Case C-448/12, Roest – No fingerprints? No Dutch passport. A proportionate EU measure?

Are the Dutch rules that require people to be fingerprinted if they want a Dutch passport compatible with EU law?

Facts
In 2010, Ms Roest applied for a passport but refused to be fingerprinted because of the unforeseen consequences of supplying this biometric data. That is to say, it was not clear which third parties would have access to this data. The data could be accessed by hackers and others who had no legitimate access to it. Furthermore, she pointed out that under Article 65(2)and (3) of the Dutch Passport Act, there was the potential for central government to use the biometric data at some point in the future and for purposes other than those for which she was now obliged to provide the biometric data. Ms Roest also claimed to need a passport in order to work legally, to obtain social assistance payments, to follow education courses and training, and even to receive normal medical health care.

On appeal to the Amsterdam District Court, it was held that the mayor was right to refuse a passport and it pointed out that the EC Regulation made no exception for reasons of conscience.

On appeal to the Dutch Council of State, the matter of the security features of the passport was raised. One aspect of this was the link between a document and its bearer. On hearing the evidence, the Dutch Council of State held that any failed attempts to verify the link between a passport or travel document and its lawful holder would lead to doubts as to that link.

In that context, the Council of State wondered what significance should be attached to a provision in Regulation (EC) No. 444/2009 that amends Council Regulation (EC) No. 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States. That is to say, the final sentence in Article 4(3) of the amending Regulation declares: ‘The failure of the matching in itself shall not affect the validity of the passport or travel document for the purpose of the crossing of external borders’. The Dutch Council of State interpreted this to mean that a failed check has in principle no effects. But if that was right, then this raised the question as to the necessity of the measure, particularly when taking into account the far-reaching potential and inherent restrictions on the exercise of the rights such as those enshrined in Articles 7 and 8 of the EU Charter.

Furthermore, the Council of State doubted whether, given the current state of the art, verification on the basis of biometric data and characteristics really served the very aim of the Regulation. The Council was unable to make a finding as to the degree of risk attached to the fact that biometric data was on the microchip, and the misuse or manipulation of data by hacking or jail-breaking. However, it was common knowledge that digital data carriers such as chips could be hacked, even if the chips were secure. Accordingly, the Council of State was of the view that any and every risk of manipulation and misuse of biometric data should be taken into account when considering whether the legal measure was appropriate to the interest that was to be protected.

In light of this, the Council observed that it was not a priori clear whether the restriction on the right to a private life which results from this processing of biometric characteristics was proportionate and in keeping with the interest that was to be protected by preventing the misuse of passports and travel documents.

Questions Referred
An unofficial translation of the questions asked by the Raad van State reads:

1. Is Article 1(2) of Council Regulation (EC) No. 2252/2004 of 13 December 2004, on standards for security features and biometrics in passports and travel documents issued by Member States (OJ 2004 L 385, p. 1), as amended by Regulation (EC) No. 444/2009 of the European Parliament and of the Council of 28 May 2009 (OJ L142, p.1), valid in light of Articles 7 and 8 of the EU Charter of Fundamental Rights and Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms?

2. If the answer to question 1 entails that Article 1(2) of Council Regulation (EC) No. 2252/2004 of 13 December 2004, on standards for security features and biometrics in passports and travel documents issued by Member States (OJ 2004 L 385, p. 1), as amended by Regulation (EC) No. 444/2009 of the European Parliament and of the Council of 28 May 2009 (OJ L142, p.1) is valid, must Article 4(3) of the Regulation – in light of Articles 7 and 8 of the EU Charter of Fundamental Rights, Article 8(2) of the Convention for the Protection of Human Rights and Fundamental Freedoms, and Article 7(f) of the Privacy Directive when read together with Article 6(1)(b) of the Directive – be interpreted as meaning that for the purposes of implementing this Regulation by the Member States, it should be guaranteed by legislation that the biometric data collected and stored on the basis of this Regulation, must not be collected, processed and used for purposes other than the issuing of the document?

Comment
This reference forms one of four made to the CJEU concerning the Dutch rules for passports. The other 3 references from the Raad van State are docketed by the CJEU as: Case C-446/12, Willems; Case C-447/12, Kooistra; and Case C-449/12, van Luijk.

The Dutch Council of State has observed that it is not a priori clear whether the restriction on the right to privacy is proportionate to the importance of preventing the misuse of passports and travel documents.

These 4 references from the Dutch Council of State have been made in the full knowledge that the Verwaltungsgericht Gelsenkirchen had already made a reference to the CJEU questioning the legal validity of the EC Regulation.

The Dutch Council of State shares the doubts as to the validity of the EC Regulation expressed by the German court in Case C-291/12, Michael Schwarz, and requests that the CJEU consider the Dutch references together with the German reference.

For further information about the reference from the German court, see Case C-291/12, Michael Schwarz – No fingerprints? No passport. An invalid EC Regulation?

Update – 11 October 2014
The Fourth Chamber is scheduled to hear this case on 6 November 2014. The case will be heard together with the other above-mentioned references from the Dutch Council of State: Case C-446/12, Willems; Case C-447/12, Kooistra; and Case C-449/12, van Luijk.

Update – 20 March 2015
This case was heard on 6 November 2014. The judgment of the Fourth Chamber is due on 16 April 2015.

Update – 16 April 2015
For the judgment, see further, Case C-446/12, Willems – No fingerprints? No Dutch passport. No travel outside the EU.