We can celebrate victory at the first stage: The local Administrative Court where we started legal action against the obligation to store fingerprints in ID documents has referred our case to the European Court of Justice. That takes us a large step closer to our objective, which is to overturn the obligation.
On 2 August 2021, a change came into force to the German Act on Identity Cards and Electronic Identification. Since then, everybody applying for a new ID card is obliged to have prints of both their index fingers stored on the chip contained in the ID card. This was introduced to adapt the German ID Cards Act to a new EU regulation (Article 3 (5) Regulation (EU) 2019/1157). We do not believe that this EU Regulation is compatible with European law. If the European Court of Justice agrees with us and nullifies the EU Regulation, then the German law that is based on it cannot be upheld either.
Why the obligation to store fingerprints is unlawful
The Administrative Court points to three reasons why it considers the EU Regulation that enacts the storage obligation to be unlawful:
- There were formal errors in the legislative process.
- The EU Regulation is not compatible with European fundamental rights.
- The legislator did not conduct a privacy impact assessment, which would have been required due to the high risk involved.
1. Formal errors
The Administrative Court acknowledges that formal errors were made, as we pointed out in our legal argumentation. To summarise briefly: The EU Regulation was created using the so-called ordinary legislative procedure. But in this case, a special legislative procedure which imposes stricter requirements was needed (more details in the Court’s decision from p. 17, paragraph 29 [German]).
2. In violation of fundamental rights
The Administrative Court agrees with us that the obligation to store fingerprints is not compatible with the fundamental right to respect for private and family life, and with the right to the protection of personal data (Art. 7 and 8 of the Charter of Fundamental Rights of the European Union).
- Art. 8 par. 2 CFR stipulates that personal data can only be processed with consent of the person concerned, or some other legitimate basis laid down in law. Since having an ID card is compulsory in Germany, voluntary consent cannot be assumed. (Administrative Court decision, p. 20, par. 43)
- Just because we have an obligation to store fingerprints in passports, it does not follow that this is legitimate for ID cards as well. These are two very different documents. For example, ID cards are not only shown for crossing a border but also in many everyday situations, e.g. when banks or airlines ask their customers for identification. Further, ID cards are mandatory in Germany, which is not the case for passports. The incursion into fundamental rights is therefore more severe with ID cards than with passports. (p. 19–21, par. 47–51)
- It is not proven that storing fingerprints on ID cards increases their security from falsification. If the fingerprints taken from a person match those on an ID card, it only shows that the card belongs to the person. But the match does not prove that the ID card, and thus the identity of the person, is genuine. Biometric data may make it harder to produce a fake, but that alone does not justify this severe incursion. (p. 25 / par. 57)
- An ID card with a damaged chip is still valid in Germany. The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) comments: “The security of the ID document is safeguarded by its physical security features”. That is a clear own goal. The Administrative Court adds: “If the security is guaranteed by physical security features alone (in particular, micro inscriptions, UV imprints etc), then the question whether fingerprints need to be stored becomes all the more urgent”. (p. 25 / par. 58)
- What is stored on the ID cards are full images of the fingerprints. That contradicts the principle of data minimisation laid down in the GDPR. There are “frugal” methods for fingerprint matching that require only certain parts of the fingerprints. Storing the complete fingerprint increases the risk of identity theft in the case of a data leak. (p. 26f / par. 60–61)
- The RFID chips used in ID cards could potentially be read out by unauthorised scanners. Whether this will expose us to a data leak of our fingerprints for the rest of our lives then wholly depends on the security of the technology used to transmit and encrypt the data on the RFID chip. (p. 27 / par. 62)
3. No impact assessment
If data processing foreseeably creates a high risk for persons’ rights and freedoms, the General Data Protection Regulation (GDPR) requires a privacy impact assessment. That was already expressed by the European Data Protection Supervisor in an opinion on the plans to introduce fingerprint storage in ID cards. Biometric data are considered particularly sensitive and require special protection. But this point, according to the Court, was hardly taken into account in the legislation. The Court therefore comes to a clear conclusion and critique: The failure to conduct an impact assessment must make the legal norm invalid, because “otherwise the norm’s creator would be rewarded for their malpractice”. (p. 27–28 / par. 65–69)
The case will now be brought before the European Court of Justice. However, it will be a while until a ruling is issued. Besides us as plaintiffs, the EU Member States, the Commission and the Advocate General can submit opinions to the ECJ.
So while we have succeeded on this first stage, the real contest is yet to come. We need your help to make it through! Please support our legal action with a donation.
- Regulation (EU) 2019/1157 of the European Parliament and of the Council of 20 June 2019 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement: https://data.europa.eu/eli/reg/2019/1157/oj
- Act on Identity Cards and Electronic Identification (Personalausweisgesetz, PAuswG) – Translation by the Language Service of the Federal Ministry of the Interior: https://www.gesetze-im-internet.de/englisch_pauswg/englisch_pauswg.html
- German original: https://www.gesetze-im-internet.de/pauswg/__5.html
- Charter of fundamental rights of the European Union: https://www.europarl.europa.eu/charter/pdf/text_en.pdf