A morning in the main courtroom of the Court of Justice of the European Union in Luxemburg: 15 judges in dark red robes enter and open the session.
Our hearing in the case against mandatory fingerprints for identity cards took place within an impressive setting. Even for Court of Justice of the European Union standards our hearing was special: it is only on rare and particularly important occasions that the Court meets in this large composition to hear a case.
Digitalcourage is contesting a European regulation that made it mandatory in all of the EU to have fingerprints stored on our ID cards. We believe it is a disproportionate infringement on our civil rights. It treats every EU citizen like a potential criminal and endangers the security of our biometric data. Our lawsuit against the fingerprint ID obligation started in Germany, but we hope that the Court of Justice of the European Union will remove this obligation from all European citizens. The ruling in this case will affect around 380 million EU citizens.
Early on in the hearing there was a lot of opposition against us. For three hours, representatives of the Council, the Commission, and the Parliament as well as of the governments of Belgium and Spain aimed to defend mandatory fingerprint IDs. Some statements were quite telling: The representative for Spain argued that fingerprints were less invasive than hair or tissue samples. He continued by stating that visible ink fingerprints had been put on identity cards in Spain in the past. Compared to that it would surely be an improvement in data security if fingerprints were stored on a chip and not directly visible to the eye. This argument involves a significant amount of historical amnesia. These fingerprint-bearing Spanish identity documents were first introduced by Spanish dictator Francisco Franco. During his time in power he executed hundreds of thousands of supposed or actual adversaries and interned around 1.5 million political prisoners in concentration camps.
The mood among the judges was very different. They put very rigorous questions to the other parties in the case. One alarming loophole, among other concerns: The EU regulation in question allows for fingerprints to be used for other purposes than the production of identity cards if other legislation at EU or national level provides so. This may amount to a wide-open backdoor to circumvent purpose limitation. Member states could use this backdoor to access the stored fingerprints on the basis of other laws. One of the judges was perceivably irritated and repeatedly questioned how this could be. No satisfying answer was given by any of the persons he asked.
The uncomfortable questions continued. The local authorities responsible for issuing identity cards may store collected fingerprints for up to 90 days. There is a risk that authorities may be hacked and data stolen during this time. The judge asked whether legislators had considered this risk and could provide evidence. Silence.
A representative of the EU Council tried to shift the responsibility for the security of the data within this period to the member states. Later, she admitted that the deadline was a weak point of the regulation and resulted from a compromise in the negotiations in the Council.
Some of the arguments put forward by the other participants in the proceedings during the hearing suggested little understanding of data security and encryption technologies. For example, the EU Commission claimed that the fingerprints would be stored on a highly secure medium that could not be cracked. At Digitalcourage we consider this assessment to be short-sighted. Many technologies that were initially classified as secure were outdated a short time later - for example, due to increasing computing power. One of the judges also noted that there is no such thing as perfect security, saying that the question is not whether a system can be cracked, but with how much effort.
One judge commented that the European legislator, with the aim of increasing the security of the ID cards, has de facto created a new vulnerability here and noted that the security provisions made for this period are very weak.
The EU institutions were unable to provide sufficient explanation how risk to biometric data of the citizens affected can be excluded. In our opinion this is impossible to exclude: once biometric data is collected, there is an inherent risk that data may be leaked and information misused.
"Even after several inquiries, the Commission and the Council could not explain how a danger to the biometric data of the citizens concerned is to be prevented. The truth is: This cannot be prevented at all. Once the data is collected, there is a risk of data leaks and abuse. Therefore there should not be an obligation to store fingerprints in IDs in the first place",
explains Konstantin Macher of Digitalcourage.
This is why we should put an end to mandatory fingerprint IDs! Digitalcourage is committed to win this lawsuit. But this kind of work has its costs – for legal advice, travel fees, or public outreach for example. We need financial security to be able to sustain this fight until the end. So please support our work with your membership or an individual donation:
The next step in our case will be the delivery of the opinion of the Advocate General on 29 June, 2023. At the time of writing, no date has been set for the delivery of a judgment. The suspense continues – but after the hearing we are optimistic!