Biometric data and data protection law: the CJEU loses the plot

 

Steve Peers

Many people are increasingly concerned about adequate protection of their biometric data. To this end, the proposed EU data protection Regulation would classify that data as sensitive data, ensuring an extra degree of protection for it. But in the meantime, before that proposal is adopted, there are other EU measures which regulate the issue. Unfortunately, yesterday’s judgment of the CJEU in Willems and others does an inadequate job, with great respect, in applying the current EU rules to such data.

Background

The Willems judgment concerns biometric data collected for passports, as provided for in an EU Regulation of 2004, as amended in 2009. In fact, the CJEU has ruled on this Regulation several times before. In UK v Council, it (unconvincingly) ruled that the UK could not participate in the Regulation, since it was closely linked to the parts of Schengen rules (the abolition of internal border controls) in which the UK didn’t participate. In Schwarz, it ruled that the Regulation was valid from two different angles, as it was correctly adopted using the ‘legal base’ allowing the EU to adopt measures on external border control, and the interference which it entailed with the right to privacy was justified by the interest in ensuring the identity of passport holders and the validity of the passport. Finally, the Court recently ruled on the privacy aspects of displaying names in passports (as discussed here).

Building on these judgments, the national court in Willems had two questions. First of all, did the Regulation apply to some types of identity cards, given that they can in effect be used as passports for travel within the EU? Secondly, the national court asked the CJEU to interpret the data protection rules applicable to the further use of biometric data after it was collected for the purposes of passports. The latter question stemmed from the concern of the litigants in this case that their biometric data would be stored on a centralised database with inadequate security, which would be used for other purposes without a clear identification of who would have access to it.

More precisely, the national court’s second question was whether ‘Article 4(3) of [the passport Regulation, read] in light of Articles 7 and 8 of the Charter of Fundamental Rights of the [EU], Article 8(2) of the [ECHR] and Article 7(f) of [the current data protection Directive], read in conjunction with Article 6(1)(b) of that Directive’, required a guarantee that when collecting biometric data under the Regulation, Member States had to apply a ‘purpose limitation’ rule that such data  could only be used for the original purpose for which the passport was issued.

Judgment

On the first question, the CJEU looked at the wording of the Regulation, which specified that it did not apply to ‘identity cards issued to [Member States’] nationals or to temporary passports and travel documents having a validity of 12 months or less’. The Court ruled that the words ‘having a validity of 12 months or less’ only set out the scope of the Regulation as regards ‘temporary passports and travel documents’, meaning that such documents were within the scope of the Regulation if they were valid for more than 12 months. On the other hand, the words ‘having a validity of 12 months or less’ did not set out the scope of the Regulation as regards national identity cards. So no identity cards fall within the scope of the Regulation, regardless of the period of their validity.

On the second question, the CJEU ruled that the passport Regulation only governed the use of data for the purposes of that Regulation. Any further use of that data, as specified in the preamble, was regulated by national law. It followed that the Regulation did not apply a purpose limitation rule upon Member States as regards biometric passport data. Because the Regulation did not apply to such uses by Member States, the EU Charter did not apply either, although such further use of data might be restricted by national law or the ECHR. Finally, as for the data protection Directive, the CJEU stated that ‘the referring court was requesting the interpretation of [the passport Regulation] and only that Regulation’, so there was no need to examine whether the data protection Directive affected national law on the further storage and use of biometric data collected for passport purposes.

Comments

I won’t mince words: this judgment is appalling.  It’s sensible enough as regards the scope of the passports Regulation itself, which clearly wasn’t intended to apply to any national identity cards or to the creation of government databases using biometric data. But the Court’s fundamental flaw is its failure to confirm and elaborate upon the application of the Charter and the data protection Directive to such databases.

Let’s examine those two points in turn. As regards the Charter, of course it’s true, as the Court says, that it only applies when a dispute falls within the scope of EU law. But the Court made that point only as regards the scope of the passports Regulation, before (not) answering the question about the data protection Directive. Logically the Court cannot conclude that this dispute is not linked to EU law before it assesses also whether the data protection Directive applies.

Anyway, if we apply the Court’s own case law, the link to the passports Regulation alone brings this issue within the scope of the Charter. In NS, a key judgment on the scope of the Charter, the EU’s Dublin Regulation left an option to Member States to decide in their national law whether to consider asylum applications which fell within the responsibility of another Member State. But the Court ruled that the Charter applied to such national discretion. More relevantly, in a line of cases starting with Promusicae, the Court applied the Charter in detail to a national option to provide for the collection of personal data on use of the Internet set out in EU law. And in last year’s Digital Rights judgment, the Court invalidated the EU’s data retention Directive for the very reason that this Directive failed to effectively regulate the further national use of personal data collected pursuant to it.

As regards the question about the data protection Directive, the CJEU’s answer simply departs from reality. It is quite clearly not true that the national court was ‘only’ asking for an interpretation of the passport Regulation. As we can see from the text of the question excerpted above, it also asked the CJEU to interpret the data protection Directive. Admittedly, it only asked the CJEU to interpret the Directive in the context of the Regulation. But the CJEU does not make that distinction clear; and more importantly, that distinction just doesn’t matter.

Why? Because the CJEU has frequently rephrased questions by national courts in order to give a full reply to the EU law issues which they are actually having to address in the relevant litigation. The examples are legion, but the most relevant one is the judgment in Promusicae. In that case, which concerned mass interception of Internet users’ activity for the purposes of enforcing intellectual property rights, the national court only asked questions about EU intellectual property law and the e-commerce Directive. The CJEU quite rightly redrafted the questions in order to give an answer about the relevant data protection rules (in that case, the e-privacy Directive) as well. In Willems, the national court had already identified the relevance of the data protection Directive, so a comparatively minor redraft of its questions would have sufficed in order to ensure a reply that was fully relevant to the national litigation.

The Court’s ruling is also unsatisfactory in the broader context of the legislation and case law on similar issues. When it asserted that national law applied to databases of biometric data, the CJEU only selectively quoted from the preamble to the passports Regulation. Recital 4 of the preamble to the 2004 Regulation states that access to the data collected as regards biometric passports is ‘subject to any relevant provisions of [EU] law’. Moreover, the CJEU interpreted the data protection Directive as regards a comparable national database (a collection of information on foreign nationals) in the Huber judgment. I should note that the data protection Directive also applies where the passport Regulation does not: to biometric information collected as regards identity cards, and to passport biometric information collected in the Member States that are not bound by the Regulation (the UK and Ireland). Finally, the Court’s indifference to the fate of biometric data collected by Member States as regards passports seriously undercuts its own rulinge in Schwarz, when it defended the validity of the passports Regulation on the basis of the limited scope of its interference with privacy rights (proportionality), and quoted the S and Marper judgment of the European Court of Human Rights to the effect that ‘the [EU] legislature must ensure that there are specific guarantees that the processing of such data will be effectively protected from misuse and abuse’.  

At first sight, these criticisms of the ruling may seem legalistic. But my concerns are about much more than the deep flaws in the Court’s legal reasoning here. As we all know, the scope of databases and mass surveillance of individuals (‘big data’) have increased exponentially in recent years. This raises huge human rights issues and EU law has a significant role to play. Last year, in its judgments in Digital Rights and Google Spain, the CJEU genuinely tried to grapple with these issues. Many aspects of these judgments have been criticised, but the Court is at its best when it fully engages in these important legal debates. When it avoids them, with the specious legalism it spouts in Willems, it is at its worst.

 

Image credit: Dailyalternative.co.uk

Barnard & Peers: chapter 9, chapter 26

Doktor U? The CJEU reconciles the right to a name with passport security

Steve Peers

Many people have a fluid sense of their personal identity. But this is anathema from the perspective of law enforcement bodies, who seek to fix individual identity in order to ensure certainty about each person they are collecting information on.

The CJEU had to reconcile these two conflicting principles in last week’s judgment in U. This was one of four separate CJEU judgments that week where the plaintiff was designated by a letter only (the others were E, Q and X). In my view, it’s long past time for the Court to borrow a good idea from journalism, and simply give the people in question assumed names. That’s because it’s harder to understand and recall a case which is designated by letters only, especially where the same letters are reused by the Court in other cases in the same field (such as asylum).

In particular, it’s confusing to use an initial only for the U case, because the whole point of the case is the designation of names. In fact, under German law Mr. U is also entitled to use ‘Doktor’ as part of his name. This makes it hard to resist the temptation to call him ‘Doktor U’. So I won’t resist it at all.
  

The judgment

Doktor U had the birth name ‘E’, but his official surname is now U. The German authorities placed in his passport that his name was ‘Dr. U, GEB E’. The ‘GEB’ stands for the German word ‘geboren’ (meaning ‘born’). In practice, this led to confusion about what his actual name was. So he challenged the authorities’ decision in the German courts, which asked the CJEU to interpret the EU’s passport security Regulation and the EU Charter of Rights.

According to the CJEU, first of all the EU legislation requires all passports to apply the recommendations of the ICAO on document security. This is an interesting example of EU law importing international soft law by reference (on the implications of this for EU external relations, see this week’s judgment in Germany v Council).

Secondly, the Court ruled that a Member State had flexibility to designate a person’s birth name as part of his name on a passport, even though the ICAO rules refer to national law, and the relevant German law on fixing of names (as distinct from the law on passports) does not include birth names as part of a person’s name. The rationale here was the interest of document security, which favoured the use of a fixed element (the name at birth).

Thirdly, the Court ruled that the birth name could not be included in the optional section of the passport. Finally, interpreting the Charter, it ruled that the right to a name, which forms part of the right to a private life set out in Article 7 of the Charter, means that any use of a birth name on a passport had to be clearly indicated. The abbreviation ‘GEB’ was not translated, so could not be comprehended by the authorities of other countries and was liable to lead to practical complications for the passport holder.  

Comments

It might be hard for some Germans to admit it, but their country’s enormous influence in the EU political system has not been accompanied by any predominance of the German language, either inside or outside the EU. So the insistence of a peculiar approach to inscribing names on passports, coupled with an absence of translation, will inevitably lead to complications for those German citizens whose name has changed since birth.

The CJEU goes some way to addressing that problem in this judgment, when it requires the German authorities to make it clear to the non-German speakers who make up most of the rest of the world that Doktor U’s birth name is just that, and that he now goes by a new name.  At least this will reduce the confusion about his name that the good Doktor experiences in practice.

But the Court could have gone much further. Doktor U didn’t merely want to reduce confusion about his current name; he wanted to be known only by his current identity. After all, his fictional namesake has not disclosed his Gallifreyan birth name in 50 years of screen time (or thousands of years in narrative time). And unlike that time-travelling Doctor, the real Doktor U has presumably not regenerated his body many times over, with consequent complications for using his passport.

While the Court was right to say that the EU legislation requires the application of ICAO soft law, it did not acknowledge the great ambiguity in those rules. Indeed, it is striking that the Advocate-General’s opinion arrives at precisely the opposite interpretation of them. The objective of ensuring passport security could still have been achieved by providing a precise record of Doktor U’s current identity. And the Court would have surely reached this conclusion if it had performed in this case – as it always ought to do – an assessment of whether the interference in Doktor U’s right to his private life was proportionate and necessary.

Barnard & Peers: chapter 9, chapter 26

Two Codes to rule them all: the Borders and Visa Codes

Steve Peers

In today’s judgment in Air Baltic, the Court of Justice of the European Union (CJEU) has taken the next logical step following its judgment late last year in Koushkaki, where it ruled that the EU’s visa code set out an exhaustive list of grounds for refusing a visa application.  Today the Court has confirmed that the same is true of the Schengen Borders Code. Moreover, the Court has clarified a number of general and specific points about the nature and interpretation of the two codes.

Facts and judgment

This case concerned an Indian citizen who flew from Moscow to Riga. He had a valid multiple-entry Schengen visa, which was attached to a cancelled Indian passport. He also had a second Indian passport, which was valid but which did not contain a visa. The Latvian border guards then refused him entry into Latvia, on the grounds that the valid visa had to be attached to the valid passport, not to the cancelled passport.

For good measure, the Latvian authorities also fined the airline, Air Baltic, for transporting him without the necessary travel documents. The airline appealed the fine, and lost at first instance. But an appeal court then sent questions to the Court of Justice to clarify the legal position.

The CJEU ruled first of all that the cancellation of a passport by a third country did not mean that the visa attached to the passport was invalid. This was because only a Member State authority could annul or revoke a visa, and because the visa code did not allow for the annulment of a visa in such cases anyway. The Court extended its ruling in Koushkaki to confirm that the grounds for annulling a visa were exhaustive; the same must be true of the grounds for revoking a visa.

Secondly, the Court ruled that the Schengen Borders Code did not require entry to be refused in cases like these. The different language versions of that code suggested different interpretations, but as always, the Court seeks a uniform interpretation of EU law regardless. In this case, the standard form to be given to persons who were refused entry at the border to explain why they were refused does not provide for refusal on the grounds that a valid visa was not attached to a valid passport.

Also, the Court pointed out that the idea of separate visas and passports was not unknown to EU law, since the visa code provides that in cases where a Member State refuses to recognise a passport as valid, a visa must be issued as a separate document. Checking two separate documents was not a huge burden for border guards, and refusing entry simply on the grounds that the valid passports and visas were in two separate documents would infringe the principle of proportionality.

Finally, the Court ruled that the national authorities of Member States do not have any residual powers to refuse entry to third-country nationals on grounds besides those listed in the Schengen Borders Code. The Court reached this conclusion, by analogy with Koushkaki, because: the standard form giving the grounds for refusing entry contains an exhaustive list of grounds for refusal; the nature of the Schengen system ‘implies a common definition of the entry conditions’; and this interpretation would support ‘the objective of facilitating legitimate travel’ referred to in the preamble to the visa code.

Comments

The Court’s ruling that the Schengen Borders Code provides for complete harmonisation of the rules on refusal of entry is not really surprising, particularly after the judgment in Koushkaki reaching the equivalent conclusion regarding the visa code. However, it should be noted that in today’s judgment, the Court does not repeat its qualification in Koushkaki that national authorities had wide discretion to interpret the common rules in question. Furthermore, the Schengen Borders Code is relevant not only to those third-country nationals who need visas for entry, but also those who do not, such as visitors from the USA, Canada and most of the Western Balkans.

In effect, the Court’s ruling confirms that the Schengen zone is in effect the equivalent of the EU’s customs union, as regards the movement of people. Of course, the customs union and the Schengen zone do not apply to the same countries, due to opt-outs from Schengen (UK and Ireland), the deferred admission to the Schengen system (Romania, Bulgaria, Cyprus and Croatia), and the rules on association with each system (Turkey is part of the EU’s customs union, while Norway, Iceland, Liechtenstein and Switzerland apply the Schengen rules). But the basic concept is the same, with the obvious implications as regards exclusive external competence of the EU (although a Protocol to the Treaties conserves some external competence over borders for Member States), and uniform interpretation of the rules in the respective codes.

As to the more detailed aspects of this case, the Court is surely right to rule against the pedantry of insisting that where a person holds a valid visa and a valid passport, the visa must always be attached to the passport. The underlying objective to ensure that the person concerned meets the conditions of entry is satisfied regardless of whether the visa is attached to the passport or not. Also, the Court’s ruling that the Borders Code has to be interpreted in accordance with the principle of proportionality, and in light of the objective of facilitating legitimate travel, could have broader implications in other cases.

Finally, the necessary corollary of the judgments in Koushkaki and Air Baltic is that a third-country national who meets the conditions to obtain a visa and/or cross the external borders has the right to that visa and/or to cross those borders. So these issues are not governed by national administrative discretion, but by uniform EU rules. The strengthening of the rule of law in this field is very welcome.

Barnard & Peers: chapter 26