ECJ: no legal basis for biometric data in ID cards

Katarzyna Stachyra

What would you say if public authorities would ask you for providing fingerprints in order to issue ID card? Citizens from the Netherlands have refused. The Court of Justice of the European Union admitted they are right in judgement in joined cases C-446/12 to C-449/12[1].

Source: resources.infosecinstitute.com

Source: resources.infosecinstitute.com

Providing fingerprints – a serious breach of the physical integrity?

 

H.J. Kooistra, a citizen of the Netherlands, made an application for the issue of identity card. The Burgemeeste refused doing so because H.J. Kooistra did not agree for providing fingerprints and a facial image. He argued that fulfilling these duties constitutes a serious breach of physical integrity and right to privacy. Moreover, he was afraid of the security of his personal data, because they would be storaged in more than one medium, including decentralized database.

According to Netherlands law, providing fingerprints is one of the requirements in order to obtain ‘travel documents’, for example passports. Since ID cards allow EU citizens to move freely within the EU, the official authorities in the Netherlands apply law referred to ‘travel documents’ to them. The court in the Netherlands, before which this case was pending, decided to ask ECJ for preliminary ruling. The key point was to answer whether law concerning passports – at domestic law level as well as EU law – is applicable for ID cards.

Clear answer…

ECJ stated that ‘the fact that identity cards, such as Netherlands identity cards, may be used for the purposes of travel within the European Union and to a limited number of non-Member States, does not bring them within the scope of Regulation No 2252/2004’[2]. It means that according to EU law there is no requirement of providing fingerprints to obtain ID card.

Judgement of ECJ should remind us, that personal data protection, especially biometrics, is an issue that cannot be ignored. Public authorities, even they are acting on behalf of a state, are not allowed to demand providing data if there is no legal basis to do so. They have to act in compliance with law, which protect our fundamental rights. But those mechanisms will be useless without our care for security of personal data.

…and another issue

On the one hand, people’s awareness about their rights, such as right to privacy increase. Some of us are courageous and are ready to tell official authorities that their actions have no legal basis. On the other hand, there are a lot of people who are fascinated by new technologies. They share information about themselves, including biometric data, with private companies delivering ‘necessary’ services that make life easier, for example fingerprints reader instead of using PIN code. Unfortunately, people do not think about potential consequences of mentioned situations. You can change your PIN code many times, you can prove during court proceeding that sign under agreement is not yours, but you cannot change your fingerprints, iris recognition or hand geometry. When it comes to processing these data by private company, our agreement is sufficient basis. Every time before we agree we must consider advantages and risks and decide, whether we really want to say ‘yes’.

[1] Judgment Of The Court (Fourth Chamber), 16 April 2015, In Joined Cases C‑446/12 to C‑449/12.

[2] Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States.