Case C‑291/12

Michael Schwarz

v

Stadt Bochum

(Request for a preliminary ruling from the Verwaltungsgericht Gelsenkirchen)

‛Reference for a preliminary ruling — Area of freedom, security and justice — Biometric passport — Fingerprints — Regulation (EC) No 2252/2004 — Article 1(2) — Validity — Legal basis — Procedure for adopting — Articles 7 and 8 of the Charter of Fundamental Rights of the European Union — Right to respect for private life — Right to the protection of personal data — Proportionality’

Summary — Judgment of the Court (Fourth Chamber), 17 October 2013

1. Border controls, asylum and immigration — Crossing of the external borders of the Member States — Common rules on standards and procedures for carrying out checks — Passports and travel documents issued by Member States — Regulation No 2252/2004 on standards for security features and biometrics in those passports and documents — Legal basis — Authority of the EU legislature — Introduction of security features for the passports of both third-country nationals and EU citizens

   (Art. 62(2)(a) EC; Council Regulation No 2252/2004)

2. Acts of the institutions — Procedure for adopting — Consultation of Parliament — No consultation — Act replaced by a new act adopted following the joint decision procedure — Ineffective ground

   (Arts 62(2)(a) EC and 67(1) EC)

3. Fundamental rights — Charter of Fundamental Rights of the European Union — Respect for private life — Protection of personal data — Concept of personal data — Collection and storage of fingerprints in the passports of EU citizens — Included — Threats to rights recognised by Articles 7 and 8 of the Charter

   (Charter of Fundamental Rights of the European Union, Arts 7 and 8; Council Regulation No 2252/2004, Art. 1(2))

4. Border controls, asylum and immigration — Crossing of the external borders of the Member States — Common rules on standards and procedures for carrying out checks — Passports and travel documents issued by Member States — Regulation No 2252/2004 on standards for security features and biometrics in those passports and documents — Collection and storage of fingerprints in the passports of EU citizens — Respect for private life — Protection of personal data — Limitations — Conditions — Absence

   (Charter of Fundamental Rights of the European Union, Arts 7, 8 and 52(1); Council Regulation No 2252/2004, Arts 1(2) and 4(3))

1.  It is clear from both the wording and the aim of Article 62(2)(a) EC, which was part of Title IV of the EC Treaty, that this provision authorised the Council to regulate how checks were to be carried out at the external borders of the European Union in order to ascertain the identity of persons crossing those borders. Such checks necessarily requiring documents to be presented that make it possible to establish that identity, Article 62(2)(a) EC therefore authorised the Council to adopt legal provisions relating to such documents and to passports in particular.

   As regards the authority of the EU legislature in that area, it should be noted, first, that the provision — which referred to checks on ‘persons’ without providing further details — was intended to cover not only third-country nationals, but also citizens of the Union and, hence, their passports.

   Second, harmonised security standards for passports of EU citizens may be required in order to avoid passports having security features which lag behind those provided for by the uniform format for visas and residence permits for third-country nationals. In those circumstances, the EU legislature has the authority to provide for similar security features in respect of passports held by EU citizens, in so far as such authority helps to prevent those passports from becoming targets for falsification or fraudulent use.

   (see paras 17-19)

2.  See the text of the decision.

   (see paras 21, 22)

3.  Article 7 of the Charter of Fundamental Rights of the European Union states that everyone has the right to respect for his or her private life. Under Article 8(1) thereof, everyone has the right to the protection of personal data concerning him or her. It follows from a joint reading of those articles that, as a general rule, any processing of personal data by a third party may constitute a threat to those rights. Fingerprints constitute personal data, as they objectively contain unique information about individuals which allows those individuals to be identified with precision. Applying Article 1(2) of Regulation No 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States means that national authorities are to take a person’s fingerprints and that those fingerprints are to be kept in the storage medium in that person’s passport. Such measures must therefore be viewed as a processing of personal data and a threat to the rights to respect for private life and the protection of personal data.

   (see paras 24, 25, 27, 29, 30)

4.  Regarding whether threats to the rights enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, which are not absolute rights, can be justified, it should be borne in mind, first, that the limitation arising from the taking and storing of fingerprints when issuing passports must be considered to be provided for by law, for the purposes of Article 52(1) of the Charter, since those operations are provided for by Article 1(2) of Regulation No 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States. Moreover, by preventing the falsification of passports and by preventing fraudulent use thereof, that is to say, use by persons other than their genuine holders, Article 1(2) is designed to prevent, inter alia, illegal entry into the European Union and pursues an objective of general interest recognised by the Union.

   Next, the taking and storing of fingerprints referred to in Article 1(2) of Regulation No 2252/2004 are appropriate for attaining the aims pursued by that regulation and, by extension, the objective of preventing illegal entry to the European Union.

   First, although the method of ascertaining identity using fingerprints is not wholly reliable, as it does not prevent all unauthorised persons from being accepted, it significantly reduces the likelihood of such acceptance that would exist if that method were not used. Second, a mismatch between the fingerprints of the holder of a passport and the data in that document does not mean that the person concerned will automatically be refused entry to the European Union. A mismatch of that kind will simply result in a more detailed check in order definitively to establish the identity of that person.

   Lastly, as regards whether such processing is necessary, the Court has not been made aware of any measures which would be both sufficiently effective in helping to achieve the aim of protecting against the fraudulent use of passports and less of a threat to the rights recognised by Articles 7 and 8 of the Charter than the measures deriving from the method based on the use of fingerprints. Article 1(2) of Regulation No 2252/2004 does not require the processing of any fingerprints taken to go beyond what is necessary to achieve that aim. Indeed, Article 4(3) of that regulation explicitly states that fingerprints may be used only for verifying the authenticity of a passport and the identity of its holder, and Article 1(2) of Regulation No 2252/2004 makes it clear that that regulation ensures protection against the risk of data including fingerprints being read by unauthorised persons and does not provide for the storage of fingerprints except within the passport itself, which belongs to the holder alone.

   (see paras 33, 35-38, 42-45, 53, 54, 56, 57, 60)

Case C‑291/12

Michael Schwarz

v

Stadt Bochum

(Request for a preliminary ruling from the Verwaltungsgericht Gelsenkirchen)

‛Reference for a preliminary ruling — Area of freedom, security and justice — Biometric passport — Fingerprints — Regulation (EC) No 2252/2004 — Article 1(2) — Validity — Legal basis — Procedure for adopting — Articles 7 and 8 of the Charter of Fundamental Rights of the European Union — Right to respect for private life — Right to the protection of personal data — Proportionality’

Summary — Judgment of the Court (Fourth Chamber), 17 October 2013

1. Border controls, asylum and immigration — Crossing of the external borders of the Member States — Common rules on standards and procedures for carrying out checks — Passports and travel documents issued by Member States — Regulation No 2252/2004 on standards for security features and biometrics in those passports and documents — Legal basis — Authority of the EU legislature — Introduction of security features for the passports of both third-country nationals and EU citizens

   (Art. 62(2)(a) EC; Council Regulation No 2252/2004)

2. Acts of the institutions — Procedure for adopting — Consultation of Parliament — No consultation — Act replaced by a new act adopted following the joint decision procedure — Ineffective ground

   (Arts 62(2)(a) EC and 67(1) EC)

3. Fundamental rights — Charter of Fundamental Rights of the European Union — Respect for private life — Protection of personal data — Concept of personal data — Collection and storage of fingerprints in the passports of EU citizens — Included — Threats to rights recognised by Articles 7 and 8 of the Charter

   (Charter of Fundamental Rights of the European Union, Arts 7 and 8; Council Regulation No 2252/2004, Art. 1(2))

4. Border controls, asylum and immigration — Crossing of the external borders of the Member States — Common rules on standards and procedures for carrying out checks — Passports and travel documents issued by Member States — Regulation No 2252/2004 on standards for security features and biometrics in those passports and documents — Collection and storage of fingerprints in the passports of EU citizens — Respect for private life — Protection of personal data — Limitations — Conditions — Absence

   (Charter of Fundamental Rights of the European Union, Arts 7, 8 and 52(1); Council Regulation No 2252/2004, Arts 1(2) and 4(3))

1.  It is clear from both the wording and the aim of Article 62(2)(a) EC, which was part of Title IV of the EC Treaty, that this provision authorised the Council to regulate how checks were to be carried out at the external borders of the European Union in order to ascertain the identity of persons crossing those borders. Such checks necessarily requiring documents to be presented that make it possible to establish that identity, Article 62(2)(a) EC therefore authorised the Council to adopt legal provisions relating to such documents and to passports in particular.

   As regards the authority of the EU legislature in that area, it should be noted, first, that the provision — which referred to checks on ‘persons’ without providing further details — was intended to cover not only third-country nationals, but also citizens of the Union and, hence, their passports.

   Second, harmonised security standards for passports of EU citizens may be required in order to avoid passports having security features which lag behind those provided for by the uniform format for visas and residence permits for third-country nationals. In those circumstances, the EU legislature has the authority to provide for similar security features in respect of passports held by EU citizens, in so far as such authority helps to prevent those passports from becoming targets for falsification or fraudulent use.

   (see paras 17-19)

2.  See the text of the decision.

   (see paras 21, 22)

3.  Article 7 of the Charter of Fundamental Rights of the European Union states that everyone has the right to respect for his or her private life. Under Article 8(1) thereof, everyone has the right to the protection of personal data concerning him or her. It follows from a joint reading of those articles that, as a general rule, any processing of personal data by a third party may constitute a threat to those rights. Fingerprints constitute personal data, as they objectively contain unique information about individuals which allows those individuals to be identified with precision. Applying Article 1(2) of Regulation No 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States means that national authorities are to take a person’s fingerprints and that those fingerprints are to be kept in the storage medium in that person’s passport. Such measures must therefore be viewed as a processing of personal data and a threat to the rights to respect for private life and the protection of personal data.

   (see paras 24, 25, 27, 29, 30)

4.  Regarding whether threats to the rights enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, which are not absolute rights, can be justified, it should be borne in mind, first, that the limitation arising from the taking and storing of fingerprints when issuing passports must be considered to be provided for by law, for the purposes of Article 52(1) of the Charter, since those operations are provided for by Article 1(2) of Regulation No 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States. Moreover, by preventing the falsification of passports and by preventing fraudulent use thereof, that is to say, use by persons other than their genuine holders, Article 1(2) is designed to prevent, inter alia, illegal entry into the European Union and pursues an objective of general interest recognised by the Union.

   Next, the taking and storing of fingerprints referred to in Article 1(2) of Regulation No 2252/2004 are appropriate for attaining the aims pursued by that regulation and, by extension, the objective of preventing illegal entry to the European Union.

   First, although the method of ascertaining identity using fingerprints is not wholly reliable, as it does not prevent all unauthorised persons from being accepted, it significantly reduces the likelihood of such acceptance that would exist if that method were not used. Second, a mismatch between the fingerprints of the holder of a passport and the data in that document does not mean that the person concerned will automatically be refused entry to the European Union. A mismatch of that kind will simply result in a more detailed check in order definitively to establish the identity of that person.

   Lastly, as regards whether such processing is necessary, the Court has not been made aware of any measures which would be both sufficiently effective in helping to achieve the aim of protecting against the fraudulent use of passports and less of a threat to the rights recognised by Articles 7 and 8 of the Charter than the measures deriving from the method based on the use of fingerprints. Article 1(2) of Regulation No 2252/2004 does not require the processing of any fingerprints taken to go beyond what is necessary to achieve that aim. Indeed, Article 4(3) of that regulation explicitly states that fingerprints may be used only for verifying the authenticity of a passport and the identity of its holder, and Article 1(2) of Regulation No 2252/2004 makes it clear that that regulation ensures protection against the risk of data including fingerprints being read by unauthorised persons and does not provide for the storage of fingerprints except within the passport itself, which belongs to the holder alone.

   (see paras 33, 35-38, 42-45, 53, 54, 56, 57, 60)