CURIA - Documents

Home > Search form > List of results > Documents

Start printing

Language of document : ECLI:EU:C:2023:520

OPINION OF ADVOCATE GENERAL

MEDINA

delivered on 29 June 2023(1)

Case C‑61/22

Landeshauptstadt Wiesbaden

(Request for a preliminary ruling from the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden, Germany))

(Reference for a preliminary ruling – Regulation (EU) 2019/1157 – Strengthening the security of identity cards of EU citizens – Article 3(5) – Obligation to collect fingerprints and store them on a highly secure storage medium – Validity – Legal basis – Article 21(2) TFEU – Article 77(3) TFEU – Charter of Fundamental Rights of the European Union – Articles 7 and 8 – Respect for private and family life – Protection of personal data – Article 52(1) – Principle of proportionality – General Data Protection Regulation – Article 35(10) – Data protection impact assessment)

I. Introduction

1. This request for a preliminary ruling concerns the validity of Article 3(5) of Regulation 2019/1157, (2) which sets out the obligation to include, on a highly secure storage medium, an image of the fingerprints of the holder in any identity card newly issued by the Member States. (3) The request has been made in the course of a dispute between RL and the Landeshauptstadt Wiesbaden (State Capital Wiesbaden, Germany), concerning an administrative decision by which the latter refused to issue an identity card without a fingerprint image being stored in its chip.

2. By its request, the referring court wishes to ascertain, first, whether the appropriate basis for the adoption of Regulation 2019/1157 was Article 21(2) TFEU, second, whether Article 3(5) of that regulation is compatible with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (‘the Charter’), read in conjunction with Article 52(1) thereof, and, third, whether the said regulation is in conformity with the obligation to carry out a data protection impact assessment under Article 35(10) GDPR. (4)

3. Notwithstanding the differences between identity cards and passports, the case represents a thematic extension of the judgment in Schwarz. (5) In that judgment, the Court examined the validity of Article 1(2) of Regulation No 2252/2004, (6) which provides for the mandatory collection and storage of fingerprints on passports and other travel documents issued by Member States. (7)

II. Legal framework

A. European Union law

1. Regulation 2019/1157

4. Recitals 1, 2, 3, 4, 5, 15, 17, 18, 21 and 28 of Regulation 2019/1157 state:

‘(1) The Treaty on the European Union (TEU) resolved to facilitate the free movement of persons while ensuring the safety and security of the peoples of Europe, by establishing an area of freedom, security and justice, in accordance with the provisions of the TEU and of the Treaty on the Functioning of the European Union (TFEU).

(2) Citizenship of the Union confers on every citizen of the Union the right of free movement, subject to certain limitations and conditions. [Directive 2004/38] [(8)] gives effect to that right. Article 45 of [the Charter] also provides for freedom of movement and residence. Freedom of movement entails the right to exit and enter Member States with a valid identity card or passport.

(3) Pursuant to [Directive 2004/38], Member States are to issue and renew identity cards or passports to their nationals in accordance with national laws. …

(4) [Directive 2004/38] provides that Member States may adopt the necessary measures to refuse, terminate or withdraw any right conferred by that Directive in the case of abuse of rights or fraud. Document forgery or false presentation of a material fact concerning the conditions attached to the right of residence have been identified as typical cases of fraud under that Directive.

(5) Considerable differences exist between the security levels of national identity cards issued by Member States and residence permits for Union nationals residing in another Member State and their family members. Those differences increase the risk of falsification and document fraud and also give rise to practical difficulties for citizens when they wish to exercise their right of free movement. …

…

(15) … Improved identity cards should ensure easier identification and contribute to better access to services.

…

(17) Security features are necessary to verify if a document is authentic and to establish the identity of a person. The establishment of minimum security standards and the integration of biometric data in identity cards … are important steps in rendering their use in the Union more secure. The inclusion of such biometric identifiers should allow Union citizens to fully benefit from their rights of free movement.

(18) The storage of a facial image and two fingerprints (“biometric data”) on identity and residence cards, as already provided for in respect of biometric passports and residence permits for third-country nationals, represents an appropriate combination of reliable identification and authentication with a reduced risk of fraud, for the purpose of strengthening the security of identity and residence cards.

…

(21) This Regulation does not provide a legal basis for setting up or maintaining databases at national level for the storage of biometric data in Member States, which is a matter of national law that needs to comply with Union law regarding data protection. Moreover, this Regulation does not provide a legal basis for setting up or maintaining a centralised database at Union level.

…

(28) The introduction of minimum security and format standards for identity cards should allow Member States to rely on the authenticity of those documents when Union citizens exercise their right of free movement. The introduction of reinforced security standards should provide sufficient guarantees to public authorities and private entities to enable them to rely on the authenticity of identity cards when used by Union citizens for identification purposes.’

5. Article 1 of Regulation 2019/1157, under the title ‘Subject matter’, provides:

‘This Regulation strengthens the security standards applicable to identity cards issued by Member States to their nationals … when exercising their right to free movement.’

6. Article 3 of Regulation 2019/1157, under the title ‘Security standards/format/specifications’, stipulates:

‘1. Identity cards issued by Member States shall be produced in ID-1 format and shall contain a machine-readable zone (MRZ). Such identity cards shall be based on the specifications and minimum security standards set out in ICAO Document 9303 and shall comply with the requirements set out in points (c), (d), (f) and (g) of the Annex to Regulation (EC) No 1030/2002 as amended by Regulation (EU) 2017/1954.

…

5. Identity cards shall include a highly secure storage medium which shall contain a facial image of the holder of the card and two fingerprints in interoperable digital formats. For the capture of biometric identifiers, Member States shall apply the technical specifications as established by Commission Implementing Decision C(2018) 7767. [(9)]

6. The storage medium shall have sufficient capacity and capability to guarantee the integrity, the authenticity and the confidentiality of the data. The data stored shall be accessible in contactless form and secured as provided for in Implementing Decision C(2018) 7767. Member States shall exchange the information necessary to authenticate the storage medium and to access and verify the biometric data referred to in paragraph 5.

7. Children under the age of 12 years may be exempt from the requirement to give fingerprints.

Children under the age of 6 years shall be exempt from the requirement to give fingerprints.

Persons in respect of whom fingerprinting is physically impossible shall be exempt from the requirement to give fingerprints.

…’

7. Article 10 of Regulation 2019/1157, entitled ‘Collection of biometric identifiers’, provides:

‘1. The biometric identifiers shall be collected solely by qualified and duly authorised staff designated by the authorities responsible for issuing identity cards or residence cards, for the purpose of being integrated into the highly secure storage medium provided for in Article 3(5) for identity cards …

With a view to ensuring the consistency of biometric identifiers with the identity of the applicant, the applicant shall appear in person at least once during the issuance process for each application.

2. Member States shall ensure that appropriate and effective procedures for the collection of biometric identifiers are in place and that those procedures comply with the rights and principles set out in the Charter, the Convention for the Protection of Human Rights and Fundamental Freedoms and the United Nations Convention on the Rights of the Child.

…

3. Other than where required for the purpose of processing in accordance with Union and national law, biometric identifiers stored for the purpose of personalisation of identity cards or residence documents shall be kept in a highly secure manner and only until the date of collection of the document and, in any case, no longer than 90 days from the date of issue. After this period, these biometric identifiers shall be immediately erased or destroyed.’

8. Article 11 of Regulation 2019/1157, entitled ‘Protection of personal data and liability’, reads as follows:

‘1. Without prejudice to [the GDPR], Member States shall ensure the security, integrity, authenticity and confidentiality of the data collected and stored for the purpose of this Regulation.

2. For the purpose of this Regulation, the authorities responsible for issuing identity cards and residence documents shall be considered as the controller referred to in Article 4(7) of [the GDPR] and shall have responsibility for the processing of personal data.

3. Member States shall ensure that supervisory authorities can fully exercise their tasks as referred to in [the GDPR], including access to all personal data and all necessary information as well as access to any premises or data processing equipment of the competent authorities.

…

5. Information in machine-readable form shall only be included in an identity card … in accordance with this Regulation and the national law of the issuing Member State.

6. Biometric data stored in the storage medium of identity cards and residence documents shall only be used in accordance with Union and national law, by the duly authorised staff of competent national authorities and Union agencies, for the purpose of verifying:

(a) the authenticity of the identity card or residence document;

(b) the identity of the holder by means of directly available comparable features where the identity card or residence document is required to be produced by law.

…’

2. The GDPR

9. Article 6 GDPR, under the heading ‘Lawfulness of processing’, reads as follows:

‘1. Processing shall be lawful only if and to the extent that at least one of the following applies:

…

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

…’

10. Article 35 GDPR, under the title ‘Data protection impact assessment’, provides:

‘1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

…

10. Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it to be necessary to carry out such an assessment prior to processing activities.’

3. Directive 2004/38

11. Article 4 of Directive 2004/38, under the heading ‘Right of exit’, provides:

‘1. Without prejudice to the provisions on travel documents applicable to national border controls, all Union citizens with a valid identity card or passport and their family members who are not nationals of a Member State and who hold a valid passport shall have the right to leave the territory of a Member State to travel to another Member State.

…’

12. Article 5 of Directive 2004/38, under the title ‘Right of entry’, stipulates:

‘1. Without prejudice to the provisions on travel documents applicable to national border controls, Member States shall grant Union citizens leave to enter their territory with a valid identity card or passport and shall grant family members who are not nationals of a Member State leave to enter their territory with a valid passport.

…’

B. National law

13. The Gesetz über Personalausweise und den elektronischen Identitätsnachweis (Law on identity cards and electronic proof of identity) (10) transposes the obligation laid down in Article 3(5) of Regulation 2019/1157 into German law.

14. Paragraph 1(1) of the PAuswG, under the title ‘Duty of identification; right of identification’, provides:

‘Germans as defined in Article 116(1) of the Basic Law shall be required to possess an identity card once they have reached the age of 16 and are subject to the general registration requirement, or if not subject to this requirement, then if they mainly reside in Germany. They must present their identity card at the request of an authority entitled to check identification. Identity card holders may not be required to deposit their identity card or otherwise surrender possession. This shall not apply to authorities entitled to check identification nor in case of withdrawal or confiscation.’

15. Paragraph 5(9) of the PAuswG, headed ‘Issuance of the identity card’, provides:

‘The two fingerprints of the applicant to be stored on the electronic storage medium pursuant to [Regulation 2019/1157] shall be stored on the electronic storage and processing medium of the identity card in the form of the flat print of the left and right index fingers. If an index finger is missing, if the quality of the fingerprint is insufficient or if the fingertip is injured, the flat print of either the thumb, the middle finger or the ring finger shall be stored as a substitute. Fingerprints shall not be stored if the taking of fingerprints is impossible for medical reasons which are not of a temporary nature.’

III. The facts in the main proceedings and the question referred

16. In November 2021, RL applied to the Landeshauptstadt Wiesbaden for the issuance of a new identity card, claiming that the chip in his old identity card was defective. In his application, RL specifically asked for that card to be issued without the inclusion of a fingerprint image in its chip.

17. The Landeshauptstadt Wiesbaden refused RL’s application, on the ground, first, that, according to German law, an identity card remains valid even if its chip is defective. As RL was already in possession of a valid identity document, he was not entitled to the issuance of a new identity card. Second, the Landeshauptstadt Wiesbaden considered that, in any case, the identity card could not be issued without the holder’s fingerprint image, given that, since 2 August 2021, it had become mandatory under Article 5(9) of the PAuswG to store a fingerprint image in the chip of new identity cards.

18. RL brought an action before the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden, Germany), the referring court in the present case, seeking an order requiring the competent authority to issue him a new identity card without a fingerprint image stored in it.

19. The referring court harbours doubts as to the validity of Article 3(5) of Regulation 2019/1157, which constitutes the basis for Article 5(9) of the PAuswG and, therefore, for the mandatory nature of the collection and storage of fingerprints in German identity cards. In that respect, that court recalls that, according to Article 3(5) of Regulation 2019/1157, identity cards issued by Member States must include a highly secure storage medium containing a facial image of the holder of the card and two fingerprints in interoperable digital formats.

20. In particular, the referring court cites three grounds of invalidity of Article 3(5) of Regulation 2019/1157.

21. First, the referring court questions whether Regulation 2019/1157 ought to have been adopted on the basis of Article 77(3) TFEU, which provides for the application of a special legislative procedure under which the Council decides unanimously, rather than on the basis of Article 21(2) TFEU, which pertains to the ordinary legislative procedure, involving the co-decision of the European Parliament and the Council of the European Union. The referring court points out that, in the judgment in Schwarz, the Court considered that Article 62(2)(a) TEC, that is to say, the provision which subsequently became Article 77(3) TFEU, was an appropriate legal basis for adopting Regulation No 2252/2004, which prescribes the compulsory collection and storage of EU citizens’ fingerprints in passports. That court wonders therefore whether the same legal basis should have been used for the adoption of Regulation 2019/1157.

22. Second, the referring court has doubts as to the compatibility of Article 3(5) of Regulation 2019/1157 with Articles 7 and 8 of the Charter. That court notes that the mandatory collection and storage of fingerprints in identity cards constitute, in the light of the judgment in Schwarz, a limitation of the rights recognised by those two provisions. In addition, in its view, that limitation would not satisfy the conditions laid down in Article 8(2) and Article 52(1) of the Charter and would thus not be justified. More specifically, the referring court questions whether Article 3(5) of Regulation 2019/1157 pursues a legitimate interest and whether the obligation arising from that provision can be considered as appropriate, necessary and proportionate.

23. Third, the referring court expresses concerns regarding the obligation to conduct a data protection impact assessment, laid down in Article 35(10) GDPR. In particular, that court notes, by reference to the opinion issued by the European Data Protection Supervisor on the proposal of a regulation, (11) that that provision applies to the processing of fingerprints prescribed in Regulation 2019/1157. However, such an assessment was not carried out by the EU legislature when adopting that regulation.

24. It is in those circumstances that the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden) decided to stay the proceedings and to refer the following question to the Court of Justice for a preliminary ruling:

‘Does the obligation to take fingerprints and store them in identity cards in accordance with Article 3(5) of [Regulation 2019/1157] infringe higher-ranking EU law, in particular

(a) Article 77(3) TFEU

(b) Articles 7 and 8 of the Charter

and is it therefore invalid on one of those grounds?’

25. The request for a preliminary ruling was lodged at the Registry of the Court of Justice on 1 February 2022. Written observations were submitted by the German, Spanish and Polish Governments, the Parliament, the Council and the European Commission, as well as by the applicant in the main proceedings. A hearing was held on 14 March 2023.

IV. Assessment

26. By its question, the referring court seeks to ascertain whether Regulation 2019/1157 is valid in the light of EU law. It asks, in particular:

– first, whether Article 21(2) TFEU was an appropriate legal basis for the adoption of Regulation 2019/1157 and, in particular, Article 3(5) thereof, in accordance with the ordinary legislative procedure referred to therein;

– second, whether Article 3(5) of Regulation 2019/1157 is compatible with Articles 7 and 8 of the Charter, read in combination with Article 52(1) thereof; and,

– third, whether Article 3(5) of Regulation 2019/1157 is in conformity with the obligation to carry out a data protection impact assessment under Article 35(10) GDPR.

27. I shall assess each of those various grounds of invalidity in turn.

A. Legal basis for the adoption of Regulation 2019/1157

28. The first ground of invalidity relates to the legal basis for the adoption of Regulation 2019/1157. In essence, the referring court has doubts as to whether that regulation ought to have been adopted on the basis of Article 77(3) TFEU rather than Article 21(2) of the same Treaty. Beyond the choice, from a formal perspective, of the appropriate legal basis for Regulation 2019/1157 stands the alternative legislative procedure that is applicable under either provision.

29. Article 21 TFEU is contained in Part Two thereof, dedicated to ‘Non-discrimination and citizenship of the Union’. In paragraph 1, that article provides that every citizen of the Union must have the right to move and reside freely within the territory of the Member States, subject to the limitations and conditions laid down in the Treaties and by the measures adopted to give them effect. In turn, Article 21(2) TFEU provides for the possibility for the Union to adopt provisions with a view to facilitating the exercise of that right if action to attain that objective proves necessary and the Treaties have not provided the necessary powers. In that case, the ordinary legislative procedure, which involves co-decision by the Parliament and the Council, applies.

30. By contrast, Article 77(3) TFEU, which relates to ‘Policies on border checks, asylum and immigration’, is to be found in Title V of Part Three of the same Treaty, dedicated to ‘Area of freedom, security and justice’. It stipulates that, if action by the Union should prove necessary to facilitate the exercise of the right referred to in Article 20(2)(a) TFEU – the right to move and reside freely within the territory of the Member States – the Council may adopt provisions concerning, inter alia, passports and identity cards. The application of Article 77(3) TFEU is also dependant, according to its wording, on the absence of the necessary powers provided by the Treaties. In that case, a special legislative procedure applies, in which the Council acts unanimously after consultation of the Parliament.

31. The settled case-law of the Court of Justice holds that the choice of legal basis for an EU measure must rest on objective factors that are amenable to judicial review; these include the aim and content of that measure. (12) In addition, the Court has established that, to determine the appropriate legal basis for an EU measure, the legal framework within which new rules are situated may be taken into account, in particular in so far as that framework is capable of shedding light on the purpose of those rules. (13)

32. As to the present case, I would like to point out, from the outset, that the circumstance that, in the judgment in Schwarz, Article 77(3) TFEU was considered the appropriate legal basis for Regulation No 2252/2004, which establishes the mandatory collection and storage of fingerprints in passports of EU citizens, (14) is not in itself conclusive, contrary to the view taken by the referring court, for the purposes of determining whether the adoption of Regulation 2019/1157 was correctly based on Article 21(2) TFEU. Indeed, the Court has consistently held, in line with the case-law cited above, that it is the aim and content of the measure under examination that must be taken into account in order to ascertain its correct legal basis, and not the legal basis of other EU measures that might display similar characteristics. (15)

33. Regarding, on the one hand, the aim of Regulation 2019/1157, I observe that Article 1 thereof, under the heading ‘Subject matter’, provides that that regulation strengthens the security standards applicable, inter alia, to identity cards issued by Member States to their nationals when exercising their right to free movement. That provision gives normative expression to recitals 1 to 5 of that regulation, which, by reference to the Treaty on EU, the Treaty on FEU, Article 45 of the Charter and Directive 2004/38, evoke the aim of facilitating the exercise of the right of EU citizens to free movement in a secure environment. (16)

34. In particular, recital 4 of Regulation 2019/1157 notes that document forgery or false presentation of a material fact concerning the conditions attached to the right of residence have been identified as typical cases of fraud related to free movement. Moreover, recital 5 of Regulation 2019/1157 declares that document forgery and fraud results from the considerable differences existing between the security levels of national identity cards issued by the Member States. Those differences, according to that same recital, increase the risk of falsification and document fraud and give rise to practical difficulties for citizens when they wish to exercise their right to free movement. Last, recital 28 of Regulation 2019/1157 states that the introduction of reinforced security standards should provide sufficient guarantees to public authorities and private entities to enable them to rely on the authenticity of identity cards when used by EU citizens for identification purposes.

35. Regarding, on the other hand, the content of Regulation 2019/1157, the mandatory collection and storage of a fingerprint image provided for by that regulation, which is at issue in the present case, is part of a wider group of measures applicable to newly issued national identity cards, which are, for the most part, listed in Article 3 under the heading ‘Security standards/format/specifications’.

36. When read in the light of recital 17 of Regulation 2019/1157, it is apparent that those measures are intended to serve security purposes necessary for verifying whether a document is authentic and to establish the identity of a person. (17) Recital 18 of Regulation 2019/1157 further explains, in that regard, that the storage of biometric data in identity cards – a facial image and an image of two fingerprints – represents an appropriate combination of reliable identification and authentication with a reduced risk of fraud, for the purpose of strengthening the security of identity cards.

37. It follows from the foregoing that the aim envisaged by the Parliament and the Council for Regulation 2019/1157 was essentially to facilitate the right of EU citizens to travel to and reside in any Member State with their identity card and to rely on that card as an authentic and reliable proof of identity. Those are also the terms used by the Commission in its proposal for a regulation, (18) which emphasises, as does Regulation 2019/1157, the need to reduce the risk of falsification and document fraud in order to improve the acceptance of those cards in Member States other than that issuing them. (19) That aim was to be achieved, in view of the provisions contained in Regulation 2019/1157, by incorporating, into national identity cards, common security features, categorised by that same regulation as (i) minimum security standards and formats and (ii) reinforced security standards. (20) The latter category included the compulsory collection of fingerprints and the storage of an image of them on a highly secure medium.

38. The question remains whether, in the light of the aim and content of Regulation 2019/1157, as I have already described, the EU legislature was right to consider Article 21(2) TFEU as the appropriate legal basis for the adoption of that regulation. Bearing in mind the wording of that provision, referred to in point 29 above, that question would require the Court to examine, first, whether Regulation 2019/1157 can be considered as having been correctly adopted with a view to facilitating the exercise of the right to move and reside freely within the territory of the Member States; second, whether action by the Union was necessary to attain that objective; and, third, whether the Treaties did not provide the necessary powers.

1. Facilitation of the exercise of the right to free movement

39. As regards, in the first place, whether Regulation 2019/1157 was correctly adopted with a view to facilitating the exercise of the right to free movement, it is important to recall that, according to Article 4 of Directive 2004/38, all EU citizens have the right to leave the territory of a Member State to travel to another Member State (‘right of exit’). Similarly, according to Article 5 of that directive, Member States must grant EU citizens leave to enter their territory (‘right of entry’). As has been made apparent by Directive 2004/38 – and reiterated by recital 2 of Regulation 2019/1157 – both rights constitute the essence of the right to free movement and, as such, one of the pillars of EU citizenship.

40. Under those provisions, however, exercise of the right of exit and the right of entry is dependent on the requirement of presenting a valid identity card or a valid passport. As the Court has indicated in its case-law, that requirement aims to simplify the resolution of problems relating to evidence of the right of residence, for EU citizens as well as for national authorities. (21) Consequently, the trust of the Member States in welcoming an EU citizen to their respective territories and, ultimately, the exercise of the right to free movement by that citizen depends on the reliability of his or her identity card or passport in terms of authenticity and identification. (22) That is all the more true, as it results from recital 4 of Regulation 2019/1157, since Directive 2004/38 allows Member States to refuse, terminate or withdraw any right conferred by that directive in the case of fraud. (23)

41. Moreover, it is important to bear in mind that the exercise of the right to free movement is not limited to border checks (24) or administrative registration, as the applicant primarily argues. The right to free movement and residence allows EU citizens to immerse themselves in the daily life of the other residents of the host Member State. National identity cards thus display the same functions as they do for those residents, which means that only a reliable and authentic proof of identity, issued in accordance with common security standards and formats, facilitates full enjoyment of free movement. Without such common standards and formats, and given the lack of homogeneity of current national identity cards within the European Union, as I shall address later, (25) obstacles and difficulties may arise more easily, which is the main concern described in recital 5 of Regulation 2019/1157.

42. Illustrative in that regard is the use of national identity cards for accessing services provided by public or private entities in the host Member State, especially where a piece of identification is required by national law for such identification purposes. That is the case, for instance, when accessing public services such as health care or when dealing with banks, airlines, entertainment venues, hotels and other hospitality establishments, and so on. Moreover, the use of national identity cards is essential for enjoying rights closely connected to the right of free movement and residence, such as the right to vote and stand as a candidate in European and municipal elections. (26)

43. In that context, I find it difficult to argue, in the light of the aim and content of Regulation 2019/1157, that that regulation bears no relation to the objective of facilitating the exercise of the right to free movement. Quite the opposite: homogenisation of the format of national identity cards and improvement of their reliability through security standards, including those introduced by Article 3(5) of Regulation 2019/1157, directly impact the exercise of that right, by rendering those cards more trustworthy – both from a technical point of view and in terms of public perception, as the Commission quite rightly notes – and, as such, more easily accepted by the authorities of the Member States and entities providing services. (27) In the end, it amounts to a reduction in inconvenience, costs and administrative barriers for mobile EU citizens.

44. I would briefly add that, even though passports, which are already subject to the mandatory collection and storage of fingerprints under Regulation No 2252/2004, are documents which can alternatively be employed for the exercise of the right to free movement by EU citizens, that does not exclude national identity cards from serving that same purpose by virtue of Directive 2004/38 (28) and that, from the perspective of the EU legislature, those cards could require more harmonised formats and more robust security standards in order to make them more reliable and, consequently, more easily accepted.

45. The first condition of Article 21(2) TFEU, that is to say, the requirement for Regulation 2019/1157 to have been correctly adopted with a view to facilitating the exercise of the right to move and reside freely within the territory of the Member States, is therefore, in my view, satisfied.

2. Whether action should prove necessary

46. As regards, in the second place, whether action by the European Union was necessary to attain the objective of facilitating the exercise of the right to free movement, I must point out that that is not an element specifically raised by the referring court or called into question by the applicant in the main proceedings. In any event, I would draw the Court’s attention to the impact assessment carried out by the Commission, which accompanies that institution’s proposal for a regulation. (29)

47. In that assessment, the Commission explains that European citizens are increasingly mobile – within and outside the European Union – which is, undoubtedly, a major achievement of European integration. (30) In that connection, the Commission points out that, whereas Directive 2004/38 established the conditions for the exercise of the right of free movement and residence, that directive did not regulate the format and security standards for national identity cards, which is why more than 250 versions of those cards are in valid circulation in the European Union. (31) In those circumstances, the Commission’s impact assessment identifies, as problems for the exercise of the right of free movement, insufficient acceptance of national identity cards by Member States, increasing levels of document fraud and lack of authentication in relation to those cards and complexity of their issuance and administration. (32) The Commission’s assessment concludes that, while there is an increasing need to use national identity cards, considerable difficulties in exercising free movement rights would remain or increase in the absence of appropriate action. (33)

48. To my mind, the previous matters, expanded upon in the Commission’s impact assessment, illustrate the increasing use of free movement rights by EU citizens, which is a well-known fact. At the same time, those matters make apparent the current difficulties and risks which emerge in the exercise of those rights owing to the lack of homogeneity regarding the formats and security features of national identity cards. Considering the broad discretion afforded to the EU legislature when called upon to undertake complex assessments, (34) there should be no doubt as to the absence of any error by the Parliament and the Council when they contemplated that action by the European Union would be necessary to attain the objective of facilitating the exercise of free movement.

49. The second condition of Article 21(2) TFEU is also therefore, in my view, satisfied.

3. Necessary powers

50. In the third place, the adoption of an EU measure on the basis of Article 21(2) TFEU is subject to the condition that ‘the Treaties have not provided the necessary powers’. In the order for reference, the referring court takes the view that Article 77(3) TFEU constitutes a more specific legal basis for the purposes of introducing new security features to the national identity cards of the Member States. For that reason, that court considers that Article 77(3) TFEU should have been used as a legal basis instead of Article 21(2) TFEU in the adoption of Regulation 2019/1157.

51. As a preliminary point, I would like to recall that, according to settled case-law, recourse to a dual legal basis is precluded where the procedures laid down for each legal basis are incompatible with each other. (35) In the present case, the legislative procedures applicable by virtue of Article 21(2) TFEU, on the one hand, and Article 77(3) TFEU, on the other, are mutually exclusive, which means that reliance on the first of those provisions for the adoption of Regulation 2019/1157 could not be validated were the Court to conclude that Article 77(3) TFEU ought to have been the correct legal basis for that adoption.

52. In any event, when account is taken of the wording and systematisation of Article 77(3) TFEU, together with the scheme of the same Treaty, I do not think that the view taken by the referring court should be upheld.

53. First, as indicated in point 30 of the present Opinion, Article 77(3) TFEU appears in Title V of Part Three of the TFEU, dedicated to ‘Area of freedom, security and justice’, in particular in Chapter 2 thereof, which relates to ‘Policies on border checks, asylum and immigration’. That provision follows Article 77(1) TFEU, which provides that the European Union is to develop a policy with a view to attaining certain objectives regarding, in essence, border checks. It also follows Article 77(2) TFEU, which allows the Parliament and the Council to adopt measures, via the ordinary legislative procedure, concerning that same policy.

54. The overall content and systematisation of Article 77 TFEU thus invites one to consider that, even though paragraph 3 thereof confers competence on the Council to adopt provisions relating to passports and identity cards, for the purposes of facilitating the exercise of the right to move and reside freely, that competence must be understood as referring to the context of border check policy. An EU measure extending beyond that specific content, irrespective of the requirements of the applicable legislative procedure, would not fall within the scope of Article 77(3) TFEU.

55. In the present case, the introduction of uniform standards, formats and specifications concerning the security of national identity cards, including those defined in Article 3(5) of Regulation 2019/1157, may certainly be capable of having an impact on border checks. (36) However, as I have argued in the present Opinion, that regulation covers a wider area of EU citizens’ lives, which precludes it from being confined solely to the field of border checks. In that regard, it might be useful to recall that, if the examination of an EU measure reveals that it pursues several purposes and if one of those can be identified as the main or predominant purpose, whereas the others are merely incidental, the measure must then be founded on a single legal basis, namely that corresponding to the main purpose. (37) As to Regulation 2019/1157, it is obvious to me that it affects the right to move and to reside freely in many different respects, while having only a partial impact on border checks.

56. Second, it is important to note that, according to Article 77(3) TFEU, that provision applies only if the powers necessary for attaining its objective are not provided for by other provisions of the Treaties, which is a subsidiary clause drafted in terms analogous to those of Article 21(2) TFEU. The question that emerges is whether Article 21(2) TFEU or Article 77(3) TFEU constitutes a more specific provision with respect to the other, regarding, in particular, the right to move and reside freely within the territory of the Member States.

57. In that regard, I would like to point out, on the one hand, that Article 77(3) TFEU refers expressly to Article 20 of the same Treaty, which establishes EU citizenship and, more specifically, to paragraph (2)(a) thereof, which provides that that citizenship encompasses the right to move and reside freely within the territory of the Member States. Article 77(3) TFEU then provides that the Council has the competence to adopt provisions concerning, inter alia, identity cards for the purposes of facilitating the right referred to in Article 20(2)(a) TFEU, if the Treaties have not provided the necessary powers. In turn, as I have already noted, Article 21 TFEU expands upon the content of Article 20(2)(a) TFEU by providing, inter alia, that the right referred to in that provision is subject to the limitations and conditions laid down in the Treaties and by the measures adopted to give them effect, specifically by means of paragraph 2 thereof. In that context, I would therefore be inclined to consider that, as regards Article 20(2) TFEU, Article 21 of the same Treaty constitutes a more specific provision, which has the effect of rendering inapplicable the subsidiary clause of Article 77(3) TFEU and thus the special legislative procedure provided for in that provision.

58. On the other hand, as the Commission submits, the scope of the subsidiary clause resulting from Article 21(2) TFEU, which allows for the adoption of provisions to facilitate the free movement of persons unless the Treaties have provided the necessary powers, seems to be circumscribed to those articles of the Treaty on FEU contained in Title IV of Part Three thereof, namely Article 45, on the free movement of workers, and Articles 49 and 56, on the right of establishment and the right to provide services in the territory of another Member State. That is apparent, from a systematic point of view, given the risk of overlap arising from the provisions of the Treaty concerning, on the one hand, the right of EU citizens to move and reside freely within the European Union and, on the other hand, the rights of free movement as essential elements of the internal market. The case-law of the Court indeed supports that understanding, (38) inasmuch as it holds that Article 21 TFEU finds specific expression in the provisions guaranteeing free movement, suggesting, furthermore, that, if a case falls under the scope of one of those provisions, Article 21 TFEU relinquishes its position as the appropriate legal basis for the adoption of provisions to facilitate the right to move and reside freely. (39)

59. Last, I would briefly note that the circumstance that Article 77(3) TFEU refers specifically to identity cards in its wording, as the referring court points out, is not conclusive for that provision to be considered a more specific provision with respect to Article 21(2) TFEU. After all, Article 77(3) TFEU also refers, for instance, to residence permits, the uniform format of which, in particular for third-country nationals, was established in Regulation No 1030/2002, (40) including minimum security features and the storage obligation of biometric data. That regulation and the amendments thereto, however, were adopted by means of the ordinary legislative procedure on the basis of Article 63, point 3, TEC, which later became Article 79 TFEU, and not on the basis of the forebear of Article 77(3) TFEU. That is because residence permits are documents to be used internally within the issuing Member State and not for border checks, which is also the case, for the most part, of national identity cards.

60. It follows that Article 77(3) TFEU does not constitute a more specific provision for the purpose of facilitating the exercise of the right to move and reside freely within the territory of the Member States with respect to Article 21(2) TFEU, and, consequently, that the third condition set out in that latter provision is satisfied.

61. In the light of the foregoing, and as my proposed analysis reveals that the three conditions apparent from the wording of Article 21(2) TFEU are fulfilled, I would conclude that, by using that provision as a legal basis for Regulation 2019/1157, the Parliament and the Council correctly adopted that regulation.

62. The first ground raised by the referring court should not lead the Court to declare the invalidity of Regulation 2019/1157 and, in particular, of Article 3(5) thereof.

B. Articles 7 and 8 of the Charter

63. The second ground of invalidity set out in the reference for a preliminary ruling relates to whether the obligation to collect and store an image of two fingerprints in identity cards newly issued by the Member States, under Article 3(5) of Regulation 2019/1157, constitutes an unjustified limitation of Articles 7 and 8 of the Charter, read in conjunction with Article 52(1) thereof.

1. Limitation

64. Article 7 of the Charter provides that everyone has the right to respect for his or her private and family life, home and communications. Under Article 8(1) thereof, everyone has the right to the protection of personal data concerning him or her. Even though the two provisions are devoted to two different fundamental rights, the Court has traditionally applied them simultaneously when examining, as in the present case, the conformity, with the Charter, of European or national provisions on the processing of personal data. (41)

65. The Court has also declared that respect for private life with regard to the processing of personal data, recognised by Articles 7 and 8 of the Charter, concerns any information relating to an identified or identifiable individual. (42) That is clearly the case with biometric identifiers and, in particular, digital fingerprints, at issue in Regulation 2019/1157, which contain unique information about individuals allowing them to be identified with precision. (43)

66. Further, in the judgment in Schwarz, the Court ruled that the compulsory inclusion of digital fingerprints in passports newly issued by Member States, as prescribed by Regulation No 2252/2004, was to be viewed as a processing of personal data and that that inclusion constituted a limitation of the rights guaranteed by Articles 7 and 8 of the Charter. (44) In line with the view taken by all of the parties in the present proceedings, that ruling leads one to consider that Regulation 2019/1157, which introduces similar measures concerning national identity cards, introduces a limitation of both of the fundamental rights protected under those articles.

67. More specifically, that limitation should be defined by reference to the twofold measures set out in Article 3(5) of Regulation 2019/1157, namely the collection of the fingerprints in itself – the procedure for which is further set out in Article 10(1) of that regulation – and the definitive inclusion of those fingerprints on a highly secure storage medium in every identity card newly issued by Member States. (45)

68. Additionally, as the Parliament indicates, account should be taken of the measure which is set out in Article 10(3) of Regulation 2019/1157. In essence, that provision establishes that biometric identifiers stored for the purpose of the personalisation of identity cards must be kept by public authorities until the date of collection of the identity card by its holder and, in any event, no longer than 90 days from the date of issue. Storing those identifiers in that manner increases the risk of undue access by public authorities to the biometric identifiers captured pursuant to Article 3(5) of Regulation 2019/1157 and should not therefore be disregarded when considering the limitation introduced by that provision of the rights guaranteed by Articles 7 and 8 of the Charter.

69. Finally, Article 11 of Regulation 2019/1157, under the heading ‘Protection of personal data and liability’, paragraph 6 thereof in particular, allows competent national authorities and EU agencies to use national identity cards with stored fingerprints for the purposes of verifying the authenticity of the card and the identity of the holder. Again, it is in the context of that use that a threat might arise regarding the biometric identifiers collected pursuant to Article 3(5) of Regulation 2019/1157.

70. It follows from the foregoing that, in order to define the limitation of the rights guaranteed by Articles 7 and 8 of the Charter introduced in the present case, and to ascertain whether that limitation can be justified, the Court’s examination should be conducted not only by reference to the collection of fingerprints and their inclusion in national identity cards newly issued by Member States, but also by reference to the two additional measures which, due to their close connection to the biometric identifiers concerned by Article 3(5) of Regulation 2019/1157 in terms of storage and further use, should not be left in isolation during that examination.

2. Justification of the limitation

71. Regarding whether the limitation resulting from Regulation 2019/1157, as previously described, can be justified, it should be noted from the outset that Article 8(2) of the Charter allows personal data to be processed if the person concerned so consents or where some other legitimate basis laid down by law applies. Here, it is evident that Member State citizens who request the issuance of a national identity card cannot object, by virtue of the compulsory nature of the measures provided for by Article 3(5) of Regulation 2019/1157, to the processing of their fingerprints. (46) Consequently, it is necessary to ascertain whether that processing can be justified on the basis of some other legitimate legal basis.

72. The Court has consistently held that the rights recognised by Articles 7 and 8 of the Charter are not absolute rights, but must be considered in relation to their function in society. (47) In that regard, Article 52(1) of the Charter provides, in the first sentence thereof, that any limitation on the exercise of the rights and freedoms recognised by that Charter must be provided for by law and respect the essence of those rights and freedoms. The second sentence of Article 52(1) further provides that, subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others. (48)

73. In the present case, as the referring court concedes, no issue arises in relation to the requirements set by the first sentence of Article 52(1) of the Charter. After all, the limitations to Articles 7 and 8 thereof stemming from Regulation 2019/1157 are provided for by law in the form of a regulation, which, in the case of the Federal Republic of Germany, has even been transposed into national law. (49) Moreover, given the various guarantees provided by Article 3(5), Article 10(1) and (3) and Article 11(6) of Regulation 2019/1157, specifically regarding the collection, storage and use of fingerprints in newly issued national identity cards, as I shall describe later, (50) the essence of the rights embodied by both provisions is respected.

74. The question remains whether those limitations are in conformity with the principle of proportionality and, in particular, whether they are necessary and genuinely meet objectives of general interest recognised by the European Union, in accordance with the second sentence of Article 52(1) of the Charter.

75. As regards whether the limitations resulting from Regulation 2019/1157 satisfy an objective of general interest, I have already explained, as part of my analysis of the first ground of invalidity, (51) that that regulation seeks to facilitate the right to free movement of EU citizens by making national identity cards more reliable in terms of authenticity and identification. In essence, it follows from Article 1 of Regulation 2019/1157, read in the light, inter alia, of recitals 4, 5, 18 and 28 thereof, that the lack of homogeneity regarding the formats and security features of national identity cards increases the risk of falsification and document fraud, the prevention of which thus constitutes an objective of that regulation as a way to promote the acceptance of those cards in Member States other than the one issuing them.

76. I would therefore consider that, inasmuch as the collection and storage of fingerprints in newly issued national identity cards, as is provided for in Article 3(5) of Regulation 2019/1157, is intended to prevent those cards from becoming targets for falsification or fraudulent use by persons other than their genuine holder – and thereby facilitate exercise of the right to free movement as enshrined, inter alia, in Article 45 of the Charter – the limitations introduced by Regulation 2019/1157 pursue an objective of general interest within the meaning of Article 52(1) of the Charter. (52) A similar interpretation was adopted by the Court in the judgment in Schwarz, (53) which, in my view, is analogous to the present case.

77. As regards the proportionality of the limitations created by Regulation 2019/1157, it follows from the settled case-law of the Court that the principle of proportionality requires that acts of the EU institutions be appropriate for attaining the legitimate objectives pursued by the legislation at issue and do not exceed the limits of what is appropriate and necessary in order to achieve those objectives. (54)

78. Moreover, where interferences with fundamental rights are at issue, the extent of the EU legislature’s discretion may prove to be limited, depending on a number of factors, including, in particular, the area concerned, the nature of the right at issue guaranteed by the Charter, the nature and seriousness of the interference and the object pursued by the interference. (55)

79. In the present case, it is true that the capture of fingerprints and their storage in newly issued national identity cards are not, in themselves, measures of particular intensity in terms of their limitation of the rights guaranteed by Articles 7 and 8 of the Charter. After all, on the one hand, the capture of fingerprints is not an operation of an intimate nature (56) and, on the other, the biometric identifiers stored in a newly issued card remain, pursuant to Regulation 2019/1157, at the sole disposal of the cardholder.

80. However, the limitation introduced by Regulation 2019/1157 concerns the protection of personal data, which, according to the Court’s case-law, plays an important role in the light of the fundamental right to respect for private life. (57) In addition, the measures which accompany the capture and storage of fingerprints, as I have described in points 68 and 69 of the present Opinion, are liable to increase the risk of undue access by public authorities to biometric identifiers and abuse in that regard. Finally, as the referring court points out, account should be taken of the aggregated impact of Regulation 2019/1157 on the EU population, whose obligation to include an image of the holder’s fingerprints in newly issued identity cards is capable of affecting up to 85% of EU citizens given the mandatory nature of those cards in the majority of the Member States. (58)

81. For all of those reasons, the EU legislature’s discretion should be regarded, in my view, as reduced, with the result that review of that discretion should be strict. That being said, I consider that the limitations arising from Regulation 2019/1157 and, in particular, from Article 3(5) thereof are appropriate, necessary and do not go beyond what is indispensable for achieving the main objective of that regulation.

82. In the first place, concerning the question whether the capture and storage of fingerprints in newly issued national identity cards is appropriate for attaining the objective pursued by Regulation 2019/1157, it is common ground – and indeed it was considered by the Court in the judgment in Schwarz (59) – that the storage of fingerprints on a highly secure storage medium is likely to reduce the risk of national documents being falsified, given the unique nature of fingerprints for identification purposes and the sophisticated technology applied to that storage. (60) By reducing the risk of falsification of national identity cards, acceptance of those cards in Member States other than the one issuing them will be increased, which will, ultimately, facilitate the exercise of the right to free movement of EU citizens. (61) From that perspective, I do not believe that any doubt should remain as to the appropriate nature of the use of fingerprints for achieving the aim of Regulation 2019/1157. (62)

83. The referring court points out, nevertheless, that the collection and storage of fingerprints allows only for verification of whether the biometric data included in a particular national identity card corresponds with the biometric data of its holder, but not for identification of that person per se. In its view, that identification can be carried out only by comparing, on the one hand, the biometric data stored on the identity card and, on the other, the biometric data stored in an absolute forgery resistance database. From that perspective, the referring court questions whether the mandatory inclusion of fingerprints in national identity cards can fulfil the objective of Regulation 2019/1157.

84. In that respect, I would emphasise that the referring court’s argument is not capable of calling into question the fact that the inclusion of fingerprints in national identity cards is an effective means in itself of enhancing the level of authenticity and reliability of those cards and hence their acceptance in the exercise of the right to free movement. That argument relies only on the premiss that the inclusion of digital fingerprints in national identity cards might not be wholly reliable, since they can still be forged and falsified, which means that the aim pursued by Regulation 2019/1157 could be not fully achieved.

85. The existence of absolute forgery resistance of national identity cards after the adoption of Regulation 2019/1157, including the measures imposed by Article 3(5) thereof, is a matter which cannot be assessed in the light of the evidence available to the Court. That being said, it follows from the judgment in Schwarz that the circumstance that a method for countering forgery and fraudulent use is not wholly reliable is not decisive for it to be considered inappropriate for the purposes of interpreting Article 52(1) of the Charter. It is in fact enough that the method significantly reduces the likelihood of the falsification that would exist if that method were not used. (63)

86. Consequently, even if the collection and storage of fingerprints in newly issued identity cards cannot be considered an absolute forgery-proof measure, that does not call into question their appropriateness for the purposes of preventing falsification and document fraud and thereby facilitating the right to free movement of EU citizens. The circumstance – also pointed out by the referring court – that the collection and inclusion of fingerprints applies only to newly issued identity cards and that old cards continue to be temporarily valid does not call that into question, either. (64) Even in that case, the gradual introduction of that measure to national identity cards reduces the risk of national documents being falsified and progressively helps the attainment of the objective of Regulation 2019/1157.

87. In the second place, as regards the question whether the capture and storage of fingerprints in identity cards are also necessary – that there is no equally suitable but less intrusive method available to achieve the same legitimate aim – the referring court mentions two main alternatives to that measure, the first of which is examined in detail by the Commission in the impact assessment accompanying the proposal for a regulation. (65)

88. Indeed, the first alternative would be to limit the requirements for forgery protection to a facial image of the holder of the card, a method which would also serve the purpose of harmonising the various security standards for national identity cards at national level.

89. In that regard, I have pointed out that the Court has already ruled that the measure of taking fingerprints, as is the case with facial images, is not an operation of an intimate nature. It is incapable of causing any particular physical or mental discomfort to the person affected any more than when that person’s facial image is taken. (66) The Court has further considered that, even when fingerprints are to be taken in addition to the facial image, the combination of two operations designed to identify persons should not a priori be regarded as giving rise in itself to a greater threat to the rights recognised by Articles 7 and 8 of the Charter than if each of those two operations were to be considered in isolation. (67)

90. Moreover, since the anatomical features of a person’s face can change significantly, due to various vicissitudes in that person’s life, such as ageing or the onset of illness, merely matching the facial image on the national identity card with the cardholder’s face is more likely to result in errors of identification than verifying the facial image on the identity card and that same holder’s fingerprints. In that regard, as the German Government points out, even a biometric picture match can be misled by modern morphing techniques which merge different faces into a single facial image.

91. Consequently, neither a manual nor an automated comparison of the facial image on a national identity card with the cardholder’s face, (68) which were the methods employed in many Member States before the adoption of Regulation 2019/1157, can provide a more effective outcome than the combination of the biometric identifiers referred to in Article 3(5) of that same regulation, that is to say, a facial image of the holder of the card and two fingerprints. (69) To my mind, a similar conclusion can be reached if the facial image of the cardholder were to be combined only with holograms or watermarks, as the referring court also submits.

92. The second alternative would be to store a smaller amount of fingerprint data in the form of so-called minutiae or to require the taking of a single fingerprint. In that regard, it is important to explain that the inclusion of minutiae in national identity cards would require, as a first step, the taking of a whole fingerprint and, subsequently, the extraction of those minutiae as a next step, which means that more extensive data processing would have to be carried out in addition to the capture and storage of individual fingerprints. For that reason, I do not think that that method can be considered less intrusive.

93. Furthermore, according to the scientific literature, the storage of minutiae does not appear to offer the same level of security in identity verification as the use of complete fingerprints, (70) which is a consideration that can be added to the concerns raised by the use of minutiae in terms of interoperability. In that respect, as most of the parties pointed out during the hearing, there is no established uniform procedure, or even available software, either at European or at national level, for reading minutiae from national identity cards, which would raise an insurmountable burden for the exchange of data between national authorities. (71)

94. The same also applies, for instance, to the international sphere, where, in order that identity cards may be used in international air travel, the specifications of International Civil Aviation Authority Document 9303 must be met. (72) Those specifications establish that, if a State provides for the inclusion of fingerprints in machine-readable travel documents, the storage of the fingerprint image is mandatory to permit global interoperability. (73) The storage of minutiae does not meet those requirements.

95. In terms of the taking and storage of a single fingerprint, I am inclined to consider that, although the amount of data stored is less than when storing two fingerprints, that method is not equally suitable given that it results in lower reliability. Illustrative in that regard could be the case of a defective taking of a fingerprint or of an injury to the finger the print of which was taken. In any event, it is apparent from the Court’s case-law that even taking a higher number of fingerprints may be considered proportionate. (74)

96. It follows from the foregoing considerations that an equally suitable but less intrusive method does not seem to exist, as compared to the taking and storage of fingerprints, for achieving, in a similarly effective manner, the aim of Regulation 2019/1157.

97. In the third place, in order for Article 3(5) of Regulation 2019/1157 to be justified in the light of its aim, the processing of any fingerprints taken pursuant to that provision should not go beyond what is necessary to achieve that aim. In that regard, the legislature must ensure that there are specific guarantees that the processing of such data will be effectively protected from misuse and abuse. (75) That justification can only be accepted if specific limitations to the threat posed are provided for in order to prevent any abuse. (76)

98. In the present case, it should be emphasised that Article 3(5) and (6), Article 10 and Article 11 of Regulation 2019/1157 provide a clear legal framework for the collection, storage and use of biometric identifiers, namely fingerprints. (77)

99. In particular, first, the conditions governing the collection of fingerprints are set out in Article 10 of Regulation 2019/1157. It is explicitly stated in that provision that biometric identifiers can only be collected by qualified and duly authorised staff previously designated by the authorities responsible for issuing identity cards, and exclusively for the purpose of being integrated into the highly secure storage medium provided for in Article 3 of Regulation 2019/1157. Moreover, Member States must ensure that appropriate and effective procedures for the collection of biometric identifiers are put in place, and those procedures must comply with the rights and principles set out not only in the Charter, but also in the European Convention of Human Rights and the Convention on the Rights of the Child. (78) Those procedures must also respect, where difficulties are encountered, the dignity of the person concerned.

100. Second, regarding storage of biometric identifiers after their collection, it is expressly stated in Article 3(6) of Regulation 2019/1157 that the storage medium of national identity cards must guarantee the integrity, authenticity and confidentiality of the data, which must be secured in accordance with the instructions established in Commission Decision C(2018) 7767. (79) Furthermore, according to Article 10(3) of that regulation, the storage of biometric identifiers by public authorities after their collection is to be limited to the period between the collection of the data and the date of issue of the identity card and, in any event, must not exceed 90 days from the date of issue. During that period, the data must be kept in a highly secure manner. After that period, the fingerprints collected must be erased or destroyed.

101. Third, access to the fingerprints stored on the storage medium is also very limited under Article 11 of Regulation 2019/1157. Only duly authorised staff of the competent authorities have access to them (80) and access is possible only when presentation of the identity card is required by EU law or national law. Moreover, the sole purpose of that access must be to verify the authenticity of the identity card and/or the identity of the holder. In addition, control of the facial image is the primary aim for the verification of the authenticity of the document and the identity of the holder, which entails that, as a general practice, Member States should only verify the fingerprints where necessary to confirm without doubt that authenticity and identity. (81)

102. In the light of the above, I would consider that Regulation 2019/1157 offers sufficient and appropriate measures which guarantee that the collection, storage and use of biometric identifiers, in particular digital fingerprints, is effectively protected from misuse and abuse.

103. More concretely, those measures ensure that collection procedures are carried out by a reduced number of specialised staff and are carefully set up in advance by Member States in order to respect the fundamental rights and dignity of the persons concerned. They also guarantee that biometric identifiers stored in a newly issued card remain at the sole disposal of the cardholder after the issuance of that card and that they are not publicly accessible. (82) The biometric identifiers are kept by public authorities only for the purposes of issuing the identity card in a highly secure manner and no further access is authorised to them or to any other person. The biometric identifiers must, in any event, be erased and destroyed after a clearly defined and reasonable period of storage by public authorities if that card happens not to be issued. Finally, the measures introduced by Regulation 2019/1157 confirm that biometric identifiers are accessed and used in strictly limited circumstances, predefined by the law and for the sole purpose of verifying the authenticity of the card and the identity of the cardholder, in line with the main purpose of that regulation.

104. For the sake of completeness, I would like to refer to the introductory proviso of Article 10(3) of Regulation 2019/1157, which was the subject of several questions asked by the Court during the hearing. Before referring to the temporary storage of fingerprints by public authorities and the obligation to keep those biometric identifiers in a highly secure manner, as I have already mentioned, the first sentence of Article 10(3) of Regulation 2019/1157 contains the proviso ‘other than where required for the purpose of processing in accordance with Union and national law’. The proviso appears to stem from the interinstitutional negotiation – or trilogue – held between the Parliament, the Council and the Commission during the ordinary legislative procedure leading to the adoption of Regulation 2019/1157. (83)

105. In that regard, it is true that that proviso could suggest that public authorities may store biometric identifiers such as fingerprints after their capture for a period longer that that defined in Article 10(3) of Regulation 2019/1157 and that those authorities may use them for additional purposes not precisely defined in that regulation, such as, for instance, the establishment of national databases.

106. However, a close reading of Article 10(3) of Regulation 2019/1157 reveals that that proviso does not establish any legal basis for any purpose other than those specifically set out by that regulation. Indeed, that proviso expressly refers to additional legislation, either from the European Union or from the Member States, meaning that any limitation of the rights guaranteed by Articles 7 and 8 of the Charter should be examined only by reference to that other legislation and not as being self-contained in Regulation 2019/1157. This understanding is particularly reinforced when one considers recital 21 of Regulation 2019/1157, (84) which unambiguously declares that that regulation does not provide a legal basis for setting up or maintaining databases at national level for the storage of biometric data in Member States, that being a matter of national law that needs to comply with EU law regarding data protection. That same recital further states that that regulation does not provide a legal basis for setting up or maintaining a centralised database at EU level.

107. It is for that reason that I do not think that the introductory proviso of Article 10(3) of Regulation 2019/1157 is capable of calling into question the conclusion set out in point 102 above that Regulation 2019/1157 offers sufficient guarantees to prevent the processing of biometric identifiers, in particular digital fingerprints, from being misused or abused.

108. In the light of the foregoing, I would conclude that Regulation 2019/1157 and, in particular, Article 3(5) thereof do not constitute an unjustified limitation of Articles 7 and 8 of the Charter, read in conjunction with Article 52(1) thereof.

109. The second ground raised by the referring court should not lead the Court to declare the invalidity of Regulation 2019/1157.

C. Article 35(10) GDPR

110. By the third ground of invalidity, the referring court questions whether Article 3(5) of Regulation 2019/1157 infringes Article 35(10) GDPR. Echoing the view taken by the EDPS in its opinion of 10 August 2018, (85) that court harbours doubts as to whether a data protection impact assessment should have been carried out by the EU legislature upon the adoption of Regulation 2019/1157.

111. Article 35 GDPR is contained in Chapter IV thereof, under the heading ‘Controller and processor’, specifically in Section 3, relating to data protection impact assessment and prior consultation.

112. According to paragraph 1 of that provision, where a type of processing in particular using new technologies is likely to result in a high risk to the rights and freedoms of natural persons, the controller must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Paragraphs 2 to 7 of the same provision further develop the content of the obligation of controllers to carry out an impact assessment, in particular by setting out the cases in which that assessment is required and by describing the minimum elements that that assessment must contain.

113. By contrast, paragraph 10 of Article 35 GDPR establishes an exception to the obligation to carry out an impact assessment, provided that the conditions set out in that provision are met. That is especially the case where (i) the processing of data is necessary for compliance with a legal obligation to which the controller is subject, (ii) that law regulates the specific processing operation or set of operations in question, and (iii) a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that law.

114. In the present case, I must note, from the outset, that, even though the referring court cites Article 35(10) GDPR as the basis of the infringement concerned by the present ground of invalidity, the indications provided in the order for reference suggest that that ground is in fact based on infringement of Article 35(1) GDPR. It is indeed the latter provision which places data controllers, as defined in Article 4(7) GDPR, under the obligation to carry out an impact assessment when there is a high risk to the rights and freedoms of natural persons. In the view of the referring court, it is that obligation that applied to the EU legislature when adopting Regulation 2019/1157 and that would appear, according to the same court, not to have been satisfied.

115. Further, it should be noted that the GDPR and Regulation 2019/1157 are acts of secondary legislation which, in the hierarchy of sources of EU law, rank equally. This entails that, contrary to what the referring court indicates in its question, the GDPR cannot be regarded as a ‘higher ranking law’ with respect to Regulation 2019/1157. In that respect, it follows, in essence, from the case-law of the Court that unless an act of secondary legislation contains a provision expressly giving primacy over another, the validity of the latter cannot be evaluated in the light of the former. In that case, it is only necessary to ensure that each of those acts is applied in a manner that is compatible with the other and enables them to be applied consistently. (86)

116. Concerning Regulation 2019/1157, I observe that that regulation establishes explicit links with the GDPR, in particular in Article 11 thereof, in relation to the protection of personal data. That provision, which should be read in the light of recitals 40, 41 and 43 of the same regulation, makes apparent that the GDPR applies with regard to the personal data to be processed in the context of the application of Regulation 2019/1157. More specifically, it follows from Article 11(2) of that regulation that the authorities responsible for issuing identity cards must be considered the controller referred to in Article 4(7) GDPR and must have responsibility for the processing of personal data. Furthermore, Article 11(3) of Regulation 2019/1157 compels Member States to ensure that supervisory authorities can fully exercise their tasks as referred to in the GDPR, including, for instance, access to all personal data as well as access to any premises or data processing equipment of the competent authorities.

117. It follows from Regulation 2019/1157 that the GDPR can impose obligations on national bodies and competent authorities when implementing Regulation 2019/1157. The EU institutions and the governments intervening before the Court concede that point. That being said, at no point does it result from the GDPR that the obligation to carry out an impact assessment, as is provided for in Article 35(1) thereof, is binding on the EU legislature, nor does that provision establish any criterion in relation to which, for instance, the validity of another secondary law norm of the European Union should be assessed.

118. In the light of the foregoing, I would conclude therefore that Article 35(1) GDPR does not apply to the EU legislature during the adoption of a norm of secondary law and that, for that reason, the legislative process leading to the adoption of Regulation 2019/1157 and, in particular, of Article 3(5) thereof, cannot be regarded as breaching the requirement to conduct an impact assessment.

119. It follows from the foregoing considerations that the third ground raised by the referring court should not lead the Court to declare the invalidity of Regulation 2019/1157.

120. The examination of the question referred by the referring court has not disclosed any factor such as to affect the validity of Regulation 2019/1157 and, in particular, of Article 3(5) thereof.

V. Conclusion

121. In the light of all of the foregoing considerations, I propose that the Court answer the question referred by the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden, Germany) as follows:

Examination of the question referred has not disclosed any factor such as to affect the validity of Regulation 2019/1157 and, in particular, of Article 3(5) thereof.

1 Original language: English.

2 Regulation (EU) 2019/1157 of the European Parliament and of the Council of 20 June 2019 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement (OJ 2019 L 188, p. 67) (‘Regulation 2019/1157’).

3 That obligation is applicable as from 2 August 2021. See Article 16 of Regulation 2019/1157.

4 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).

5 Judgment of 17 October 2013, Schwarz (C‑291/12, EU:C:2013:670) (‘the judgment in Schwarz’).

6 Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States (OJ 2004 L 385, p. 1) (‘Regulation No 2252/2004’).

7 The present case is also closely related to case C‑280/22, Kinderrechtencoalitie Vlaanderen and Liga voor Mensenrechten, pending before the Court.

8 Directive 2004/38/EC of the European Parliament and of the Council of 29 April 2004 on the right of citizens of the Union and their family members to move and reside freely within the territory of the Member States amending Regulation (EEC) No 1612/68 and repealing Directives 64/221/EEC, 68/360/EEC, 72/194/EEC, 73/148/EEC, 75/34/EEC, 75/35/EEC, 90/364/EEC, 90/365/EEC and 93/96/EEC (OJ 2004 L 158, p. 77), as amended (‘Directive 2004/38’).

9 Commission Implementing Decision of 30 November 2018 laying down the technical specifications for the uniform format for residence permits for third country nationals and repealing Decision C(2002)3069 (C(2018) 7767 final) (‘Commission Decision C(2018) 7767’).

10 Act of 18 June 2009 (BGBl. I p. 1346), last amended by Article 2 of the Act of 5 July 2021 (BGBl. I p. 2281) (‘the PAuswG’).

11 European Data Protection Supervisor Opinion 7/2018, of 10 August 2018, on the Proposal for a Regulation strengthening the security of identity cards of Union citizens and other documents (OJ 2018 C 338, p. 22) (‘EDPS Opinion 7/2018’).

12 Judgment of 3 December 2019, Czech Republic v Parliament and Council (C‑482/17, EU:C:2019:1035, paragraph 31 and the case-law cited).

13 Ibid. (paragraph 32 and the case-law cited).

14 Judgment in Schwarz, paragraph 20.

15 See, in that regard, judgment of 18 December 2014, United Kingdom v Council (C‑81/13, EU:C:2014:2449, paragraphs 35 and 36 and the case-law cited).

16 See also recital 46 of Regulation 2019/1157.

17 That recital expressly states that the establishment of minimum security standards and the integration of biometric data in identity cards are important steps in rendering their use in the Union more secure and in allowing EU citizens to fully benefit from their rights of free movement.

18 See, to that effect, the Proposal for a Regulation of the European Parliament and of the Council on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement (COM(2018) 212 final), page 4 (‘the Commission’s proposal for a regulation’).

19 For a conceptual framework of the general and specific objectives of the Commission’s proposal for a regulation, see Commission Staff Working Document – Impact Assessment, of 17 April 2018 (SWD(2018) 110 final), page 24 (‘the Commission’s impact assessment’).

20 See recital 28 of Regulation 2019/1157.

21 Judgment of 17 February 2005, Oulane (C‑215/03, EU:C:2005:95, paragraph 22).

22 See also Article 8(3) of Directive 2004/38, under the heading ‘Administrative formalities for Union citizens’.

23 See Article 35 of Directive 2004/38.

24 As is the case, for instance, regarding Member States like Ireland, where internal border checks remain in effect, or regarding the temporary reintroduction of border control at internal borders pursuant to Article 23 et seq. of Regulation (EU) 2016/399 of the European Parliament and of the Council of 9 March 2016 on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code) (OJ 2016 L 77, p. 1), as amended.

25 See point 47 of the present Opinion.

26 Benefits for European democratic rights and for the citizens’ initiative are further mentioned in the Commission’s impact assessment (point 6.1).

27 See, to that effect, the last sentence of recital 15 of Regulation 2019/1157, and recital 28 of that regulation, which, as already indicated, states that both types of measures help Member States, on the one hand, to rely on the authenticity of those documents and, on the other, to provide sufficient guarantees to public authorities and private entities so that they can rely on them when used by EU citizens for identification purposes.

28 See, to that effect, judgment of 16 April 2015, Willems and Others (C‑446/12 to C‑449/12, EU:C:2015:238, paragraph 39).

29 Commission Staff Working Document – Impact Assessment, of 17 April 2018, as cited in footnote 19 above.

30 See the Commission’s impact assessment (point 1.1), which states that more than 15 million EU citizens reside in another Member State and that more than 11 million citizens are working in another Member State, in addition to the many students who move across the European Union for educational and training purposes.

31 Commission’s impact assessment, point 1.2 and Annex 5.

32 Commission’s impact assessment, point 2.1 and figure 2.1.

33 Commission’s impact assessment, point 2.2.

34 See, inter alia and to that effect, judgment of 22 June 2017, E.ON Biofor Sverige (C‑549/15, EU:C:2017:490, paragraph 50 and the case-law cited).

35 See, inter alia, judgment of 11 June 2014, Commission v Council (C‑377/12, EU:C:2014:1903, paragraph 34).

36 As the Spanish Government observes, the adoption of Regulation 2019/1157 was part of the objective of improving the security of travel documents, in particular following the amendment of the Schengen Borders Code, which introduced the obligation to systematically check all persons and their travel documents – irrespective of the nationality of the holder – in the Schengen Information System (SIS) and in the Stolen and Lost Travel Documents database (SLTD). See, to that effect, Regulation (EU) 2017/458 of the European Parliament and of the Council of 15 March 2017 amending Regulation (EU) 2016/399 as regards the reinforcement of checks against relevant databases at external borders (OJ 2017 L 74, p. 1). See also the Commission’s impact assessment, point 1.2 (page 5).

37 See, inter alia, judgment of 20 November 2018, Commission v Council (Antarctic MPAs) (C‑626/15 and C‑659/16, EU:C:2018:925, paragraph 77 and the case-law cited).

38 See, to that effect, judgment of 20 May 2010, Zanotti (C‑56/09, EU:C:2010:288).

39 Ibid. (paragraph 24 and the case-law cited).

40 See Article 4b of Council Regulation (EC) No 1030/2002 of 13 June 2002 laying down a uniform format for residence permits for third-country nationals (OJ 2002 L 157, p. 1).

41 See judgment in Schwarz (paragraph 25), and judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 29). Compare with Opinion of Advocate General Cruz Villalón in Joined Cases Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2013:845, point 64), where he argues that, in the case of personal data not related to private life, only Article 8 of the Charter should apply.

42 Judgment of 3 October 2019, A and Others (C‑70/18, EU:C:2019:823, paragraph 54 and the case-law cited).

43 Ibid. (paragraph 55 and the case-law cited). See also the Commission’s impact assessment, point 6.1 (pages 34 and 35), which points out that biometric data needs to be encrypted and that, for that purpose, cryptographic keys need to be exchanged with the specific services – namely, border guards and police.

44 Judgment in Schwarz (paragraphs 24 to 30).

45 That capture must be carried out in accordance with the technical specifications established by the Commission Decision C(2018) 7767, cited in footnote 9 above.

46 See, regarding the mandatory nature of national identity cards in the Federal Republic of Germany, Paragraph 1(1) of the PAuswG, cited in point 14 of the present Opinion.

47 Judgment in Schwarz (paragraph 33 and the case-law cited).

48 Ibid. (paragraph 34). See also judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 38).

49 See Paragraph 5(9) of the PAuswG, as set out in point 15 of the present Opinion.

50 See points 97 to 107 of the present Opinion.

51 See points 33 to 37 of the present Opinion.

52 See also the Commission’s impact assessment, point 6.1 (page 34), which further states that the exercise of fundamental political rights (Articles 39 and 40 of the Charter) as well as the exercise of the right of petition (Article 44 of the Charter) will be positively impacted by the reinforcement of the security features of national identity cards.

53 Judgment in Schwarz (paragraph 36).

54 See judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 46 and the case-law cited).

55 Ibid. (paragraph 47). See also as regards Article 8 of the ECHR, Eur. Court H.R., S. and Marper v. the United Kingdom [GC], Nos 30562/04 and 30566/04, § 102, ECHR 2008-V.

56 Judgment in Schwarz (paragraph 48).

57 Ibid.

58 See EDPS Opinion 7/2018 (page 3).

59 See, to that effect, judgment in Schwarz (paragraph 41).

60 No two people have the same fingerprints, not even identical twins. Nor do fingerprints change, even due to age, unless the deep or ‘basal’ layer is destroyed or intentionally changed by plastic surgery. There are three main fingerprint patterns, called arches, loops and whorls. The shape, size, number and arrangement of minor details in those patterns make each fingerprint unique. See, in that regard, https://www.interpol.int/How-we-work/Forensics/Fingerprints.

61 See, in that regard, recital 28 of Regulation 2019/1157, as referred to in footnote 27 of the present Opinion.

62 As I have already indicated in the present Opinion, EU law already establishes, for similar purposes, standards for security features and biometrics in passports and travel documents issued by Member States (Regulation No 2252/2004), and uniform formats for visas (Regulation No 1683/95 (OJ 1995 L 164, p. 1)) and residence permits for third-country nationals (Regulation No 1030/2002), which builds on a coherent approach by the EU legislature.

63 Judgment in Schwarz (paragraph 43 and 44), where the Court further considered, in essence, that, although it is true that the use of fingerprints as a means of ascertaining identity may not, on an exceptional basis, lead to optimal results, a mismatch in respect of the biometric data of the holder will normally draw the competent authorities’ attention to the person concerned and will result in a more detailed check of that person in order definitively to establish his or her identity.

64 See Article 5 of Regulation 2019/1157, which provides that identity cards which do not meet the requirements set out in Article 3 of that regulation must cease to be valid at their expiry or by 3 August 2031, whichever is earlier.

65 See the Commission’s impact assessment, points 5.2 and 6.1 and table 6.1, which refer to ‘Option ID 1’. That option includes a format with some common features such as the information on the card and minimum security features taking into account ICAO Doc 9303 and a chip including a mandatory facial image.

66 Judgment in Schwarz (paragraph 48).

67 Ibid. (paragraph 49).

68 By using EasyPass systems for instance. See, in that regard, Regulation (EU) 2017/2225 of the European Parliament and of the Council of 30 November 2017 amending Regulation (EU) 2016/399 as regards the use of the Entry/Exit System (OJ 2017 L 327, p. 1).

69 See the Commission’s impact assessment, point 7.1 (page 49), in which, after comparing the different alternatives in terms of effectiveness, it concludes that the combination of a facial image and two fingerprints is more effective at achieving the specific objectives of reducing document fraud and improving document authentication. See also point 7.4 (page 56) of that same document, which states that, for the purpose of improving the acceptance of national identity cards and, therefore, of facilitating the objective of free movement, the combination of a facial image and two fingerprints is preferred over the requirement of a sole facial image.

70 Maltoni, D. et al., Handbook of fingerprint recognition, 2nd edition, Springer, 2009, p. 53.

71 By contrast, Member States have standarised instruments for the interoperability of the biometric identifiers concerned by Regulation 2019/1157. See, in that regard, Article 3(6) of that regulation and Commission Decision C(2018) 7767.

72 See recital 23 of Regulation 2019/1157.

73 ‘Machine readable travel documents’, DOC 9303, 8th edition, ICAO, 2021 (Part 9, Chapter 4).

74 Even 10 fingerprints can be considered proportionate. See, to that effect, judgment of 3 October 2019, A and Others (C‑70/18, EU:C:2019:823, paragraph 58).

75 See judgment in Schwarz, (paragraph 55). See also judgment of the Eur. Court H.R., S. and Marper v. the United Kingdom [GC], Nos 30562/04 and 30566/04, § 103, ECHR 2008-V.

76 Judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 54 et seq.).

77 See also recital 22 of Regulation 2019/1157.

78 Adopted by the United Nations General Assembly in its resolution 44/25 of 20 November 1989; it entered into force on 2 September 1990.

79 See, in particular, Annex III to Commission Decision C(2018) 7767, point 5, under the heading ‘Data security and integrity issues’.

80 See Article 11(7) of Regulation 2019/1157, which further requires that Member States must communicate annually to the Commission a list of the competent authorities with access to the biometric data. The Commission must publish online a compilation of such national lists.

81 See recital 19 of Regulation 2019/1157. See also Article 4(3) of Regulation No 2252/2004, which establishes the same limited use for passports and travel documents.

82 As explained by the Commission during the hearing, it follows from Commission Decision C(2018) 7767 that, for the purposes of the authentication of the terminal, the reading machine sends its reading authorisation in the form of various digital certificates to the chip of the identity card. The chip in the identity card can thus check the authenticity of the terminal certificate. This means in practice that only the competent authorities listed in Article 11(7) of Regulation 2019/1157 and no other authority or person can access biometric data

83 See Interinstitutional file of 22 February 2019, which declares that ‘the compromise text maintains all the key elements of the Council negotiating mandate, most notably: … the ability of Member States to set up and maintain biometric databases in line with national legislation’, available at https://data.consilium.europa.eu/doc/document/ST6412-2019-INIT/en/pdf.

84 See also, in that regard, the Commission’s impact assessment, point 6 (pages 33 and 35), which states that ‘nothing in these initiatives shall provide a legal basis for the centralised storage of data collected … or for the use of such data for purposes other than that of verifying the authenticity of the document and the identity of the holder …’, and that ‘any implementation will have to be compatible with EU law and the fundamental rights it protects’.

85 See footnote 11 above.

86 See, to that effect, judgment of 28 June 2012, Commission v Éditions Odile Jacob (C‑404/10 P, EU:C:2012:393, paragraph 110), and of 29 June 2010, Commission v Bavarian Lager (C‑28/08 P, EU:C:2010:378, paragraph 56). See also Opinion of Advocate General Pitruzzella in Joined Cases Luxembourg Business Registers (C‑37/20 and C‑601/20, EU:C:2022:43, point 66).