Biometric Information Together With Information Protection Law: The Cjeu Loses The Plot

 

Steve Peers

Many people are increasingly concerned most adequate protection of their biometric data. To this end, the proposed European Union information protection Regulation would form that information every bit sensitive data, ensuring an extra bird of protection for it. But inward the meantime, earlier that proposal is adopted, at that spot are other European Union measures which regulate the issue. Unfortunately, yesterday’s judgment of the CJEU inward Willems together with others does an inadequate job, amongst keen respect, inward applying the electrical current European Union rules to such data.

Background

The Willems judgment concerns biometric information collected for passports, every bit provided for inward an European Union Regulation of 2004, every bit amended inward 2009. In fact, the CJEU has ruled on this Regulation several times before. In UK v Council, it (unconvincingly) ruled that the U.K. could non participate inward the Regulation, since it was closely linked to the parts of Schengen rules (the abolition of internal edge controls) inward which the U.K. didn’t participate. In Schwarz, it ruled that the Regulation was valid from 2 dissimilar angles, every bit it was correctly adopted using the ‘legal base’ allowing the European Union to adopt measures on external edge control, together with the interference which it entailed amongst the right to privacy was justified past times the involvement inward ensuring the identity of passport holders together with the validity of the passport. Finally, the Court latterly ruled on the privacy aspects of displaying names inward passports (as discussed here).

Building on these judgments, the national courtroom inward Willems had 2 questions. First of all, did the Regulation apply to roughly types of identity cards, given that they tin inward resultant endure used every bit passports for move inside the EU? Secondly, the national courtroom asked the CJEU to translate the information protection rules applicable to the farther usage of biometric information later it was collected for the purposes of passports. The latter query stemmed from the trouble organisation of the litigants inward this instance that their biometric information would endure stored on a centralised database amongst inadequate security, which would endure used for other purposes without a clear identification of who would accept access to it.

More precisely, the national court’s instant query was whether ‘Article 4(3) of [the passport Regulation, read] inward calorie-free of Articles vii together with 8 of the Charter of Fundamental Rights of the [EU], Article 8(2) of the [ECHR] together with Article 7(f) of [the electrical current information protection Directive], read inward conjunction amongst Article 6(1)(b) of that Directive’, required a guarantee that when collecting biometric information nether the Regulation, Member United States had to apply a ‘purpose limitation’ dominion that such information  could only endure used for the master copy usage for which the passport was issued.

Judgment

On the outset question, the CJEU looked at the wording of the Regulation, which specified that it did non apply to ‘identity cards issued to [Member States’] nationals or to temporary passports together with move documents having a validity of 12 months or less’. The Court ruled that the words ‘having a validity of 12 months or less’ only laid out the orbit of the Regulation every bit regards ‘temporary passports together with move documents’, pregnant that such documents were inside the orbit of the Regulation if they were valid for to a greater extent than than 12 months. On the other hand, the words ‘having a validity of 12 months or less’ did not laid out the orbit of the Regulation every bit regards national identity cards. So no identity cards autumn inside the orbit of the Regulation, regardless of the menstruum of their validity.

On the instant question, the CJEU ruled that the passport Regulation only governed the usage of information for the purposes of that Regulation. Any farther usage of that data, every bit specified inward the preamble, was regulated past times national law. It followed that the Regulation did non apply a usage limitation dominion upon Member United States every bit regards biometric passport data. Because the Regulation did non apply to such uses past times Member States, the European Union Charter did non apply either, although such farther usage of information mightiness endure restricted past times national police or the ECHR. Finally, every bit for the information protection Directive, the CJEU stated that ‘the referring courtroom was requesting the interpretation of [the passport Regulation] together with only that Regulation’, together with thence at that spot was no demand to attempt whether the information protection Directive affected national police on the farther storage together with usage of biometric information collected for passport purposes.

Comments

I won’t mince words: this judgment is appalling.  It’s sensible plenty every bit regards the orbit of the passports Regulation itself, which clearly wasn’t intended to apply to whatever national identity cards or to the creation of authorities databases using biometric data. But the Court’s fundamental flaw is its failure to confirm together with elaborate upon the application of the Charter together with the information protection Directive to such databases.

Let’s attempt those 2 points inward turn. As regards the Charter, of course of teaching it’s true, every bit the Court says, that it only applies when a dispute falls inside the orbit of European Union law. But the Court made that indicate only every bit regards the orbit of the passports Regulation, before (not) answering the query most the information protection Directive. Logically the Court cannot conclude that this dispute is non linked to European Union police earlier it assesses besides whether the information protection Directive applies.

Anyway, if nosotros apply the Court’s ain instance law, the link to the passports Regulation alone brings this number inside the orbit of the Charter. In NS, a key judgment on the orbit of the Charter, the EU’s Dublin Regulation left an selection to Member United States to hit upwardly one's heed in their national law whether to consider asylum applications which roughshod inside the responsibleness of roughly other Member State. But the Court ruled that the Charter applied to such national discretion. More relevantly, inward a describe of cases starting amongst Promusicae, the Court applied the Charter inward special to a national option to supply for the collection of personal information on usage of the Internet laid out inward European Union law. And inward final year’s Digital Rights judgment, the Court invalidated the EU’s information retentiveness Directive for the rattling argue that this Directive failed to effectively regulate the farther national usage of personal information collected pursuant to it.

As regards the query most the information protection Directive, the CJEU’s reply just departs from reality. It is quite clearly not true that the national courtroom was ‘only’ asking for an interpretation of the passport Regulation. As nosotros tin run into from the text of the query excerpted above, it besides asked the CJEU to translate the information protection Directive. Admittedly, it only asked the CJEU to translate the Directive inward the context of the Regulation. But the CJEU does non brand that distinction clear; together with to a greater extent than importantly, that distinction just doesn’t matter.

Why? Because the CJEU has ofttimes rephrased questions past times national courts inward lodge to give a amount reply to the European Union police issues which they are really having to address inward the relevant litigation. The examples are legion, but the most relevant i is the judgment inward Promusicae. In that case, which concerned volume interception of Internet users’ action for the purposes of enforcing intellectual belongings rights, the national courtroom only asked questions most European Union intellectual belongings police together with the e-commerce Directive. The CJEU quite rightly redrafted the questions inward lodge to give an reply most the relevant information protection rules (in that case, the e-privacy Directive) every bit well. In Willems, the national courtroom had already identified the relevance of the information protection Directive, together with thence a comparatively pocket-size fry redraft of its questions would accept sufficed inward lodge to ensure a reply that was fully relevant to the national litigation.

The Court’s ruling is besides unsatisfactory inward the broader context of the legislation together with instance police on like issues. When it asserted that national police applied to databases of biometric data, the CJEU only selectively quoted from the preamble to the passports Regulation. Recital four of the preamble to the 2004 Regulation states that access to the information collected every bit regards biometric passports is ‘subject to whatever relevant provisions of [EU] law’. Moreover, the CJEU interpreted the information protection Directive every bit regards a comparable national database (a collection of information on unusual nationals) inward the Huber judgment. I should banking company annotation that the information protection Directive besides applies where the passport Regulation does not: to biometric information collected every bit regards identity cards, together with to passport biometric information collected inward the Member United States that are non fountain past times the Regulation (the U.K. together with Ireland). Finally, the Court’s indifference to the fate of biometric information collected past times Member United States every bit regards passports seriously undercuts its ain rulinge inward Schwarz, when it defended the validity of the passports Regulation on the ground of the express orbit of its interference amongst privacy rights (proportionality), together with quoted the S together with Marper judgment of the European Court of Human Rights to the resultant that ‘the [EU] legislature must ensure that at that spot are specific guarantees that the processing of such information volition endure effectively protected from misuse together with abuse’.  

At outset sight, these criticisms of the ruling may seem legalistic. But my concerns are most much to a greater extent than than the deep flaws inward the Court’s legal reasoning here. As nosotros all know, the orbit of databases together with volume surveillance of individuals (‘big data’) accept increased exponentially inward recent years. This raises huge human rights issues together with European Union police has a important role to play. Last year, inward its judgments inward Digital Rights together with Google Spain, the CJEU really tried to grapple amongst these issues. Many aspects of these judgments accept been criticised, but the Court is at its best when it fully engages inward these of import legal debates. When it avoids them, amongst the specious legalism it spouts inward Willems, it is at its worst.

 

Image credit: Dailyalternative.co.uk

Barnard & Peers: chapter 9, chapter 26

Share this post