• No results found

Willems: giving Member States the prints and data protection the finger

N/A
N/A
Protected

Academic year: 2021

Share "Willems: giving Member States the prints and data protection the finger"

Copied!
5
0
0

Bezig met laden.... (Bekijk nu de volledige tekst)

Hele tekst

(1)

Tijmen Wisman

1

Willems: giving Member States the prints and data protection the finger

Willems, Joined Cases C-446/12 to C-449/12, 16 April 2015.

'I won’t mince words: this judgment is appalling. It’s sensible enough as regards the scope of the passports Regulation itself, which clearly wasn’t intended to apply to any national identity cards or to the creation of government databases using biometric data. But the Court’s fundamental flaw is its failure to confirm and elaborate upon the application of the Charter and the data protection Directive to such databases.'

Steve Peers

I. Facts

The obligation to store digital fingerprints in passports and identity cards, pursuant to Regulation No 2252/2004, has met resistance in the Netherlands from the very start. Some citizens refused to provide fingerprints, some refused to provide fingerprints and a facial image. The refusal of the applicants was based on multiple grounds. First, the creating and storing of biometric data constitutes a serious breach of physical integrity and the right to privacy. In the Netherlands the biometric data was not only stored on the Radio Frequency Identification chip in the passport, but also in a

decentralized database and the Passport Law provided that all decentral databases will be merged into a central database in time. There are no provisions that indicate the people that get access to the data [para. 19]. Moreover, in the future the authorities might use the biometric data for other purposes than to protect against falsification. Especially the storage in the database created a risk that data might be used for judicial purposes or intelligence or security services [para. 20].

2

Article 4b of the Passport law articulated these intentions, despite the fact that this has not come into force, which provided that data stored in the central register could be used for the purpose of identifying victims of disasters and accidents, the detection and prosecution of criminal offenses and for the conduct of investigations of acts constituting a threat to State security. The citizens who applied for a passport and refused to provide the fingerprints got their application rejected. This had grave

consequences for their lives, since the possession of a passport or identity card became a condition in the Netherlands for any interaction with public authorities (including taxes), receiving healthcare, voting and so on. This rejection was the direct occasion for the citizens to appeal these decisions in court. It should be noted that only in 2012 the requirement for fingerprints in identity cards was dropped, well after these court cases were initiated. Among the most dire cases of people who refused to give their fingerprints was a woman who could not register her newly born child with the municipality, because she did not have a valid identity document. In the meantime there has been an amendment to the Passport Law which provided that fingerprints are only stored for the duration of the procedure for application and issue of the passport, after which they are erased [para. 15].The referring courts wanted to know whether the Dutch identity card falls under Regulation No 2252/2004 and the second preliminary question is:

1 Tijmen Wisman is researcher/lecturer at the Centre for Law and Internet (CLI) of Vrije Universiteit Amsterdam.

2 In 2011 the police started a test with a mobile fingerprint scanner to catch illegal immigrants. See

<http://www.binnenlandsbestuur.nl/openbare-orde-en-veiligheid/nieuws/politie-scant-vingerafdruk -op-straat.1411906.lynkx>, last seen 5th of November 2015. In 2014 there was already news about the new phones for the police and the possibility to include a fingerprint sensor to enable the police to execute mobile identity controls. <http://tweakers .net/nieuws/96157/politie-wil-vingerafdruksensor-op-nieuwe

-diensttelefoon-galaxy-s5-gaan-benutten.html>, last seen 5th of November 2015.

(2)

“…[M]ust Article 4(3) of Regulation [No 2252/2004], [read] in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union [“the Charter”], Article 8(2) of the European Convention on the Protection of Human Rights and Fundamental Freedoms…and Article 7(f) of [Directive 95/46], read in conjunction with Article 6(1)(b) of that directive, be interpreted as meaning that, when the Member States give effect to Regulation No 2252/2004, there should be a statutory guarantee that the biometric data collected and stored pursuant to that regulation may not be collected, processed and used for any purposes other than the issuing of the document concerned?”[para. 29]

II. Judgment

1. Identity cards and Regulation No 2252/2004

The first preliminary question was whether identity cards fell under the scope of Regulation No 2252/2004.

3

The Court decided that it was clear from the wording of Article 1(3) of Regulation No 2252/2004, which expressly provides it does not apply to identity cards, that these cards are excluded from the scope of the regulation. The fact that identity cards could be used to travel within the Union and to a limited number of non-Member States, did not change the conclusion of the Court.

2. The purposes for which biometric data collected and stored pursuant to Regulation No 2252/2004

The ECJ narrows the preliminary question down to “essentially whether Article 4(3) of Regulation No 2252/2004, read together with Articles 6 and 7 of Directive 95/46 and Articles 7 and 8 of the Charter, must be interpreted as meaning that it requires Member States to guarantee that the biometric data collected and stored pursuant to that regulation will not be collected, processed and used for purposes other than the issue of passports or other travel documents.” Article 4(3) of the regulation states that the biometric data collected and stored on the storage medium may only be used for verifying the authenticity of the document and the identity of the holder, when this is required to be produced by law. The Court refers to the case Schwarz

4

in which it determined that the use and storage of biometric data on the storage medium was compatible with Article 7 and 8 of the Charter (para. 46). The Court moves on in the next paragraph to recital 5 in the preamble to Regulation No 444/2009, which amended Regulation No 2252/2004, states that the requirement to collect and store biometric data in the storage medium of the passport and travel documents:

“is without prejudice to any other use or storage of these data in accordance with national legislation of Member States. Regulation (EC) No 2252/2004 does not provide a legal base for setting up or maintaining databases for storage of those data in Member States, which is strictly a matter of national law.”

5

The Court holds that it follows from this recital that Regulation No 2252/2004 does not impose a duty on the Member States to guarantee in its legislation that the biometric data shall not be used for other purposes than those provided in Article 4(3) of that regulation and refers to paragraph 61 of Schwarz (para. 48). The Court continues to argue that the Charter is applicable when EU law is

3 This not a matter of data protection and therefore is only treated shortly in this section and excluded from the

‘Comment’.

4 CJEU 17 October 2013, Schwarz, C-291/12, ECLI:EU:2013:670.

5 Para. 47.

(3)

applicable and then states that in the present case Regulation No 2252/2004 is not applicable, so

“there is no need to determine whether the storage and use of biometric data for purposes other than those referred to in Article 4(3) thereof are compatible with those articles of the Charter.”

6

The Court does point out that these findings do not preclude national courts to examine the compatibility of national measures relating to the use and storage of biometric with national law or the ECHR, which can be viewed as an implicitly rejection of its own competence in this matter (para. 51).

Finally, it dismisses the relevance of Directive 95/46 by arguing that the referring questions require the interpretation of Regulation No 2252/2004 and since this regulation is not applicable to the present case, there is no need to examine whether Article 6 and 7 of the directive affect the national framework relating to the storage and use of biometric data outside the scope of the regulation (para. 52) It concludes that:

“Regulation No 2252/2004 must be interpreted as meaning that it does not require the Member States to guarantee, in their legislation, that biometric data collected and store in accordance with that regulation will not be collected, processed and used for purposes other than the issue of the passport or travel document, since that is not a matter which falls within the scope of that regulation.”

7

Comment

8

1. Sticking to a question that limits its own competence

What is most notable about this case is the way the ECJ interprets the preliminary question, which allows it to stay away from the heart of the matter. This case is about purpose creep

9

: the use of biometric data, collected pursuant to EU legislation, for other purposes than they were originally collected for. The Court limits itself to the question whether statutory protection against this follows from Regulation No 2252/2004. Instead the Court could have rephrased the questionin a number of ways, e.g.: whether EU law protects citizens against national legislation that repurposes biometric data collected pursuant to the regulation.

10

This would have been in line with the preliminary question of the referring court, which explicitly refers to the impact of other (EU) legislation on the regulation.

2. Demanding no safeguards for biometric data

The Court refers to recital 5 of Regulation No 444/2009 to make the point that the national use of biometric data falls under the exclusive competence of the Member State (para. 47). The Court does not make a reservation between uses that fall under EU law and that do not, just all secondary use is excluded by the words of this recital. It is remarkable that the Court accepts this without questions.

Recital 22 of the data retention directive (Directive 2006/24) provided that this directive respected

6 Para. 50.

7 Para. 53.

8 In this comment I focus on the second preliminary question, which is relevant to data protection in the EU.

9 Usually this is referred to as function creep, yet I believe purpose creep is more accurate. See also T.H.A.

Wisman, Purpose and function creep by design: Transforming the face of surveillance through the Internet of Things, European Journal of Law and Technology 2013, Vol 4, nr. 2. See

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2486441.

10 Steve Peers also makes this point about the ECJ’s unwillingness to rephrase the question in this case, while in

other cases it does apply this technique. See http://eulawanalysis.blogspot.nl/2015/04/biometric-data-and-

data-protection-law.html, last seen 10

th

of October 2015.

(4)

fundamental rights and sought to ensure full compliance with citizens right to private life as

enshrined in the Charter. If the Court would resign to the statements of the EU legislator every time, it would have never reached its decision in Digital Rights Ireland.

11

There are other parallels to Digital Rights Ireland, one of which is that the Court in that case did find that the directive did not require the data to be stored in the EU, thereby it could be placed outside of the control of the data protection authority, which the Court held to be an essential component of the protection of individuals with regard to the processing of data (para. 67). A salient detail in the present case is that the production of passports in the Netherlands was outsourced to the French company Sagem, which merged with Safran Morpho, a company with a branch in the US. Therefore Safran Morpho fell under the Patriot Act, thus providing the US authorities the possibility to demand access to the databases with fingerprints. This possibility and risk was acknowledged by then Minister Spies.

12

3. Applicability of the regulation, or applicability of EU law

Next, the Court makes a funny jump in its line of argumentation. First, it formulates when the Charter is applicable: “applicability of EU law entails applicability of the fundamental rights guaranteed by the Charter.”

13

Second, it argues that since the regulation is not applicable, there is no need to determine whether the further processing of biometric data is compatible with the Charter (para. 50).This seems to be based on the logic that the applicability of the regulation determines the applicability of other EU law and therefore the Charter. Yet, the applicability of EU law is a much broader category than just the applicability of Regulation No 2252/2004. So on top of not rephrasing the question to come to the heart of the matter, the Court follows an arguably flawed line of reasoning which allows it not to go into the compatibility of the Dutch law with the Charter.

In the decision whether EU law applies, the Court could have held relevant that the collection of the fingerprints is a competence created by the EU legislator and their collection by Member States is based on this competence. From the legislative history of the Passport Law it can be concluded that this collection was based on the regulation and defended by the then responsible minister as such.

14

The collection of fingerprints is an obligation that follows from Regulation No 2252/2004 and is therefore a part of the implementation of that regulation. It is hard to see why the further processing of fingerprints would not fall under the scope of EU law. Without the EU competence there would be nothing to centralize. The contested provisions of the Passport Law could be viewed as a

perpetuation of the competence granted by Regulation No 2252/2004.

Furthermore, it could be argued that there are specific rules on data protection which follow from Directive 95/46, which is another argument to bring this further processing under the scope of EU law. In recent case law the Court formulated a set of criteria relevant for the applicability of the Charter: the nature of the Member State’s legislation as well as the existence of specific rules of EU law on the matter, were listed amongst these criteria.

15

Although it is true that Directive 95/46 allows 11 CJEU 8 April 2014, Digital Rights Ireland Ltd, C-293/12 and C-594/12, ECLI:EU:C:2014:238.

12 See https://zoek.officielebekendmakingen.nl/ah-tk-20112012-2710.html, last seen October 14

th

, 2015.

13 Para. 49 with referral to Åkerberg Fransson, C-617/10, ECLI:EU:C:2013:105, para. 20 and 22 and Textdata Software, C-418/11, EU:C:2013:588, para. 71 to 73.

14 Kamerstukken II, 2007-2008, 31 324 (R1844), nr. 3, p. 5.

15 CJEU 6 March 2014, Siragusa, C-206/13, ECLI:EU:C:2014:126, para. 25, references to cases Annibaldi, Iida

and Ymeraga omitted. Found in this case note of Laurens Ankersmit, see http://europeanlawblog.eu/?p=2253,

last seen October 10

th

2015.

(5)

for exemptions for national security and crime in Article 13, the Court did argue in the past that legislation which pursues a public interest through the processing of personal data still has to satisfy the requirement of proportionality that follows from Article 8 ECHR.

16

A peek in the kitchen of the ECtHR would have sufficed to conclude that the preemptive storing of fingerprints of the entire population (from 14 years and older) of a country is not considered a legitimate dish. In recent case law the ECtHR respectively found blanket retention of fingerprints of suspects who were not

convicted disproportionate and more recently it decided that it is impossible to justify the storage of fingerprints on the entire population of a country, because this “would most definitely be excessive and irrelevant”.

17

Giving data protection the finger

In the grand finale of the judgment the Court puts words in the mouth of the referring court, which actually conflict with what the Raad van State actually asked: “by its questions, the referring court requests the interpretation of Regulation No 2252/2004 and only that regulation”(para. 52). What the referring court asked whether Article 4(3) of the regulation read in the light of Article 7(f) of Directive 95/46 in conjunction with Article 6(1)(b) should be interpreted as providing a statutory guarantee (this on top of the Charter as well as the ECHR). The referring court could have hardly asked the interpretation of other “specific rules of EU law on the matter or capable of affecting it”

18

more explicitly than this. To cite Steve Peers on this matter: “the CJEU’s answer simply departs from reality”.

19

The Court sticks stubbornly to the scope of the regulation as relevant criterion, while steadily denying that this regulation might be affected by other EU laws. The contradicting result is that citizens their fingerprints are retained on the bases of EU legislation, yet EU law does not provide protection with regard to this retention. This is a disappointing and unsatisfying judgment, not to say a piece of judicial escapism.

16 CJEU 20 May 2003,C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, ECLI:EU:C::2003:294, para. 91.

17 ECtHR 4 December 2008, S. and Marper v. The United Kingdom, application nos. 30562 and 30566/04, 4 para. 125. ECtHR 18 April 2013, M.K. v. France, application no. 19522/09, para. 22.

18 The Court’s own formulation in Siragusa para. 25, when it talks about factors that might determine whether national legislation involves the implementation of EU law.

19 See http://eulawanalysis.blogspot.nl/2015/04/biometric-data-and-data-protection-law.html, last seen 10

th

of

October 2015.

Referenties

GERELATEERDE DOCUMENTEN

Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of

However, even if the judge establishes that one of the principles of a fair trial was breached in a binding advice procedure, this will not necessarily mean that the decision may

Thus, on the one hand, hospitals are pressured by the EU government, causing them to form similar policies concerning data protection, but on the other hand, the ambiguity of the GDPR

States shall not impose any further security or notification re- quirements on digital service providers.” Article 1(6) reads as fol- lows: “This Directive is without prejudice to

Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of

6 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee, the Committee of the Regions and the National Parliaments,

The researchers found that serious forms of victimisation most often occurred in case of discrimination on the ground of race, sex or disablement, where it concerned a case

An organisation that owns several centres which provide daycare for young children asked the Equal Treatment Commission to give its opinion about the organisation’s intention to