EU court bans central storage of fingerprints

In an important ruling the European Court of Justice today gave short shrift to the desire of some EU member states (including the Netherlands) to use passports to store citizens' fingerprints in central or municipal databases for a variety of purposes. The Court ruled, inter alia, as follows:

"On this point, it should be noted that, on the one hand, [the European Passport Regulation] explicitly specifies that fingerprints may only be used to verify the authenticity of the passport and the identity of its holder.
(…)
In this context, it should be noted that fingerprints certainly play a special role in the field of identification of persons in general. For example, the techniques of identification by comparison of fingerprints taken at a particular place with those kept in a database make it possible, either in the context of a criminal investigation or for the purpose of exercising indirect surveillance of a particular person, to establish the presence of that person at that place.

However, it should be recalled that [the European Passport Regulation] provides that fingerprints may only be kept in the passport itself, which remains in the exclusive possession of its holder.

Since the aforementioned regulation does not provide for any other form or means of storage of those printouts, it (...) cannot be interpreted as providing, as such, a legal basis for any centralisation of collected data, or for the use of those data for purposes other than that of preventing the illegal entry of persons into the territory of the Union.

In these circumstances, the (...) arguments raised regarding the risks associated with possible centralisation cannot in any case affect the validity of that regulation. These arguments may, where appropriate, be raised in the context of an appeal lodged with the competent courts against a statutory scheme providing for a centralised database of fingerprints." (EU Court of Justice, Case C-291/12 (Schwarz), 17 October 2013, paras 56-62, emphasis Privacy First).

The EU Court's ruling thus provides strong support for the Civil Passport lawsuit by Privacy First and 19 co-claimants (citizens) against the Dutch State in order to declare the Dutch Passport Act unlawful. After all, Article 4b of the Passport Act still provides for a central biometric database with everyone's fingerprints for the purpose of investigation and prosecution, combating terrorism, disaster relief, intelligence work, etc. Despite a current legislative amendment to introduce an identity card without fingerprints, the current and revised Passport Act thus remains diametrically opposed to the right to privacy, the EU Court ruling revealed today. Privacy First therefore looks forward with confidence to an early decision by the Hague Court in our Passport Process.

At the same time, Privacy First notes with disappointment that the EU Court does not consider the mandatory fingerprinting under the European Passport Regulation to be unlawful. In the original version of this regulation, fingerprinting was rightly voluntary. However, after the Madrid bombings, this voluntariness was changed to an obligation by the European Council of Ministers. In doing so, the European Parliament was not (again) consulted, and thus unlawfully bypassed in the European decision-making process. However, the EU Court considers this procedural error 'repaired' by a subsequent amendment (in 2009) to the Passport Regulation with the consent of the European Parliament. The Court also considers the compulsory fingerprinting justified to combat passport fraud in illegal immigration to the European Union, but without having conducted any research into the exact extent of this type of fraud. In particular, this concerns so-called look-alike Passport fraud. From recent government statistics in Privacy First's possession shows that this type of fraud is on such a small scale that it cannot possibly justify mass fingerprinting under the European Passport Regulation: in the Netherlands in recent years, the cases detected have been in the order of several dozen per year (mainly asylum seekers). To take the fingerprints of the entire Dutch population to combat this, Privacy First considers completely disproportionate and thus unlawful. This apart from the sky-high costs of the associated biometric infrastructure. Moreover, this infrastructure does not appear to work: Minister Donner and State Secretary Teeven have in recent years, when asked, mentioned error rates of as much as 21-25% and 30%. Privacy First can therefore only conclude that the EU Court has deliberately ignored these fundamental questions and wanted to give the European Passport Regulation a green stamp in advance. It is up to other, national courts (including the Dutch Council of State and the Hague Court of Appeal) to still answer these questions and declare the Dutch Passport Act in violation of the right to privacy.

Update: read also http://webwereld.nl/beveiliging/79721-eu-hof-torpedeert-nederlandse-wet-vingerafdrukken.

See also the recent guest column "Fingerprints, essential or not“.