Are the Dutch rules that require four fingerprints to be taken from people wishing to have a Dutch identity card compatible with EU privacy law?
Mr Kooistra applied to his local authority for a Dutch identity card (ID card). In December 2010, the mayor refused to issue one because Mr Kooistra had refused to provide four fingerprints and a photograph of his face. Mr Kooistra objected to the saving and storage of his biometric data; namely, the storage of two fingerprints onto a computer chip found within a Dutch ID card and photograph; plus the storage of four fingerprints and photograph onto a centralised register, and decentralised registers. To support these objections he pointed out the risks of this data being misused, or illegally appropriated, or illegally used. There were also dangers of the data being gathered for one purpose and then being used for another at a later point in time. These risks were increased by data mining and by connecting databases. And the security features for safeguarding the data were not the best available with the result that it was relatively easy to copy the data illegally. At the end of the day, it was not even clear what menace incorporating and using the data in a travel document was designed to combat.
In February 2011, Mr Kooistra brought administrative law proceedings against the mayor to issue an ID card. However, the District Court of Leeuwarden held that the mayor had not acted ultra vires and the restriction on the private life of citizens through the creation of decentralised storage and the use of fingerprints did not amount to an infringement of Article 8 ECHR.
On appeal to the Dutch Council of State [Raad van State], the Council admitted that it was not clear from the wording of the Regulation what constituted an ID card. Nor were the obligations clear in respect of an ID card which could be used as a travel document.
An unofficial translation of the questions asked by the Dutch Council of State reads:
1. Is Article 1(3) of Council Regulation (EC) No. 2252/2004 of 13 December 2004, on standards for security features and biometrics in passports and travel documents issued by Member States (OJ 2004 L 385, p. 1), as amended by No. Regulation (EC) No 444/2009 of the European Parliament and of the Council of 28 May 2009 to be understood as meaning that the Regulation does not apply to identity cards, such as the Dutch ID card, issued by Member States to their subjects irrespective of the time period of the card’s validity and irrespective of the possibilities to use this as a travel document?
2. If it follows from the answer to question 1 that Council Regulation (EC) No. 2252/2004 of 13 December 2004, on standards for security features and biometrics in passports and travel documents issued by Member States (OJ 2004 L 385, p. 1), as amended by Regulation (EC) No. 444/2009 of the European Parliament and of the Council of 28 May 2009, is however applicable to identity cards such as the Dutch ID card, given the possibilities to use this as a travel document, is Article 1(2) of the Regulation valid in light of Articles 7 and 8 of the EU Charter of Fundamental Rights and Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms?
3. If the answer to question 2 entails that Article 1(2) of Council Regulation (EC) No. 2252/2004 of 13 December 2004, on standards for security features and biometrics in passports and travel documents issued by Member States (OJ 2004 L 385, p. 1), as amended by Regulation (EC) No. 444/2009 of the European Parliament and of the Council of 28 May 2009 is valid, must Article 4(3) of the Regulation – in light of Articles 7 and 8 of the EU Charter of Fundamental Rights, Article 8(2) of the Convention for the Protection of Human Rights and Fundamental Freedoms, and Article 7(f) of the Privacy Directive when read together with Article 6(1)(b) of the Directive – be interpreted as meaning that for the purposes of implementing this Regulation by the Member States, it should be guaranteed by legislation that the biometric data collected and stored on the basis of this Regulation, must not be collected, processed and used for purposes other than the issuing of the document?
This reference forms one of four made to the CJEU concerning the Dutch passport and identity rules. The other 3 references from the Raad van State are docketed by the CJEU as: Case C-446/12, Willems; Case C-448/12, Roest; and Case C-449/12, van Luijk.
The Dutch Council of State has observed that it is not a priori clear whether the restriction on the right to privacy is proportionate to the importance of preventing the misuse of passports and travel documents.
These 4 references have been made in the full knowledge that the Verwaltungsgericht Gelsenkirchen had already made a reference to the CJEU questioning the legal validity of the EC Regulation.
The Dutch Council of State shares the doubts as to the validity of the Regulation which were expressed by the German court in Case C-291/12, Michael Schwarz, and requests that the CJEU consider the Dutch references together with the German reference.
For further information about the reference from the German court, see Case C-291/12, Michael Schwarz – No fingerprints? No passport. An invalid EC Regulation?
Update – 20 March 2015
This case was heard on 6 November 2014. The judgment of the Fourth Chamber is due on 16 April 2015.
Update – 16 April 2015
For the judgment, see further, Case C-446/12, Willems – No fingerprints? No Dutch passport. No travel outside the EU.