in their national law and, where appropriate, to the European Convention on Human Rights and fundamental freedoms.
This summary does not bind the Court. The official text of the judgment will be available from 13 am on the site www.curia.europa.eu.
Correction: Well, I knew I was at risk understanding this. I’ve corrected the headline to reflect “ID cards” as it’s not passports, I’m told by an EU reader. I’ve also corrected the text a bit to clarify the ruling.
Update: Here’s some media coverage of today’s ruling.