The clock is ticking for mandatory fingerprints in ID cards
For several years now, we receive calls and letters almost every day from people who – just like us – do not want to be treated like criminal suspects when they apply for a new ID card.
Since 2021, two fingerprints have to be submitted and stored on the chip of all new ID cards in Germany (and across the EU). We took legal action against this – now, the ruling by the European Court of Justice has been issued.
Our summary of the ECJ’s judgment:
The EU regulation that created mandatory inclusion of fingerprints in ID cards was adopted on an incorrect legal basis and is therefore invalid. A success for Digitalcourage!
But the fingerprint obligation was allowed to remain in effect until the end of 2026.
So for now, all EU citizens applying for a new ID card still have to submit their fingerprints.
But the clock is ticking: If no new regulation comes into force until the end of 2026, the obligation for the inclusion of fingerprints will expire. Passing such a new regulation will be more difficult this time, as the correct legal basis means that any single EU Member State can block the regulation.
Therefore: The issue is back on the political agenda!
Many thanks to everyone who made our lawsuit possible by supporting us! We must now keep going to convince EU Member State governments to vote against mandatory fingerprints. Lend us your voice through a donation.
The ECJ ruled that the current EU regulation is invalid for formal reasons. That is a success. But we would have wished for the court to throw out mandatory fingerprinting in general because it is incompatible with our fundamental rights as citizens of the European Union.
Regrettably, our objections on security grounds were swept aside. There are major weaknesses in the EU regulation that created mandatory fingerprints. The fingerprints are not deleted as soon as the ID card has been produced. Instead, the local authorities that registered the fingerprints are allowed to store them for up to 90 days. These data are therefore exposed to the risk of theft through hacking or leaks while they are stored by local authorities.
Even worse: the regulation allows for the fingerprints to be used for purposes other than ID cards – if, for example, national law provides for it. In effect, the EU created a backdoor and left it wide open, but does not want to be responsible for any consequences. Unfortunately, the ECJ did not step in to close this backdoor.
The EU has now been given time until 31 Dec 2026 to come up with a new regulation and adopt it via a special legislative procedure. This procedure requires unanimity in the EU Council (the representation of Member State governments). This means: If we can find support in the Council for our position on fundamental rights and our concerns about the security risks of fingerprint collections, there will be no new EU regulation. This is not unrealistic: If the correct procedure had been followed for the original regulation in 2019, it would not have been adopted, because there were two no-votes in the Council at the time. We have a chance!
