ECJ rules against EU law on fingerprints in national IDs

The European Court of Justice (ECJ) ruled on Thursday (21 March) that a 2019 EU regulation obliging EU citizens to give their fingerprints for national identification cards was founded on the wrong legal basis, declaring the EU law entirely invalid.

The court in Luxemburg also ruled that the obligation to include two fingerprints, despite affecting fundamental rights, is justified.

Even though the legislation was overturned, the ECJ judge ruled that the EU regulation from 2019 remains effective until a new regulation enters into force, at the latest in December 2026. Otherwise, it will expire.

EU regulators required that national ID cards use fingerprints to increase the security of the identification documents.

Germany implemented the regulation in 2021 and has since required fingerprints for ID cards. But human rights groups argued that the mandatory collection of fingerprints is disproportionate, ineffective, and open to government abuse.

Digitalcourage, a German organisation advocating for fundamental rights and data protection, challenged the EU regulation, initially in the German courts.

They said the fingerprint requirement in identity cards is a disproportionate restriction of the European Charter of Fundamental Rights to respect private life and the protection of personal data.

“I can change a password if it is compromised. But you can’t do that with biometric data. So I can’t change a fingerprint and a fingerprint can easily be obtained by other people,” Rena Tangens, founder and board member of Digitalcourage, explained during a press conference on 19 March.

Implications

EU lawmakers can now use this timeframe until December 2026 to draft a new regulation based on the correct legal basis.

Previously, the regulation was adopted in ordinary legislative procedure but according to the ECJ, the regulation should have required a special legislative procedure, meaning unanimity in the Council.

In 2019, the Czech Republic and Slovakia voted against the regulation introducing the fingerprint requirement.

“If the member states do not reach an agreement, the legal basis for the continued storage and mandatory new collection of fingerprints would no longer apply,” Anja Hoffmann, an expert on digital economy at the Center for European Policy (cep), told Euractiv.

“This would mean that national authorities would have to issue ID cards without taking fingerprints and ID card holders could request the deletion of fingerprints already stored on ID cards,” Hoffmann added.

A long court fight

In 2021, Detlev Sieber, managing director of Digitalcourage, filed a lawsuit at the Administrative Court in Wiesbaden after he requested an identity card with an electronic function without submitting his fingerprints. 

Digitalcourage argued that the EU fingerprints requirement interferes with fundamental rights established in European law.

In January 2022, the Wiesbaden court followed Digitalcourage’s argument as to why a fingerprint requirement is incompatible with fundamental rights, referring the lawsuit to the ECJ.

One month later, the Hamburg Administrative Court suspended the fingerprint requirement for ID cards for the time being, pending the proceedings before the ECJ.

Prior to Thursday’s final ruling, the Advocate General of the ECJ Laila Medina declared last June that the compulsory fingerprinting on identity cards is valid, in what was seen as a preliminary decision for the judgment. 

Wider attack surface

According to the German Ministry of Interior, fingerprints are locally stored on a chip integrated into the ID card.

However, a spokesperson for Digitalcourage told Euractiv that “a storage method that is still considered safe by authorities today can be easy to crack in just a few years”, a spokesperson for Digitalcourage told Euractiv.

Storing entire fingerprints also increases the risk of identity theft if a data leak occurs and contradicts the principle of data minimization set out in the General Data Protection Regulation (GDPR), the data rights organisation argued.

In Digitalcourage’s opinion, a particularly large risk arises from the fact that the fingerprints are stored by local issuing authorities and the companies that subsequently manufactures the ID card. Although the data should ideally be deleted when the ID card is collected, it can be stored for up to 90 days.

Regional authorities might be lacking the cybersecurity measures to keep the fingerprints from hackers’ hands, so in that time frame the fingerprints are particularly vulnerable.

The EU regulation also leaves it up to member states to decide fingerprints can be used for purposes other than creating ID cards. This means that the fingerprints taken for identification can then be accessed for search warrants or other law enforcement purposes, depending on national government’s relevant regulations.

As such, the obligation to collect fingerprints for ID cards ceases to fulfil the original purpose of the EU regulation, namely the promotion of freedom of movement, said the German organisation in its lawsuit.

While the data rights organisation also argued that fingerprints are not an efficient tool to avoid forgery, the ECJ ruled that a facial image alone would be a less effective means of identification than two fingerprints in addition to the image.

[Edited by Eliza Griktsi/Zoran Radosavljevic]

Read more with Euractiv

France fines Google for failing to pay media companies

French regulators said Wednesday (20 March) they were fining Google €250 million for breaching commitments on paying media companies for reproducing their content online and for using their material for its AI chatbot without telling them.