German court escalates ID card fingerprints requirement to European Court of Justice
A local court in Germany has referred a case involving legal action against the obligation to store fingerprint biometrics on ID documents to the European Court of Justice, announces the campaign group Digitalcourage, which brought the case.
In line with EU regulation, Germany amended its regulations on identity cards and electronic identification in August 2021 and has required all new applicants for ID cards to give biometric prints of their index fingers to be stored on a chip in the cards.
Digitalcourage does not believe the EU regulation underpinning this to be compatible with European law and brought a case spanning formal errors, lack of privacy impact assessment and incompatibility with European fundamental rights.
The Administrative Court of Wiesbaden in Hesse has accepted the arguments and referred the case to the European Court of Justice in Luxembourg although no date is set at the time of writing. The European Commission, Advocate General and EU Member States can also submit their opinions to the court.
If the ECJ were to uphold the case then it could nullify the EU regulation, according to Digitalcourage. The group wants a card without fingerprints to be issued.
The EDRi reports that the campaign group ran a long campaign against fingerprints in ID ahead of the case and this mobilized many Germans.
Errors, rights and a missing impact assessment
The campaign group argued that the obligation to store fingerprints is not compatible with the fundamental right to respect of private and family life and the right to the protection of personal data concerning them.
Personal data can only be processed with consent and as ID cards are compulsory in Germany, voluntary consent cannot be assumed. They argue too that there it is not proven that storing fingerprints on cards increases their protection against falsification. The biometrics only link the card to the holder and do not prove the card is genuine.
What is stored are full images of the fingerprints which the group argues contradicts the GDPR’s principle of data minimization, states the group, and argues that the RFID chips could potentially be read by unauthorized scanners.
The group argued that if the data processing creates a high risk for persons’ rights and freedoms, the GDPR requires a privacy data impact assessment. This was not taken into account in the legislation. The Administrative Court seems to have been most definitive in its accepting of this point. The campaign group quotes the court: “The failure to conduct an impact assessment must make the legal norm invalid, because ‘otherwise the norm’s creator would be rewarded for their malpractice’.”
Digitalcourage summarizes the formal errors element of their argument: “The EU Regulation was created using the so-called ordinary legislative procedure. But in this case, a special legislative procedure which imposes stricter requirements was needed.”