OPINION OF ADVOCATE GENERAL
MENGOZZI
delivered on 13 June 2013 (1)
Case C‑291/12
Michael Schwarz
v
Stadt Bochum
(Reference for a preliminary ruling from the Verwaltungsgericht Gelsenkirchen (Germany))
(Area of freedom, security and justice – Standards for security features and biometrics in passports and travel documents issued by Member States – Article 1(2) of Regulation (EC) No 2252/2004, as amended by Regulation (EC) No 444/2009 – Right to the protection of personal data)
Table of contents
I – Introduction
II – Legal context
A – Union law
B – German law
III – The dispute in the main proceedings and the question referred
IV – The procedure before the Court
V – Legal assessment
A – Alleged lack of a legal basis
1. The content and purpose of Regulation No 2252/2004, as amended
2. Whether Article 62(2)(a) EC is the appropriate legal basis for Regulation No 2252/2004, as amended.
B – Alleged breach of the obligation to consult the Parliament
C – Alleged infringement of the right to the protection of personal data
1. Preliminary remarks on the place of fundamental rights in the context of Regulation No 2252/2004, as amended
2. The obligation in Article 1(2) of Regulation No 2252/2004, as amended, constitutes an infringement of the fundamental right to the protection of personal data provided for by law and pursuing an objective of general interest recognised by the Union
3. Proportionality of the infringement
a) The limitation is appropriate for pursuing the objective of general interest recognised by the Union
b) Article 1(2) of Regulation No 2252/2004, as amended, is necessary to the attainment of the objective of general interest recognised by the Union
c) Final remarks
VI – Conclusion
I – Introduction
1. ‘Using biometrics in information systems is never an insignificant choice, especially when the system in question concerns such a huge number of individuals. … They change irrevocably the relation between body and identity, in that they make the characteristics of the human body ‘machine-readable’ and subject to further use. Even if the biometric characteristics are not readable by the human eye, they can be read and used by appropriate tools, forever, wherever the person goes.’
2. That warning by the European Data Protection Supervisor (2) is particularly relevant as the Court is now being asked to give a ruling on the validity, particularly in relation to the fundamental right to the protection of personal data, as laid down by the Charter of Fundamental Rights of the European Union (‘the Charter’), of the obligation imposed on the Member States by Council Regulation No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States, (3) as amended by Regulation (EC) No 444/2009 of the European Parliament and of the Council of 28 May 2009 (4) (‘Regulation No 2252/2004, as amended’), to issue passports to their nationals only on the condition that they submit to having two of their fingerprints taken, the image of which is stored in the passport itself.
II – Legal context
A – Union law
3. Article 1(2) of Regulation No 2252/2004 stated that ‘passports and travel documents shall include a storage medium which shall contain a facial image. Member States shall also include two fingerprints taken flat in interoperable formats. The data shall be secured and the storage medium shall have sufficient capacity and capability to guarantee the integrity, the authenticity and the confidentiality of the data.’
4. Article 1 of Regulation No 444/2009 amended Article 1(2) of Regulation No 2252/2004, which now reads as follows:
‘Passports and travel documents shall include a highly secure storage medium which shall contain a facial image. Member States shall also include two fingerprints taken flat in interoperable formats. The data shall be secured and the storage medium shall have sufficient capacity and capability to guarantee the integrity, the authenticity and the confidentiality of the data.’
B – German law
5. Paragraph 4(3) of the Law on passports (Passgesetz) of 19 April 1986, as amended by the Law of 30 July 2009, (5) provides as follows:
‘In accordance with Regulation [No 2252/2004], passports, official passports and diplomatic passports shall include a storage medium which shall contain a facial image, fingerprints, information on which fingers were used for fingerprinting, the quality of the prints and the information listed in subparagraph (2), second sentence. The stored data shall be secured against unauthorised reading, alteration and deletion. No federal database of the biometric data referred to in the first sentence shall be established.’
III – The dispute in the main proceedings and the question referred
6. Mr Schwarz, a German national, applied to the competent department of Stadt Bochum (the city of Bochum) for a passport, but refused to have his fingerprints taken as required. On 8 November 2007, the department in question, citing Paragraph 4(3) of the Law on passports of 19 April 1986, last amended by the Law of 30 July 2009, refused to issue the passport on the ground that it could not be issued without the compulsory fingerprints.
7. The applicant in the main proceedings then brought an action for an order directing Stadt Bochum to issue a passport without taking his fingerprints. For that purpose, he submits that Article 1(2) of Regulation No 2252/2004, as amended, which is the origin of the Member States’ obligation to take the fingerprints of any person applying for a passport, is invalid.
8. The referring court, sharing the applicant’s uncertainty, doubts whether Article 62(2)(a) EC is a sufficient legal basis for the adoption of Article 1(2) of Regulation No 2252/2004, as amended. In addition, the referring court questions whether the fact that the European Parliament was not consulted after the Council of the European Union converted what was originally, in the draft regulation, the option of obtaining fingerprints, into an obligation, constitutes a procedural defect which may affect the validity of Article 1. Finally, the referring court observes that it may also be invalid because it infringes the fundamental right to the protection of personal data under Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) and laid down in Article 8 of the Charter.
9. Against that background, the Verwaltungsgericht Gelsenkirchen has decided to stay the proceedings and, by an order for reference received by the Registry of the Court on 12 June 2012, to refer the following question to the Court for a preliminary ruling in accordance with Article 267 TFEU:
‘Is Article 1(2) of Council Regulation [No 2252/2004 as amended by Regulation No 444/2009] to be considered valid?’
IV – The procedure before the Court
10. The applicant in the main proceedings, Stadt Bochum, the German and Polish Governments, the European Parliament and the Council of the European Union, and also the Commission, have lodged written observations before the Court.
11. At the hearing, which was held on 13 March 2013, the applicant in the main proceedings, the German Government, the European Parliament, the Council and the Commission made oral submissions.
V – Legal assessment
12. I shall examine in turn the three alleged grounds of invalidity, namely: the lack of a legal basis, the existence of a procedural defect vitiating the adoption of Regulation No 2252/2004, as amended, and the alleged infringement of Article 8 of the Charter.
A – Alleged lack of a legal basis
13. Regulation No 2252/2004, like Regulation No 444/2009, has as its legal basis Article 62(2)(a) EC, which provides that ‘the Council, acting in accordance with the procedure referred to in Article 67, shall … adopt … (2) measures on the crossing of the external borders of the Member States which shall establish (a) standards and procedures to be followed by Member States in carrying out checks on persons at such borders’.
14. The applicant in the main proceedings submits that, generally, Article 18(3) EC (6) prohibited the Member States from adopting legislation relating to passports held by European citizens. In any case, legislation concerning passports held by citizens of the Union cannot be validly based on Article 62, for the phrase ‘checks on persons at such borders’ within the meaning of that article excludes measures concerning Union citizens alone. In addition, passports issued to citizens of the Union are not specifically used for checks at the Union’s external borders. Finally, the obligation to take fingerprints laid down by Article 1(2) of Regulation No 2252/2004, as amended, does not fall within the scope of Article 62(2)(a) EC because it is not covered by the words ‘standards or procedures to be followed by Member States in carrying out checks on persons at such borders’.
15. The submission relating to Article 18(3) EC must be dismissed immediately, that provision’s only effect being to prevent measures concerning passports from being adopted on the basis of the Treaty provisions relating to European citizenship and, more particularly, on the basis of Article 18(2) EC. On the other hand, Article 18(3) EC did not generally prohibit the institutions from adopting any legislation at all concerning passports.
16. The dispute concerning the exclusive use of Article 62(2)(a) EC as a legal basis is more cogent. Admittedly, the Court has already dealt with an action for the annulment of Regulation No 2252/2004, brought by the United Kingdom. (7) In that action, the question of the legal basis was barely touched upon by the Court, and only in a very general way. (8) The Court appears to have been in no doubt that Regulation No 2252/2004 was adopted on a correct legal basis. Nevertheless, the same question clearly having been put to the Court in the present reference for a preliminary ruling and concerning the validity of Article 1(2) of Regulation No 2252/2004, as amended, it must be considered in more detail in this Opinion.
17. In order to determine whether Article 62(2)(a) EC is apt to constitute the legal basis for the measure in question, it is necessary to bear in mind the Court’s repeated statement that, in relation to the European Union’s distribution of powers, ‘the choice of legal basis for a Community measure must rest on objective factors amenable to judicial review, including in particular the aim and the content of the measure’. (9) To make sure that Article 62(2)(a) EC is a sufficient legal basis for Regulation No 2252/2004, as amended, therefore, it is necessary first of all to determine the purpose and the content of that regulation in order to ascertain whether such purpose and content could be adequately defined in the context of a regulation adopted on that legal basis.
1. The content and purpose of Regulation No 2252/2004, as amended
18. With regard to its purpose, it is clear from the very title of Regulation No 2252/2004 that it is intended to lay down standards for security features and biometrics in passports and travel documents issued by the Member States.
19. The purpose of adding biometric data, including two fingerprints, to passports, at the same time as harmonising security features, is to establish a more reliable link between the holder and the passport and to protect it against falsification and fraudulent use, (10) and that was found by the Court to be the purpose of Regulation No 2252/2004. (11)
20. Furthermore, harmonising the standards for biometric data included in passports is intended to render coherent the approach within the Union regarding such data, particularly with reference to the rules applicable to visas issued to third-country nationals, (12) in order that passports issued to Union citizens ‘should not lag behind those [security standards] already achieved by fixing the technical specifications for the uniform format for visas and for residence permits for third country nationals’. (13)
21. Finally, recital 9 to Regulation No 2252/2004 refers to ‘the basic objective of introducing common security standards and interoperable biometric identifiers’ which makes it necessary, according to the Union legislature, to lay down rules for all Member States giving effect to the Convention implementing the Schengen Agreement of 14 June 1985. (14) Therefore Regulation No 2252/2004, as amended, also has the objective of ‘simplifying border controls’ (15) by the harmonisation of common security standards.
22. In my view, the essential objective of Regulation No 2252/2004, as amended, can be understood only if it is placed in the wider context of the system of which its adoption forms part, and particular attention must be paid to its relationship with the system created by the Schengen Agreement. Indeed, recitals 10 to 14 state that the regulation constitutes a development of provisions of the Schengen acquis, which the Court has had occasion to confirm. (16) It is within the framework of the acquis that the policy of integrated management of the external borders of the Member States taking part in the Schengen Agreement system, and in particular the rules on the crossing of external borders, have taken shape. By harmonising the content and the technical characteristics of the travel documents that citizens of the Union must have in their possession when crossing external borders, the legislature’s objective in the context of Regulation No 2252/2004, as amended, obviously contributes to the broader objective of making those borders secure.
23. From the viewpoint of its content, and entirely consistently with its objective, Regulation No 2252/2004, as amended, contains, therefore, three types of provisions. First, there are those concerning the obligation to take fingerprints as such, the exemptions from that obligation and the cases in which fingerprinting is impossible. (17) Secondly, there are the provisions relating to the general system attaching to the particulars contained in passports. (18) The other provisions and the annex to the regulation relate to the purely technical aspects of the minimum security standards with which the Member States must comply when issuing passports. Without claiming to be exhaustive, I shall merely mention the technical specifications of the storage medium, the type of record, the actual fingerprinting procedure, the methods for making data secure, printing techniques and the methods of reading and conserving data. (19) Accordingly Regulation No 2252/2004, as amended, ‘harmonises and improves the minimum security standards with which passports … issued by the Member States must comply, and provides for a number of biometric features relating to the holders of such documents to be inserted in those documents’. (20)
2. Whether Article 62(2)(a) EC is the appropriate legal basis for Regulation No 2252/2004, as amended.
24. Could the factors described above be adopted on the basis of Article 62(2)(a) EC? I believe so.
25. First, the matters harmonised by Regulation No 2252/2004, as amended, are intended to standardise content and security standards with regard to the passports issued by the Member States to European citizens. Contrary to what is submitted by the applicant in the main proceedings, it is not correct to argue that Article 62(2)(a) EC can serve as a legal basis only for measures relating to checks at the external borders for nationals of non-member States. The wording of Article 62 contains no such limitation as it merely refers to ‘checks on persons’. It is also clear from the Schengen acquis that Union citizens too are subject to a minimal check when crossing the external borders of the Union. (21) Such checks, like the more general strengthening of the safeguards at external borders, are a necessary corollary of there being no checks at the Union’s internal borders and are, at the same time, a sine qua non of enjoying full freedom of movement in the territory of the Union. Regulation No 2252/2004, as amended, therefore does indeed concern ‘checks on persons’ at external borders within the meaning of Article 62(2)(a) EC. (22)
26. Secondly, Regulation No 2252/2004 imposes an obligation on the Member States to issue passports with harmonised content and technical characteristics. By so doing, the Union legislature ensures that checks on Union citizens at external borders are carried out on the same basis and that citizens’ identities are checked by the national authorities at intermediate points on the basis of the same data. Therefore, the policy for the management of the external borders has been integrated even more by the legislature. (23) Making a homogeneous set of securitised data available to the police at the borders of the Union when they check the passports of citizens of the Union is intended to raise the security level of checks while at the same time facilitating them.
27. It is true that the obligation to take two fingerprints gives rise to an operation that has to be carried out before the check itself. Nevertheless, it plainly has an influence on the performance of the check itself. I therefore think it somewhat artificial to claim that provisions concerning the data included in passports that have to be checked when the external borders of the Union are crossed cannot be adopted on the legal basis of the checks themselves. A rational approach to the content and the interpretation of Article 62(2)(a) EC must lead to the conclusion that the obligation to take two fingerprints as laid down by Article1(2) of Regulation No 2252/2004, as amended, in so far as it is an inseparable preliminary to checks on Union citizens at external borders, is indeed covered by the concept of ‘standards and procedures to be followed by Member States in carrying out checks on persons at such borders’.
28. For all the reasons given above, I consider that Article 62(2)(a) EC is an appropriate legal basis for the adoption of Regulation No 2252/2004, as amended.
B – Alleged breach of the obligation to consult the Parliament
29. The measures having Article 62(2)(a) EC as their legal basis had to be adopted by the Council in accordance with the procedure laid down by Article 67 EC. At the date when Regulation No 2252/2004 was adopted, that procedure required the Parliament to be consulted. (24) The applicant in the main proceedings submits that that procedure was not followed in so far as the Parliament was consulted concerning a proposal for a regulation which gave the Member States a mere option of taking fingerprints whereas, in the final proposal, the option was converted into an obligation and the Parliament did not have to express an opinion on it.
30. It must straight away be observed that the procedural defect alleged by the applicant in the main proceedings refers to the procedure leading to the adoption of Article 1(2) of Regulation No 2252/2004. The question of validity raised by the referring court clearly relates to the validity of Article 1(2) of Regulation No 2252/2004, as amended. (25) It is common ground that the latter was adopted, in accordance with the possibility provided by Article 67(2) EC, following the procedure referred to by Article 251 EC, that is to say, the joint decision procedure. The procedural defect alleged by the applicant in the main proceedings is therefore not capable of affecting the validity of Article 1(2) of Regulation No 2252/2004, as amended.
31. None the less, and to put an end to any dispute on this point, I wish to make a few brief observations to show that Article 1(2) of Regulation No 2252/2004, in its original version, was not vitiated by a procedural defect.
32. First, the Court has repeatedly held that ‘the requirement to consult the European Parliament in the legislative procedure, in the cases provided for by the Treaty, means that it must be freshly consulted whenever the text finally adopted, taken as a whole, differs in essence from the text on which the Parliament has already been consulted’. (26) While it is true that the proposal for a Council regulation submitted by the Commission merely made it possible for the Member States to add fingerprints to the other data stored in passports (27) and that that option was converted into an obligation in the final version of the regulation, that conversion cannot constitute a substantive amendment within the meaning of the Court’s case-law, necessitating a further consultation of the Parliament. Whether the taking of fingerprints was optional or compulsory was not therefore the main question arising, for the Parliament had in any case to take into account the possibility that all the Member States could decide to exercise that option.
33. Secondly, the chronological details given to the Court show that the proposal for a regulation was transmitted to the Parliament on 25 February 2004. The political agreement within the Council to change the option of taking fingerprints into an obligation was reached on 26 October 2004. A new document accompanied by an information letter was transmitted by the Council to the Parliament on 24 November 2004. The Parliament’s opinion (28) was delivered on 2 December 2004, admittedly very shortly after it was transmitted, but the presence of a reference to new guidelines of the Council in the citations tends to show that the Parliament, at the time when it delivered its opinion, was fully informed of the change in the Council’s approach, to which the Parliament did not give any response whatsoever. Furthermore, the Parliament did not complain of any breach of the obligation to consult it nor did it dispute, in the course of the hearing, the additional details concerning the conduct of the consultation procedure relating to Regulation No 2252/2004.
34. For those reasons, and although I remain sure that the question of the validity of the procedure for the adoption of Article 1(2) of Regulation No 2252/2004 is irrelevant to the main proceedings, it must be concluded that the fact that the Parliament was not consulted again after the option of taking fingerprints for the purpose of storage in passports was converted into an obligation did not have the consequence of vitiating that adoption by a procedural defect.
C – Alleged infringement of the right to the protection of personal data
35. The reference for a preliminary ruling stating only that Article 1(2) of Regulation No 2252/2004, as amended, infringes also ‘the right to enter and leave, Article 17 of the International Covenant on Civil and Political Rights (ICCPR) and various principles of equality and non-discrimination rules’, without giving any reasons why the validity of that article should be examined in the light of those freedoms and principles or even ascertaining whether they are relevant to such checks, and given that the interested parties taking part in the procedure before the Court, including the applicant in the main proceedings, concentrated their observations on the infringement of the fundamental right to the protection of personal data, the following reasoning relates exclusively to the question of the validity of Article 1(2) of Regulation No 2252/2004, as amended, in relation to that fundamental right.
36. Under Article 8(1) of the Charter, everyone has the right ‘to the protection of personal data concerning him or her’. Fingerprints are obviously personal data. (29) More particularly, Article 8(2) provides that personal data ‘must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.’
37. Any limitation of that right must observe the requirements of Article 52(1) of the Charter. It must be provided for in law, respect the essence of those rights, observe the principle of proportionality, be necessary and effectively meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.
38. Before determining whether Article 1(2) of Regulation No 2252/2004, as amended, is valid in relation to Article 8 of the Charter, I wish to point out that the question of fundamental rights is by no means unconnected with the regulation. I shall then show that the infringement, in the form of the obligation to take and to store, for the purpose of reading them, the image of two fingerprints, of the fundamental right to the protection of personal data is provided for by law and pursues an objective of general interest recognised by the Union. Finally, I shall give my opinion on the proportionality of that infringement.
1. Preliminary remarks on the place of fundamental rights in the context of Regulation No 2252/2004, as amended
39. First of all, as recital 8 of Regulation No 2252/2004 states, with regard to the protection of data to be processed in the context of the issue of passports, Directive 95/46 applies. That directive, which is mentioned in the commentary on Article 8 of the Charter, lays down a number of fundamental principles, also laid down by the European Court of Human Rights. (30) For example, data must be processed fairly and lawfully, and collected for specified, explicit and legitimate purposes. Data must be adequate, relevant and not excessive in relation to the purposes for which they are collected. They must be accurate, kept up to date and not kept permanently. The directive also lays down the principle that the data subject’s consent is required for the processing of personal data, subject to a number of exceptions such as performance of a task carried out in the public interest or in the exercise of official authority or for the purpose of the legitimate interest pursued. (31) Another essential element is that the directive provides for a right of access for the persons concerned by the processing of personal data to information of various kinds, (32) a right to object, subject to certain conditions, (33) and a right to a judicial remedy. (34)
40. In addition, Article 1(a) of Regulation No 2252/2004, added by Regulation No 444/2009, expressly makes national procedures for the collection of biometric identifiers subject to observance of ‘the safeguards laid down in the [ECHR] and in the United Nations Convention on the Rights of the Child’ and requires those procedures to guarantee the dignity of the person concerned in the event of difficulties in collection.
41. The safeguards provided by Regulation No 2252/2004, as amended, must therefore be read in conjunction with those provided by Directive 95/46 and its references to the ECHR and to the dignity of individuals. The question of the validity of Article 1(2) of the regulation must therefore be considered bearing in mind those essential points.
2. The obligation in Article 1(2) of Regulation No 2252/2004, as amended, constitutes an infringement of the fundamental right to the protection of personal data provided for by law and pursuing an objective of general interest recognised by the Union
42. On the one hand, compulsory fingerprinting by the competent national authorities in the conditions described in Article 1(2) of Regulation No 2252/2004, as amended, their recording and storage in passports, and also the right of the border police to read the data without the consent of the person concerned, obviously constitute an infringement of the right conferred by Article 8 of the Charter. Applicants cannot oppose the taking and storage of their fingerprints unless they [are willing to] give up the possession of a passport and, consequently, to give up travel in most non-member states.
43. On the other hand, in the first place the infringement resulting from the compulsory taking of fingerprints must be regarded as ‘provided for by law’ within the meaning of Article 52(1) of the Charter, for fingerprinting is expressly provided for by Article 1(2) of Regulation No 2252/2004, as amended, which also meets the requirements of accessibility, clarity and foreseeability laid down by the case-law of the European Court of Human Rights. (35)
44. In the second place, as I have already said, (36) the essential general objective pursued by Regulation No 2252/2004, as amended, is to secure external borders by implementing a policy of integrated management of those borders. In addition, the inclusion of fingerprints stored in a secured support in passports is intended to make the connection between the holder of the document and the document itself more reliable and, thereby, to make forgery and fraudulent use, and therefore, illegal immigration, more difficult. The step taken by the legislature was all the more important in relation to the progressive establishment of an area of freedom, security and justice (37) and, as I have already said, because of there being no checks at the internal borders of the Union.
45. It seems clear to me that all those ‘secondary’ objectives contribute to the attainment of the general objective referred to above. It must therefore be concluded that, by making it compulsory to take two fingerprints for the purpose of recording and storage in passports, Article 1(2) of Regulation No 2252/2004, as amended, pursues an objective of general interest recognised by the Union.
3. Proportionality of the infringement
46. The limitation of the fundamental right to the protection of personal data must still observe the principle of proportionality, that is to say, it must be necessary and must actually serve the objective pursued.
(a) The limitation is appropriate for pursuing the objective of general interest recognised by the Union
47. On that point, the applicant in the main proceedings submits that the compulsory taking of the fingerprints of citizens of the Union applying for a passport is not a suitable means of attaining the objective pursued and doubts whether it makes an effective contribution to securing the external borders. In essence, the applicant submits that the biometric method chosen has been found particularly unsatisfactory and is any case of limited use to citizens of the Union whose fingerprints cannot be taken on grounds of illness, injury or yet burns. According to the applicant, the biometric method cannot guarantee attainment of the objective pursued because of the intrinsic fragility of the storage chip, whose life is much shorter than the period of validity of the passport. Finally, that method has a significant error rate and is not sure enough to guarantee an absolutely reliable connection between the legitimate holder of the passport and the document itself.
48. However, there seems to be little doubt that, in itself, the addition of biometric data in a passport necessarily, and not only, makes falsification of the passport more difficult, while the process of identification of the legitimate holder is made surer as the authorities responsible for checks at the Union’s external borders now have two biometric features at their disposal in addition to the facial image. (38) There is also no doubt that the biometric data in question are suitable for distinguishing and identifying individuals, save for rare exceptions.
49. With regard to the argument concerning the method’s fallibility, it is true that recognition by means of a comparison of fingerprints is not a 100% reliable method of identification and therefore it has an error rate above 0%. (39) Furthermore, nobody would venture to argue that the passport technically described by Regulation No 2252/2004, as amended, cannot be falsified. However, it is clear that the Union legislature played its part fully by seeking to make the forger’s task more complicated by adding two biometric features and by closer harmonisation of the security features. In other words, the fact that the biometric method chosen is fallible and does not have the effect of making the passport a document which cannot be falsified at all or which resists any attempt at destruction cannot result in making it unsuitable for the attainment of the objective pursued, for – let me repeat – no infallible method has yet been found. In certain ways, moreover, fallibility is offset by measures easing the obligation to take fingerprints. For example, where fingerprinting is not satisfactory for the purpose of identification, as is the case for children, the Union legislature has laid down a system of exemptions. (40)
(b) Article 1(2) of Regulation No 2252/2004, as amended, is necessary to the attainment of the objective of general interest recognised by the Union
50. Here it is necessary to ascertain whether the institutions ‘balanced the Union’s interest’ (41) in strengthening the security of its external borders against the infringement of the protection of the personal data of Union citizens wishing to obtain a passport. However, ‘derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary,’ (42) so that there must exist no measure that is as effective as, but less prejudicial than, that which derogates from the fundamental right to the protection of personal data.
51. In the arguments presented to the Court there was much discussion of, in particular, the justification for the legislature’s choice of the biometric method of comparing fingerprints. According to the applicant in the main proceedings, the legislature did not put forward and expound, particularly from the statistical viewpoint, the reasons why it found it necessary, when adopting Regulations No 2252/2004 and No 444/2009, to require the Member States to include two fingerprints in passports. Finally, the applicant challenges any use of a biometric method, except the facial image, and even the necessity of identifying citizens of the Union as accurately as possible at its external borders. (43) He is particularly concerned by the possibility of fingerprint images being appropriated unknown to their owners, which would make the images rather unsecure data (44) because every act in our daily life entails leaving behind our fingerprints. Furthermore, the inadequate security level of the storage chip does not ensure that biometric data will be read only by authorised authorities. Finally, the degree of prejudice to the fundamental right guaranteed by Article 8 of the Charter is not to be borne, because, first, it affects all citizens of the Union for a period of 10 years, that is to say, the whole of the period of validity of the passport; secondly, interference is repeated at every external border control; third, there is a real risk that biometric data would be kept in files and, fourth, identification by fingerprints could give rise to deviations and a risk of stigmatising of certain categories of persons. For all those reasons, the applicant considers that the interference with the fundamental right is disproportionate to the difficulties actually encountered in checks at the external borders of the Union, whether in relation to the identification of citizens of the Union or to the prevention of attempts to enter Union territory illegally with the aid of a forged passport.
52. Although the explanatory memorandum of Regulation No 2252/2004 does not show any particular reasons why the legislature chose to include fingerprint images, it explains clearly the need for a coherent approach to passports of citizens of the Union with reference to travel documents issued to nationals of non-member States. (45) With regard to the latter documents, the inclusion of fingerprints had already been provided for. (46) The explanatory memorandum also refers to the results of the work of the ICAO (International Civil Aviation Organisation), which ‘has also chosen the facial image as the primary interoperable biometric identifier and fingerprint and/or iris images’. (47) In any case, all the opinions which have been delivered on the subject of the inclusion of biometric data other than the facial image, whether by the European Data Protection Supervisor (48) or by the Article 29 Working Group, (49) have warned the institutions of the intrinsic risks in using biometrics generally, but have never called into question the actual choice of the fingerprint image. All the opinions unanimously pointed out that the character of biometric data, which are by nature sensitive, necessitates specific safeguards, but never claimed that the choice of fingerprints as an additional biometric feature to be included in travel documents is entirely irrelevant. Finally, taking into account the fact that, in principle, every individual can easily provide an image of his or her fingerprints and that fingerprints are unusual in that they are a person’s own, the legislature, legitimately, in my opinion, took the view that fingerprints are a biometric identification element capable of making the connection between the passport and its holder more reliable, while at the same time making it more difficult to attempt to make fraudulent use of a passport or falsify it.
53. Therefore it appears that the hypothesis of a manifest error on the part of the Union legislature – the only error that could give rise to a valid challenge when, as here, ‘in an area of evolving and complex technology … the European Union legislature has a broad discretion, in particular as to the assessment of highly complex scientific and technical facts in order to determine the nature and scope of the measures which it adopts’ (50) – must be dismissed, particularly because the Court may not, in such a context, substitute its own assessment for that of the legislature, to which that task has been assigned by the Treaty.
54. Regarding the existence of alternative measures less prejudicial to the fundamental right to the protection of personal data, the use of iris recognition cannot be considered less prejudicial. It has, in addition, a certain number of disadvantages connected both to the intrinsic cost of that method, which is patented, and to the risk to health arising from the process of scanning the iris and, also, with the fact that matching the iris slows down checks at the Union’s external borders. (51) The inclusion of the facial image alone is no doubt less prejudicial but, in view of changes in physical appearance which it cannot show, it is not as efficient when officers at border checks need to confirm a person’s identity and his or her legitimate connection with the passport presented.
55. As regards the argument that third parties or non-member States could possibly recover data, (52) I shall merely point out that, in relation to the former, the risks do not seem to me to be any less in the case of a system in which the check is based on the facial image alone. As regards non-member States, I do not agree with the applicant that Article 1(2) of Regulation No 2252/2004, as amended, causes citizens of the Union to be exposed to the risk of abuse in those states. On that point, it is sufficient to observe that the Union has no influence on the formalities with which its citizens are obliged to comply when entering non-member States.
(c) Final remarks
56. It is necessary to collect and store the image of only two fingerprints. Only those citizens of the Union who wish to travel outside the Union’s internal borders are obliged to have their fingerprints taken. Those data may be used only for strictly determined purposes: Regulation No 2252/2004, as amended, states that the biometric features are ‘only to be used for verifying’ the authenticity of the passport and the identity of the holder. (53) The data are contained in the single secure storage medium in the passport, which means that in principle the Union citizen is the only holder of the image of his fingerprints. That regulation cannot serve as the legal basis – and this is an essential point ‑ for the Member States to set up data bases storing information. (54) The period for which the image of fingerprints is stored in the passport also appears limited because it is the same as the period of validity of the passport.
57. In any case, checking whether fingerprints match is not done systematically but depending on contingencies, for example, if the check on the basis of the facial image alone and of the data in the passport does not eliminate all doubt as to the authenticity of the passport and/or the identity of the holder. The (secure) data are taken by qualified and duly authorised staff (55) and only the authorised authorities with appropriate equipment may have access to read the data. (56) The individual whose fingerprints have been taken and stored has a right of verification, rectification and erasure. (57) Finally, in order to limit the drawbacks that may arise from the flaws and limitations of the method and of the technology, it is provided that ‘the failure of the matching in itself shall not affect the validity of the passport … for the purpose of the crossing of external borders’ (58) and exemptions are laid down for children under the age of 12 and persons for whom fingerprinting is physically or temporarily impossible. (59) By providing such derogations and exemptions, the Union legislature took care to protect the dignity of individuals.
58. Therefore, yes, identification by comparison of fingerprints is a technique which has its limits and, no, I cannot say that Regulation No 2252/2004, as amended, established a system which makes it possible to rule out absolutely any risk, including risks of fraudulent use and forgery. However, I consider, bearing in mind all the foregoing considerations and the precautions that have been taken, that the legislature has taken all the measures necessary in order to ensure, so far as practically possible, the fair and lawful processing of personal data required for the issue of a passport. It cannot be denied that, by its measured attitude, the legislature has balanced the interests of the Union involved.
59. Consequently, the manifest infringement by Article 1(2) of Regulation No 2252/2004, as amended, of the fundamental right to the protection of personal data must be judged proportionate.
VI – Conclusion
60. In the light of the foregoing considerations I therefore propose that the Court give the following answer to the question submitted by the Verwaltungsgericht Gelsenkirchen:
Examination of the question referred has revealed nothing capable of affecting the validity of Article 1(2) of Council Regulation No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States, as amended by Article 1 of Regulation (EC) No 444/2009 of the European Parliament and of the Council of 28 May 2009.