ECJ: no legal basis for biometric data in ID cards

Katarzyna Stachyra

What would you say if public authorities would ask you for providing fingerprints in order to issue ID card? Citizens from the Netherlands have refused. The Court of Justice of the European Union admitted they are right in judgement in joined cases C-446/12 to C-449/12[1].

Source: resources.infosecinstitute.com

Source: resources.infosecinstitute.com

Providing fingerprints – a serious breach of the physical integrity?

 

H.J. Kooistra, a citizen of the Netherlands, made an application for the issue of identity card. The Burgemeeste refused doing so because H.J. Kooistra did not agree for providing fingerprints and a facial image. He argued that fulfilling these duties constitutes a serious breach of physical integrity and right to privacy. Moreover, he was afraid of the security of his personal data, because they would be storaged in more than one medium, including decentralized database.

According to Netherlands law, providing fingerprints is one of the requirements in order to obtain ‘travel documents’, for example passports. Since ID cards allow EU citizens to move freely within the EU, the official authorities in the Netherlands apply law referred to ‘travel documents’ to them. The court in the Netherlands, before which this case was pending, decided to ask ECJ for preliminary ruling. The key point was to answer whether law concerning passports – at domestic law level as well as EU law – is applicable for ID cards.

Clear answer…

ECJ stated that ‘the fact that identity cards, such as Netherlands identity cards, may be used for the purposes of travel within the European Union and to a limited number of non-Member States, does not bring them within the scope of Regulation No 2252/2004’[2]. It means that according to EU law there is no requirement of providing fingerprints to obtain ID card.

Judgement of ECJ should remind us, that personal data protection, especially biometrics, is an issue that cannot be ignored. Public authorities, even they are acting on behalf of a state, are not allowed to demand providing data if there is no legal basis to do so. They have to act in compliance with law, which protect our fundamental rights. But those mechanisms will be useless without our care for security of personal data.

…and another issue

On the one hand, people’s awareness about their rights, such as right to privacy increase. Some of us are courageous and are ready to tell official authorities that their actions have no legal basis. On the other hand, there are a lot of people who are fascinated by new technologies. They share information about themselves, including biometric data, with private companies delivering ‘necessary’ services that make life easier, for example fingerprints reader instead of using PIN code. Unfortunately, people do not think about potential consequences of mentioned situations. You can change your PIN code many times, you can prove during court proceeding that sign under agreement is not yours, but you cannot change your fingerprints, iris recognition or hand geometry. When it comes to processing these data by private company, our agreement is sufficient basis. Every time before we agree we must consider advantages and risks and decide, whether we really want to say ‘yes’.

[1] Judgment Of The Court (Fourth Chamber), 16 April 2015, In Joined Cases C‑446/12 to C‑449/12.

[2] Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States.

The future of personal data protection in the EU – should we be afraid of it?

Katarzyna Stachyra

larson-jewelers-fingerprint-engraving-ringCurrently binding Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data celebrates its 20 birthday. Let’s imagine, how during last 20 years our lifestyle has changed. Today we have full of doubts, when we entrance fitness club thanks to fingerprint scanning. Then, after that without any resistance, we take selfie and share it with our friends. It is hard to believe but two decades ago there was no social media! Therefore questions about the future of personal data protection are valid as never before. The EU tries to face new challenges and work on new legal act on personal data protection – regulation, which would replace directive mentioned above. But it’s too early to celebrate success.

What is worth supporting

‘Google case’ (https://europensblog.wordpress.com/2014/05/19/right-to-be-forgotten-google-case/) showed how works differentiate between two legal orders. Certainly, from legal point of view it is clear why judgment of the Court of Justice of the European Union is binding only for EU member states. However, Google’s position, expressed outright, that ‘right to be forgotten’ may be enjoyed only by some of Europeans, not by clients living in the USA, arouses disgust. Despite the EU can’t improve their situation, it may do it with ours. Project of new regulation assumes, that even if company is registered in the third state it has to act in compliance with EU law, if its processing activities are related to the offering of goods or services to such data subjects in the EU. As a results, protection of our data will be strengthened. Moreover, regulation contains new terms, such as ‘biometric data’ and also refers to children’s personal data protection.

What is criticized

Skeptics remind us, that work on content of regulation lasts too long – 3 years. During this time, draft was changed many times and lost its original character. There were arguments between EU member states, EU institutions, which take part in legislative procedures, between NGO’s in member states, etc. It is said that Council of the EU’s amendments lead to weaken standards of protection, especially ‘sacred’ principles connected with purposes of processing and individual’s consent for processing.

Source: viaresource.com

Source: viaresource.com

People awareness and their freely, explicit consent for processing is, in opinion of a lot of NGOs focused on right to privacy , the key point of all personal data protection issues. In addition, some of them are against solutions which would empower entrepreneurs through liberalization of new law. According to NGOs, it creates a risk of abuse and increase of disparities between company and natural person. On the other side, we can’t ignore entrepreneurs’ reasons – their claim that reduction of formalities is needed in order to accomplish functioning of the EU’s single market.

Is it really the future?

Despite some advantages and disadvantages mentioned above, the question is, whether this is a real reform or rather just an introduction of a few changes. European Commission at the very beginning in 2012, sought to propose legal act, which would be an answer to current problems with personal data protection. Now there are doubts, not only if planned changes are revolutionary, but also if they would have adverse effects and weaken relatively high, in contrast to the USA, European standards of protection. It is uncertain, how long will we have to wait for entering into force new regulation and which other, now unfamiliar problematic issues will arise.