Why the obligation to store fingerprints is unlawful

The Administrative Court points to three reasons why it considers the EU Regulation that enacts the storage obligation to be unlawful:

1. There were formal errors in the legislative process.  
2. The EU Regulation is not compatible with European fundamental rights.  
3. The legislator did not conduct a privacy impact assessment, which would have been required due to the high risk involved.

2. In violation of fundamental rights

The Administrative Court agrees with us that the obligation to store fingerprints is not compatible with the fundamental right to respect of private and family life, and the right to the protection of personal data concerning them (Art. 7 and 8 of the Charter of Fundamental Rights of the European Union).

• Art. 8 par. 2 CFR stipulates that personal data can only be processed with consent of the person concerned, or some other legitimate basis laid down in law. Since having an ID card is compulsory in Germany, voluntary consent can not be assumed. (Administrative Court decision, p. 20, par. 43)
• Just because we have an obligation to store fingerprints in passports, it does not follow that this is legitimate for ID cards as well. These are two very different documents. For example, ID cards are not only shown for crossing a border but also in many every-day situations, e.g. when banks or airlines ask their customers for identification. Further, ID cards are mandatory in Germany, which is not the case for passports. The incursion into fundamental rights is therefore more severe with ID cards than with passports. (p. 19–21, par. 47–51)

• It is not proven that storing fingerprints on ID cards increases their security from falsification. If the fingerprints taken from a person match those on an ID card, it only shows that the card belongs to the person. But the match does not prove that the ID card, and thus the identity of the person, is genuine. Biometric data may make it harder to produce a fake, but that alone does not justify this severe incursion. (p. 25 / par. 57)

• An ID card with a damaged chip is still valid in Germany. The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) comments: “The security of the ID document is safeguarded by its physicial security features”. That is a clear own goal. The Administrative Court extends: “If the security is guaranteed by physical security features alone (in particular, micro inscriptions, UV imprints etc), then the question whether fingerprints need to be stored becomes all the more urgent”. (p. 25 / par. 58)

• What is stored on the ID cards are full images of the fingerprints. That contradicts the principle of data minimisation laid down in the GDPR. There are “frugal” methods for fingerprint matching that require only certain parts of the fingerprints. Storing the complete fingerprint increases the risk of identity theft in the case of a data leak. (p. 26f / par. 60–61)
• The RFID chips used in ID cards could potentially be read out by unauthorised scanners. Whether this will expose us to a data leak of our fingerprints for the rest of our lives then wholly depends on the security of the technology used to transmit and ecrypt the data on the RFID chip. (p. 27 / par. 62)