ECJ: no legal basis for biometric data in ID cards

Katarzyna Stachyra

What would you say if public authorities would ask you for providing fingerprints in order to issue ID card? Citizens from the Netherlands have refused. The Court of Justice of the European Union admitted they are right in judgement in joined cases C-446/12 to C-449/12[1].

Source: resources.infosecinstitute.com

Source: resources.infosecinstitute.com

Providing fingerprints – a serious breach of the physical integrity?

 

H.J. Kooistra, a citizen of the Netherlands, made an application for the issue of identity card. The Burgemeeste refused doing so because H.J. Kooistra did not agree for providing fingerprints and a facial image. He argued that fulfilling these duties constitutes a serious breach of physical integrity and right to privacy. Moreover, he was afraid of the security of his personal data, because they would be storaged in more than one medium, including decentralized database.

According to Netherlands law, providing fingerprints is one of the requirements in order to obtain ‘travel documents’, for example passports. Since ID cards allow EU citizens to move freely within the EU, the official authorities in the Netherlands apply law referred to ‘travel documents’ to them. The court in the Netherlands, before which this case was pending, decided to ask ECJ for preliminary ruling. The key point was to answer whether law concerning passports – at domestic law level as well as EU law – is applicable for ID cards.

Clear answer…

ECJ stated that ‘the fact that identity cards, such as Netherlands identity cards, may be used for the purposes of travel within the European Union and to a limited number of non-Member States, does not bring them within the scope of Regulation No 2252/2004’[2]. It means that according to EU law there is no requirement of providing fingerprints to obtain ID card.

Judgement of ECJ should remind us, that personal data protection, especially biometrics, is an issue that cannot be ignored. Public authorities, even they are acting on behalf of a state, are not allowed to demand providing data if there is no legal basis to do so. They have to act in compliance with law, which protect our fundamental rights. But those mechanisms will be useless without our care for security of personal data.

…and another issue

On the one hand, people’s awareness about their rights, such as right to privacy increase. Some of us are courageous and are ready to tell official authorities that their actions have no legal basis. On the other hand, there are a lot of people who are fascinated by new technologies. They share information about themselves, including biometric data, with private companies delivering ‘necessary’ services that make life easier, for example fingerprints reader instead of using PIN code. Unfortunately, people do not think about potential consequences of mentioned situations. You can change your PIN code many times, you can prove during court proceeding that sign under agreement is not yours, but you cannot change your fingerprints, iris recognition or hand geometry. When it comes to processing these data by private company, our agreement is sufficient basis. Every time before we agree we must consider advantages and risks and decide, whether we really want to say ‘yes’.

[1] Judgment Of The Court (Fourth Chamber), 16 April 2015, In Joined Cases C‑446/12 to C‑449/12.

[2] Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States.

The EU accession to the European Convention on Human Rights – one step back

Katarzyna Stachyra

It was believed that after entering into force of the Lisbon Treaty the accession of the EU to the Convention for the Protection of Human Rights and Fundamental Freedoms (hereinafter: the Convention) will be obvious. The Lisbon Treaty made accession admissible thanks to granting legal capacity to the EU. What is more, it even imposed obligation on EU to become party to the Convention. Negotiations, which have been conducted since 2010 by the European Commission and the Steering Committee for Human Rights Ad Hoc Negotiation Group, resulted in adoption of the draft agreement on accession[1]. This document was examined by the European Court of Justice (hereinafter: ECJ) and its opinion about compliance with the Treaties, released on 18 December 2014 (C-2/13)[2], is significantly negative. ECJ said that ‘the devil is, however, as so often, in the detail’ and pointed out legal issues which have to be solved in order to access to the Convention. Some of these problems are presented below.

photo 1(1)

The Convention and its influence on relation between ECJ and ECHR

After the accession, the Convention will become part of EU law. It means that the EU, namely all of its institutions as well as Member States, will be bound by provisions of the Convention. Therefore, actions of institutions could be controlled according to measures contained in the Convention. In other words, they would be under jurisdiction of the European Court of Human Rights (hereinafter: ECHR). In this light arises serious question concerning relation between ECJ and ECHR. Accession to the Convention will allow ECHR to assess judicial actions of ECJ or to impose interpretation of the law. Firstly, it is worth emphasizing that judicial independence is the most important feature of courts and tribunals. Secondly, as art. 2 of Protocol no 8[3] reads, ‘accession of the Union shall not affect the competences of the Union or the powers of its institutions’. ECJ as one of the EU institutions has its specific competences. Above all, ECJ has exclusive jurisdiction in disputes between Member States or Member States and institutions, related with interpretation or application of the Treaties. Hence ECJ stated, that possible jurisdiction of ECHR in mentioned matters should be distinctly excluded. Otherwise there is evident incompliance with EU law.

Coordination between the Convention and Charter of Fundamental Rights

The Convention and Charter of Fundamental Rights contain a catalogue of rights and freedoms. Despite the similarities between these catalogues, there are still certain differences which occur in provisions, as well as in interpretations given by ECJ and ECHR. Problem of coordination those two legal acts has significant meaning from the perspective of the level of human rights protection. It is necessary to avoid existing two different standards, because it could violate principle of primacy of the EU law. Because the Convention allows states to introduce higher standards than it presents itself it may lead to establishment of larger scope of protection than it is provided by Charter of Fundamental Rights. As a result, there would be a risk that Charter of Fundamental Rights would be ineffective, which would mean undermining the principle of the primacy of the EU law. According to ECJ opinion, agreement on accession shall include provisions which would prevent indicated situation.

Protocol no 16 – threat to the autonomy of the EU law

Problems with autonomy and primacy may occur after entering into force of Protocol no 16 to the Convention. This protocol introduces new function in ECHR system – advisory opinions, which may be given by ECHR at the request of highest courts and tribunals of state parties to the Convention. Generally speaking, advisory opinions may be compared to preliminary ruling given by ECJ, however they are not binding to national courts. Advisory opinions may infringe the autonomy of the procedure of request for preliminary ruling – use of the first solution may lead to resignation from the second one and, as a result, may constitute circumvention of the law. ECJ expressed in its opinion the concern about relation between those two procedures. It is on position that agreement on accession should clearly eliminate uncertainties in the application of those mechanisms.

Problems with control in the Common Foreign and Security Policy

Under provisions of draft agreement on accession, ECHR would be allowed to examine legal acts released in association with the Common Foreign and Security Policy (hereinafter: CFSP). Certainly, this examination would be conducted in the light of respecting fundamental rights. Since ECJ has no jurisdiction in certain matters related with CFSP, which results from EU law, after the accession to the Convention this jurisdiction will be granted to ECHR. ECJ emphasized that organ, which is not institution of EU, will be able to decide whether acts adopted in CFSP are in compliance with fundamental rights. In addition, it demonstrates that agreement does not follow the most important condition of accession, namely preserving the specific characteristics of the Union and Union law.

ECJ’s position – rationality or excessive precaution?

Undoubtedly we are witnesses of unprecedented event – as ECJ stated in opinion – ‘in which an international, supranational organisation — the EU — submits to the control of another international organisation — the Council of Europe — as regards compliance with basic standards of fundamental rights.’ Uniqueness lies in the fact that the EU is not a state but is pursuing to become the party to the Convention which is intended and formulated for states. Therefore there are various issues how to adjust legal mechanisms, suitable for states, for supranational organization. Opinion released by ECJ is very cautious. In certain aspects – too wary, for instance as regards of Protocol no 16. Draft agreement of accession does not contain provision concerning including this protocol in EU legal system – it would be possible in the future. Furthermore, Protocol no 16 has not even entered into force yet. However, general concern of ECJ about preserving features of the EU and its law is understandable. It is true that draft agreement on accession does not deal with all problems mentioned by ECJ. It seems that negative position of ECJ is intended to avoid confusion and uncertainty, which may occur after accession, if indicated issues will not be explained satisfactorily earlier. Problems with accession to the Convention, in the light of resistance against accession and duplication of similar systems of human rights protection, may provoke bold question – whether do we really need EU’s accession to the Convention?

[1]The full text of draft agreement is available on: http://www.coe.int/t/dghl/standardsetting/hrpolicy/Accession/Meeting_reports/47_1(2013)008rev2_EN.pdf
[2]The full text of opinion is available on: http://curia.europa.eu/juris/document/document.jsf?text=&docid=160929&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=145591
[3]Protocol No 8 Relating To Article 6(2) Of The Treaty On European Union On The Accession Of The Union To The European Convention On The Protection Of Human Rights And Fundamental Freedoms.

‘Right to be forgotten’ – Google case

Kamil Augustyniak

 

The Court of Justice of the European Union stated (Case C-131/12) that every EU Citizen has right to protect his/her private information that can be removed from search engine results if it is ‘inadequate, irrelevant, or no longer relevant’.

Globalization, technological progress and flow of information are, surely, the major advantages of contemporary world. Everyone can search an information in the Internet and find private data about his/her neighbors. In numerous cases we do not mind the information about us is commonly available because we posted it by ourselves. Everything is good till we can control what others read about us. The difficulty starts when the information appears without our knowledge or offend us somehow.

In response to cyber-world

On 25th January 2012, Viviane Reding (the European Commission Vice-President responsible for Justice, Fundamental Rights and Citizenship) proposed a new document – General Data Protection Regulation – that would be an amended EU Data Protection Directive 95/46/EC. In order to avoid breaching peoples’ privacy in cyberspace more efficiently than before, the document has to be transformed and catch up 21st century.That what distinguish a new suggested document will be a possibility to ask service providers to delete the personal data from a particular web-page or a list of results that is displayed following a search made on the basis of consumer’s name. When such request is reasonable, the links containing that information must be removed, unless applicant is a public person and the free access to a particular information is justified.

Personal data protection dispute: Google Spain v Mario Costeja González

In 2010 Mario Costeja González, a Spanish national, complaint against La Vanguardia Ediciones SL (the publisher of a daily newspaper with a large circulation in Spain) and Google Inc. The applicant found that after putting his name in search engine, the results display links to pages relating to La Vanguardia’s newspaper from 1998. The articles included an announcementabout real-estate auction for recovery of social security debts owed by Mr Costeja González. The two possible solutions of this dispute were proposed by applicant to each subject. The newspaper either removes or alters the page so that the applicant’s name will not appear anymore. Similarly with Google, personal details will be removed or covered in order to protect Mr Costeja González private interest. After all, the Spanish Data Protection Agency rejected the request against La Vanguardia because all these information has been published lawfully. However, the complaint against Google was upheld and requested to remove personal data from their index. As a result, the Google company appeal to Spanish National High Court which referred several questions to the Court of Justice of the EU that ruled that Mr Mario Costeja González has right to ask for such removal.

What Google says?goog

In view of Google company the decision is described as disappointing. People will tend to overuse this right to feel better. If they do not like the information, they will ask for removal and no legal oversight will be necessary to succeed. Failing to comply with the regulation will cause high fines.

Supranational effect

From the perspective of an ordinary citizen the changes are essential due to the fact that nobody in the Internet is anonymous so that faked information will disappear irretrievably. The EU legislation entered the higher level by readjusting problems of contemporary world. Since the judgment is officially approved, the new policy has to be transferred into all Member States’ laws, according to the rule of primacy of the EU law.

Read the judgment and official opinion:

http://curia.europa.eu/juris/documents.jsf?pro=&lgrec=pl&nat=or&oqp=&lg=&dates=&language=en&jur=C%2CT%2CF&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&num=C-131%252F12&td=%3BALL&pcs=Oor&avg=&page=1&mat=or&jge=&for=&cid=726021#

Read more about the primacy of the EU law over the laws of the Member States: https://europensblog.wordpress.com/2014/03/03/roots-of-primacy-of-the-eu-law-over-the-laws-of-member-states/