Case C-291/12, Michael Schwarz – No fingerprints? No passport. An invalid EC Regulation?

Is the EU’s biometric data Regulation 2252/2004 invalid because it is a disproportionate infringement of a person’s fundamental rights to privacy and data processing?

Michael Schwarz applied to the German City of Bochum for a passport. However, he refused to be fingerprinted. The City of Bochum therefore decided not to issue him with a passport. Article 1(2) of EC Regulation 2252/2004 requires that passports and travel documents, ‘shall also include two fingerprints taken flat in interoperable formats’. Mr Schwarz brought proceedings to force the issuance of a passport without the need to take his fingerprints. He claimed that the Regulation did not have a sufficient legal base, and that it was adopted without following the relevant procedure. Moreover, he claimed that the EC Regulation infringes privacy law and data processing law, as protected under Article 8 ECHR and Article 8 EU Charter.

The Administrative District Court of Gelsenkirchen was unsure whether the CJEU had already addressed the issue of the validity of the Regulation. Although the Grand Chamber of the CJEU had given its judgment in Case C-137/05, United Kingdom the Court had not given a definitive answer on the issue of whether Article 62(2)(a) EC Treaty provided a sufficient legal basis for the Regulation. It was an issue still debated in German language commentary by writers such as Selbmann and Zeh; Hornung and Möller; and Pallasky. These writers observe that the legal basis for the Regulation was Article 62(2)(a) EC Treaty. The Article concerns a special protection of the external borders of the EU. But passports apply to accessing every state that requires an identification by passport. Moreover, there is now the question of whether EC Regulation 44/2009, which amends Regulation 2252/2004, infringes Article 67(1) EC Treaty because the EU Parliament was not adequately consulted. And the CJEU had not provided any clarity in respect of the relation between Article 1(2) of EC Regulation 2252/2004 and the fundamental rights enshrined in Article 8 ECHR, and Article 8 EU Charter.

The Gelsenkirchen District Administrative Court pointed out that German commentators and German courts disagree about the validity of the EC legislation. On the one hand, a court in Dresden has held that Articles 4(3) and (4) of the German Passport Act, which implements this EC legislation, did not infringe the EU Charter. On the other hand, German writers such as Altmann; Pallasky; Selbmann and Zeh, have argued that the EC legislation is not legal. And other writers too have expressed their doubts as to the legality of the legislation.

The Gelsenkirchen District Administrative Court summarised the arguments that legal academics have raised to suggest that the EC Regulation is invalid. In essence, they argue that the requirement of two pieces of biometric data (passport photograph and fingerprints) is a serious infringement of a person’s fundamental right to privacy. Such an infringement must satisfy the proportionality test: it must be appropriate, necessary and reasonable in light of the aim to increase protection against passports being misused. However, a biometric passport is not an appropriate measure because of the rate of mistakes which are made at border controls. There are various ways of getting around passport control’s biometric checks, and the technology used in that respect can also be circumvented. Another problem is the durability of the RFID chips inside the passports, and their susceptibility to being read by people who have no legal authority to read them. Furthermore, if the goal of the measure is to prevent terrorist attacks, then these biometric passports are suitable only to a very limited degree. The primary problem is the security risk that arises from the use of real passports which incorporate a fraudulently obtained identity. Furthermore, the planned storage of excessive raw unprocessed data records contain associated information from which conclusions can be drawn about specific illnesses, and this cannot be said to be necessary for the purposes of guaranteeing recognition. Priority ought to be given to the use of limited records in the form of templates because, from a data processing perspective, this would be less invasive. Equally, a less invasive means of ensuring a high level of protection against the misuse of passports would be to avoid storing the biometric data in the passport – a normal passport could be used with all of the security features of the former German passport. Finally, the biometric method of iris scanning could also be considered to be a less invasive means for data protection. Having weighed all of these aspects, and in particular the marginal advantages for security, and the great importance attached to the fundamental right to data protection in a democracy, and the risk of data being misused, and the risk of data being manipulated by third parties; these legal provisions are as such not ‘proportionate’ in the literal sense of that word. This conclusion also follows from the fact that government bodies can select high-quality biometric characteristics, which have been put together even without the knowledge of the data subject, and this data can, in the future, come to be centrally stored. There is also the claim that EC Regulation 2252/2004 infringes the right of free movement, and infringes Article 17 ICCPR, and infringes the various legal principles of equality and non-discrimination.

Question Referred
According to the Curia website, the 17th Chamber of the Verwaltungsgericht Gelsenkirchen has asked:

Is Article 1(2) of Council Regulation (EC) No 2252/2004 [...] of 13 December 2004, as amended by Regulation (EC) No 444/2009  of the European Parliament and of the Council of 6 May 2009, valid?

This reference has been referred to in 4 references made by the Dutch Council of State:
Case C-446/12, Willems – No fingerprints? No Dutch passport. No travel outside the EU.
Case C-447/12, Kooistra – No fingerprints? No Dutch ID card.
Case C-448/12, Roest – No fingerprints? No Dutch passport. A proportionate EU measure?
Case C-449/12, van Luijk – No fingerprints? No Dutch passport.

The hearing of Case C-291/12, Schwarz before the Fourth Chamber is scheduled for 13 March 2013.

Update – 26 March 2014
According to the OJ [2013] C367/17, the operative part of the judgment reads:

Examination of the question referred has revealed nothing capable of affecting the validity of Article 1(2) of Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States, as amended by Regulation (EC) No 444/2009 of the European Parliament and of the Council of 6 May 2009.