ECJ Decision on the Storage of Fingerprints in Identity Cards
In a ruling on March 21, 2024, the European Court of Justice (ECJ) in Case C-61/22 evaluated the obligation to store fingerprints in German identity cards as compatible with EU law, thereby setting essential precedents in data protection and for identity documents within the European Union (Source: ECJ, Judgment of 21.03.2024, C-61/22). The decision was made upon a referral from the Federal Administrative Court, which sought clarification regarding the protection of personal data and the requirements of the Charter of Fundamental Rights of the European Union.
Background of the Case Formation
The lawsuit was directed against the obligation introduced on December 28, 2020, as part of the German ID issuance process, requiring the inclusion of two fingerprints as biometric features on the chip of the identity card. The aim is to unequivocally establish the identity of the cardholder when necessary and to complicate misuse of identity documents. The plaintiff argued that the obligation to submit and store fingerprints violated the principle of proportionality, Article 8 of the Charter of Fundamental Rights of the European Union (Data Protection), as well as the protection of private life.
Biometric Data and Data Protection Considerations
Scope of the Union’s Provisions
The contested regulation is based on an EU regulation (Regulation (EU) 2019/1157), which aims at the harmonized issuance and security of identity cards in all member states. It explicitly mandates the collection and storage of two fingerprints, supplemented by a photograph. The biometric data is stored in a highly secure chip, which can only be read by authorized state agencies for verification purposes.
Weighting of Fundamental Rights Protection
In its decision, the ECJ emphasized that the processing of fingerprints constitutes a serious intrusion into the personal rights and data protection of citizens, as biometric data is categorized as particularly sensitive personal data. Nevertheless, in the court’s view, this intrusion is outweighed by an overriding public interest, particularly the prevention of misuse and fraud, as well as increasing the security against counterfeiting of identity cards to protect the internal market.
Proportionality and Purpose Limitation
In its review, the court found that the measure is legally regulated and appropriate in terms of its purpose to enable unequivocal identification. The storage of fingerprints is limited to what is absolutely necessary – only the two index finger prints are recorded, or if this is not possible, prints from other fingers. Further use of the biometric data is not foreseen under the relevant Union regulation and is expressly prohibited under German law.
Practical Implications for Affected Individuals and Authorities
Data Security and Access Rights
Fingerprints are stored only in the security chip of the identity card and not centrally. Only authorized bodies – such as passport and ID authorities or border control agencies – have access in case of verification. After successful issuance, the fingerprints stored during the creation process are immediately deleted. Access by third parties or use for purposes other than identity verification is unlawful under data protection law.
Legal Remedies and Restrictions
Affected individuals cannot legally refuse the submission of fingerprints, as the regulation in the binding Union regulation applies directly. There is only an exception for individuals who cannot provide fingerprints for physical reasons. The ECJ has now confirmed the legitimacy of data collection as a last resort.
Assessment and Classification in the European Context
With this judgment, the ECJ establishes a uniform legal framework for handling particularly sensitive biometric data in identity documentation, which is intended to strengthen trust in the integrity of European travel documents and facilitate cross-border cooperation in the Schengen area. However, the court also sets clear limits by emphasizing purpose limitation, data security, and the rights of affected individuals – thereby ensuring the protection of personal data despite a significant expansion of authorized access powers.
Conclusion
The decision highlights the high importance given to balancing effective protection of public interests and safeguarding individual data protection rights within the European legal space. It also emphasizes that despite the necessity of modern security measures in identity documents, strict legal standards for data processing must be adhered to.
For questions concerning the implementation of biometric data requirements or data protection aspects related to official data collection, the attorneys at MTR Legal Rechtsanwälte are available.
