JUDGMENT OF THE COURT (Fourth Chamber)
17 October 2013 (*)
(Reference for a preliminary ruling – Area of freedom, security and justice – Biometric passport – Fingerprints – Regulation (EC) No 2252/2004 – Article 1(2) – Validity – Legal basis – Procedure for adopting – Articles 7 and 8 of the Charter of Fundamental Rights of the European Union – Right to respect for private life – Right to the protection of personal data – Proportionality)
In Case C-291/12,
REQUEST for a preliminary ruling under Article 267 TFEU from the Verwaltungsgericht Gelsenkirchen (Germany), made by decision of 15 May 2012, received at the Court on 12 June 2012, in the proceedings
Michael Schwarz
v
Stadt Bochum,
THE COURT (Fourth Chamber),
composed of L. Bay Larsen, President of the Chamber, M. Safjan, J. Malenovský (Rapporteur), U. Lõhmus and A. Prechal, Judges,
Advocate General: P. Mengozzi,
Registrar: K. Malacek, Administrator,
having regard to the written procedure and further to the hearing on 13 March 2013,
after considering the observations submitted on behalf of:
– Mr Schwarz, on his own behalf, and by W. Nešković, Rechtsanwalt,
– the Stadt Bochum, by S. Sondermann, acting as Agent,
– the German Government, by T. Henze and A. Wiedmann, acting as Agents,
– the Polish Government, by B. Majczyna, acting as Agent,
– the European Parliament, by U. Rösslein and P. Schonard, acting as Agents,
– the Council of the European Union, by I. Gurov and Z. Kupčová, acting as Agents,
– the European Commission, by B. Martenczuk and G. Wils, acting as Agents,
after hearing the Opinion of the Advocate General at the sitting on 13 June 2013,
gives the following
Judgment
1 This request for a preliminary ruling concerns the validity of Article 1(2) of Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States (OJ 2004 L 385, p. 1), as amended by Regulation (EC) No 444/2009 of the European Parliament and of the Council of 6 May 2009 (OJ 2009 L 142, p. 1; corrigendum: OJ 2009 L 188, p. 127) (‘Regulation No 2252/2004’).
2 The request has been made in proceedings between Mr Schwarz and the Stadt Bochum (city of Bochum) concerning the latter’s refusal to issue him with a passport unless his fingerprints were taken at the same time so that they could be stored on that passport.
Legal context
3 Article 2 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31) provides:
‘For the purposes of this Directive:
(a) “personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
(b) “processing of personal data” (“processing”) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
…’
4 Article 7(e) of Directive 95/46 provides:
‘Member States shall provide that personal data may be processed only if:
…
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed’.
5 Recitals 2, 3 and 8 in the preamble to Regulation No 2252/2004 state:
‘(2) Minimum security standards for passports were introduced by a Resolution of the representatives of the Governments of the Member States, meeting within the Council, on 17 October 2000 [supplementing the resolutions of 23 June 1981, 30 June 1982, 14 July 1986 and 10 July 1995 as regards the security characteristics of passports and other travel documents (OJ 2000 C 310, p. 1)]. It is now appropriate to upgrade this Resolution by a Community measure in order to achieve enhanced harmonised security standards for passports and travel documents to protect against falsification. At the same time biometric identifiers should be integrated in the passport or travel document in order to establish a reliable link between the genuine holder and the document.
(3) The harmonisation of security features and the integration of biometric identifiers is an important step towards the use of new elements in the perspective of future developments at European level, which render the travel document more secure and establish a more reliable link between the holder and the passport and the travel document as an important contribution to ensuring that it is protected against fraudulent use. The specifications of the International Civil Aviation Organisation (ICAO), and in particular those set out in Document 9303 on machine readable travel documents, should be taken into account.
…
(8) With regard to the personal data to be processed in the context of passports and travel documents, Directive [95/46] applies. It should be ensured that no further information shall be stored in the passport unless provided for in this Regulation, its annex or unless it is mentioned in the relevant travel document.’
6 Under recital 5 in the preamble to Regulation No 444/2009:
‘Regulation [No 2252/2004] requires biometric data to be collected and stored in the storage medium of passports and travel documents with a view to issuing such documents. This is without prejudice to any other use or storage of these data in accordance with national legislation of Member States. Regulation [No 2252/2004] does not provide a legal base for setting up or maintaining databases for storage of those data in Member States, which is strictly a matter of national law.’
7 Under Article 1(1) to (2a) of Regulation No 2252/2004:
‘1. Passports and travel documents issued by Member States shall comply with the minimum security standards set out in the Annex.
…
2. Passports and travel documents shall include a highly secure storage medium which shall contain a facial image. Member States shall also include two fingerprints taken flat in interoperable formats. The data shall be secured and the storage medium shall have sufficient capacity and capability to guarantee the integrity, the authenticity and the confidentiality of the data.
2a. The following persons shall be exempt from the requirement to give fingerprints:
(a) Children under the age of 12 years.
…
(b) persons, where fingerprinting is physically impossible.’
8 Article 2(a) of that regulation provides:
‘Additional technical specifications … for passports and travel documents relating to the following shall be established in accordance with the procedure referred to in Article 5(2):
(a) additional security features and requirements including enhanced anti-forgery, counterfeiting and falsification standards’.
9 Article 3(1) of that regulation provides:
‘In accordance with the procedure referred to in Article 5(2) it may be decided that the specifications referred to in Article 2 shall be secret and not be published. In that case, they shall be made available only to the bodies designated by the Member States as responsible for printing and to persons duly authorised by a Member State or the [European] Commission.’
10 Under Article 4(3) of that regulation:
‘Biometric data shall be collected and stored in the storage medium of passports and travel documents with a view to issuing such documents. For the purpose of this Regulation the biometric features in passports and travel documents shall only be used for verifying:
(a) the authenticity of the passport or travel document;
(b) the identity of the holder by means of directly available comparable features when the passport or travel document is required to be produced by law.
The checking of the additional security features shall be carried out without prejudice to Article 7(2) of Regulation (EC) No 562/2006 of the European Parliament and of the Council of 15 March 2006 establishing a Community Code on the rules governing the movement of persons across borders (Schengen Borders Code) [(OJ 2006 L 105, p. 1)]. The failure of the matching in itself shall not affect the validity of the passport or travel document for the purpose of the crossing of external borders.’
The dispute in the main proceedings and the question referred for a preliminary ruling
11 Mr Schwarz applied to the Stadt Bochum for a passport, but refused at that time to have his fingerprints taken. After the Stadt Bochum rejected his application, Mr Schwarz brought an action before the referring court in which he requested that the city be ordered to issue him with a passport without taking his fingerprints.
12 Before that court, Mr Schwarz disputes the validity of the regulation (Regulation No 2252/2004) which created the obligation to take the fingerprints of persons applying for passports. He submits that that regulation does not have an appropriate legal basis and is vitiated by a procedural defect. In addition, he claims that Article 1(2) of that regulation infringes the right to the protection of personal data laid down, in general terms, in Article 7 of the Charter of Fundamental Rights of the European Union (‘the Charter’), which relates to the right to respect for private life, and explicitly in Article 8 thereof.
13 In those circumstances the Verwaltungsgericht Gelsenkirchen (Administrative Court, Gelsenkirchen) decided to stay the proceedings and to refer the following question to the Court of Justice for a preliminary ruling:
‘Is Article 1(2) of [Regulation No 2252/2004] to be considered valid?’
Consideration of the question referred
14 By its question, read in the light of the order for reference, the referring court asks, in essence, whether Article 1(2) of Regulation No 2252/2004 is invalid on the grounds, in the first place, that the regulation has an inappropriate legal basis; in the second, that the procedure for adopting that regulation is vitiated by a defect and, in the third, that Article 1(2) of that regulation breaches certain fundamental rights of the holders of passports issued in accordance with that provision.
Legal basis of Regulation No 2252/2004
15 The referring court seeks to establish whether it was permissible for the Council to adopt Regulation No 2252/2004 on the basis of Article 62(2)(a) EC, given that that provision does not explicitly refer to any power to regulate issues relating to passports and travel documents issued to citizens of the Union (‘passports’).
16 In that regard, it should be noted that Article 62(2)(a) EC, in the version applicable from 1 May 1999 to 30 November 2009, on the basis of which Regulation No 2252/2004 was adopted, was part of Title IV of the EC Treaty, entitled ‘Visas, asylum, immigration and other policies related to free movement of persons’. That provision stated that the Council of the European Union, acting in accordance with the procedure referred to in Article 67 EC, was, within a period of five years after the entry into force of the Treaty of Amsterdam, to adopt ‘measures on the crossing of the external borders of the Member States which shall establish … standards and procedures to be followed by Member States in carrying out checks on persons at such borders’.
17 It is clear from both the wording and the aim of Article 62(2)(a) EC that this provision authorised the Council to regulate how checks were to be carried out at the external borders of the European Union in order to ascertain the identity of persons crossing those borders. Such checks necessarily requiring documents to be presented that make it possible to establish that identity, Article 62(2)(a) EC therefore authorised the Council to adopt legal provisions relating to such documents and to passports in particular.
18 As to whether Article 62(2)(a) EC authorised the Council to adopt measures establishing standards and procedures in connection with the issuing of passports to citizens of the Union, it should be noted, first, that the provision referred to checks on ‘persons’ without providing further details. Thus, it must be presumed that the provision was intended to cover not only third-country nationals, but also citizens of the Union and, hence, their passports.
19 Second, as also confirmed by the Explanatory Memorandum to the proposal for a Council Regulation on standards for security features and biometrics in EU citizens’ passports [(COM(2004) 116 final)] as submitted by the Commission, harmonised security standards for passports may be required in order to avoid passports having security features which lag behind those provided for by the uniform format for visas and residence permits for third-country nationals. In those circumstances, the EU legislature has the authority to provide for similar security features in respect of passports held by EU citizens, in so far as such authority helps to prevent those passports from becoming targets for falsification or fraudulent use.
20 It follows that Article 62(2)(a) EC was an appropriate legal basis for adopting Regulation No 2252/2004 and, in particular, Article 1(2) thereof.
Procedure for adopting Regulation No 2252/2004
21 The referring court seeks to establish whether Article 1(2) of Regulation No 2252/2004 is valid in view of the procedural requirements listed in Article 67(1) EC. In that regard, that court refers to the line of argument put forward by the applicant, who is of the view that, contrary to the requirements of the latter provision, the European Parliament was not properly consulted in the course of the legislative procedure. According to Mr Schwarz, the Commission’s proposal submitted to the Parliament for consultation purposes provided for the storage of images of fingerprints on passports to be merely an option for the Member States, changing into an obligation after the Parliament had been consulted. That represented a significant amendment; as a result, under Article 67 EC, further consultation of the Parliament was necessary.
22 However, it is common ground that Regulation No 444/2009 has replaced the wording of Article 1(2) of Regulation No 2252/2004 – on the subject of which, according to the applicant, the Parliament was not consulted – with new wording which reproduces the obligation to store images of fingerprints in passports. Regulation No 444/2009 being applicable to the facts in the case before the referring court and adopted following the joint decision procedure and, so, with the full involvement of the Parliament in its role as co-legislator, the ground for invalidity relied on by the applicant in that regard is ineffective.
Fundamental rights to respect for private life and the protection of personal data
23 First, the Court must examine whether taking fingerprints and storing them in passports, as provided for in Article 1(2) of Regulation No 2252/2004, constitutes a threat to the rights to respect for private life and the protection of personal data. If so, it must then be ascertained whether such a threat can be justified.
Whether such a threat exists
24 Article 7 of the Charter states, inter alia, that everyone has the right to respect for his or her private life. Under Article 8(1) thereof, everyone has the right to the protection of personal data concerning him or her.
25 It follows from a joint reading of those articles that, as a general rule, any processing of personal data by a third party may constitute a threat to those rights.
26 From the outset, it should be borne in mind that the right to respect for private life with regard to the processing of personal data concerns any information relating to an identified or identifiable individual (Joined Cases C-92/09 and C-93/09 Volker und Markus Schecke and Eifert [2010] ECR I-11063, paragraph 52, and Joined Cases C-468/10 and C-469/10 ASNEF and FECEMD [2011] ECR I-12181, paragraph 42).
27 Fingerprints constitute personal data, as they objectively contain unique information about individuals which allows those individuals to be identified with precision (see, to that effect, in particular, European Court of Human Rights judgment in S. and Marper v. United Kingdom, §§ 68 and 84, ECHR 2008).
28 In addition, as can be seen from Article 2(b) of Directive 95/46, processing of personal data means any operation performed upon such data by a third party, such as the collecting, recording, storage, consultation or use thereof.
29 Applying Article 1(2) of Regulation No 2252/2004 means that national authorities are to take a person’s fingerprints and that those fingerprints are to be kept in the storage medium in that person’s passport. Such measures must therefore be viewed as a processing of personal data.
30 In those circumstances, the taking and storing of fingerprints by the national authorities which is governed by Article 1(2) of Regulation No 2252/2004 constitutes a threat to the rights to respect for private life and the protection of personal data. Accordingly, it must be ascertained whether that twofold threat is justified.
Justification
31 Under Article 8(2) of the Charter, personal data cannot be processed except on the basis of the consent of the person concerned or some other legitimate basis laid down by law.
32 First of all, concerning the condition requiring the consent of persons applying for passports before their fingerprints can be taken, it should be noted that, as a general rule, it is essential for citizens of the Union to own a passport in order, for example, to travel to non-member countries and that that document must contain fingerprints pursuant to Article 1(2) of Regulation No 2252/2004. Therefore, citizens of the Union wishing to make such journeys are not free to object to the processing of their fingerprints. In those circumstances, persons applying for passports cannot be deemed to have consented to that processing.
33 Next, regarding whether the processing of fingerprints can be justified on the basis of some other legitimate basis laid down by law, it should be borne in mind from the outset that the rights recognised by Articles 7 and 8 of the Charter are not absolute rights, but must be considered in relation to their function in society (see, to that effect, Volker und Markus Schecke and Eifert, paragraph 48, and Case C-543/09 Deutsche Telekom [2011] ECR I-3441, paragraph 51).
34 Indeed, Article 52(1) of the Charter allows for limitations of the exercise of those rights, so long as those limitations are provided for by law, respect the essence of those rights, and, in accordance with the principle of proportionality, are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.
35 First, in the present case, it is common ground that the limitation arising from the taking and storing of fingerprints when issuing passports must be considered to be provided for by law, for the purposes of Article 52(1) of the Charter, since those operations are provided for by Article 1(2) of Regulation No 2252/2004.
36 Second, concerning the objective of general interest underlying that limitation, it can be seen that Article 1(2) of Regulation No 2252/2004, when read in the light of recitals 2 and 3 of that regulation, has two specific aims: the first, to prevent the falsification of passports and the second, to prevent fraudulent use thereof, that is to say, use by persons other than their genuine holders.
37 Accordingly, Article 1(2) is designed, through pursuit of those aims, to prevent, inter alia, illegal entry into the European Union.
38 In those circumstances, it must be found that Article 1(2) of Regulation No 2252/2004 pursues an objective of general interest recognised by the Union.
39 Third, it is not apparent from the evidence available to the Court, nor has it been claimed, that the limitations placed on the exercise of the rights recognised by Articles 7 and 8 of the Charter in the present case do not respect the essence of those rights.
40 Fourth, the Court must establish whether the limitations placed on those rights are proportionate to the aims pursued by Regulation No 2252/2004 and, by extension, to the objective of preventing illegal entry into the European Union. It must therefore be ascertained whether the measures implemented by that regulation are appropriate for attaining those aims and do not go beyond what is necessary to achieve them (see Volker und Markus Schecke and Eifert, paragraph 74).
41 As to whether Article 1(2) of Regulation No 2252/2004 is appropriate for attaining the aim of preventing the falsification of passports, it is common ground that the storage of fingerprints on a highly secure storage medium as provided for by that provision requires sophisticated technology. Therefore such storage is likely to reduce the risk of passports being falsified and to facilitate the work of the authorities responsible for checking the authenticity of passports at EU borders.
42 Mr Schwarz submits that the method of ascertaining identity using fingerprints is not appropriate for attaining the aim of preventing fraudulent use of passports, since there have been mistakes when implementing that method in practice; given that no two digital copies of a set of fingerprints are ever identical, systems using that method are not sufficiently accurate, resulting in not inconsiderable rates of unauthorised persons being incorrectly accepted and of authorised persons being incorrectly rejected.
43 In that regard, however, it must be held that the fact that the method is not wholly reliable is not decisive. Although that method does not prevent all unauthorised persons from being accepted, it is enough that it significantly reduces the likelihood of such acceptance that would exist if that method were not used.
44 Although it is true that the use of fingerprints as a means of ascertaining identity may, on an exceptional basis, lead to authorised persons being rejected by mistake, the fact remains that a mismatch between the fingerprints of the holder of a passport and the data in that document does not mean that the person concerned will automatically be refused entry to the European Union, as is pointed out in the second subparagraph of Article 4(3) of Regulation No 2252/2004. A mismatch of that kind will simply draw the competent authorities’ attention to the person concerned and will result in a more detailed check of that person in order definitively to establish his identity.
45 In the light of the foregoing, the taking and storing of fingerprints referred to in Article 1(2) of Regulation No 2252/2004 are appropriate for attaining the aims pursued by that regulation and, by extension, the objective of preventing illegal entry to the European Union.
46 Next, in assessing whether such processing is necessary, the legislature is obliged, inter alia, to examine whether it is possible to envisage measures which will interfere less with the rights recognised by Articles 7 and 8 of the Charter but will still contribute effectively to the objectives of the European Union rules in question (see, to that effect, Volker und Markus Schecke and Eifert, paragraph 86).
47 In that context, with regard to the aim of protecting against the fraudulent use of passports, it must in the first place be considered whether the threat posed by the measure of taking fingerprints does not go beyond what is necessary in order to achieve that aim.
48 In this respect, it is be borne in mind, on the one hand, that that action involves no more than the taking of prints of two fingers, which can, moreover, generally be seen by others, so that this is not an operation of an intimate nature. Nor does it cause any particular physical or mental discomfort to the person affected any more than when that person’s facial image is taken.
49 It is true that those fingerprints are to be taken in addition to the facial image. However, the combination of two operations designed to identify persons may not a priori be regarded as giving rise in itself to a greater threat to the rights recognised by Articles 7 and 8 of the Charter than if each of those two operations were to be considered in isolation.
50 Thus, as regards the case in the main proceedings, nothing in the case file submitted to the Court permits a finding that the fact that fingerprints and a facial image are taken at the same time would, by reason of that fact alone, give rise to greater interference with those rights.
51 On the other hand, it should also be noted that the only real alternative to the taking of fingerprints raised in the course of the proceedings before the Court is an iris scan. Nothing in the case file submitted to the Court suggests that the latter procedure would interfere less with the rights recognised by Articles 7 and 8 of the Charter than the taking of fingerprints.
52 Furthermore, with regard to the effectiveness of those two methods, it is common ground that iris-recognition technology is not yet as advanced as fingerprint-recognition technology. In addition, the procedure for iris recognition is currently significantly more expensive than the procedure for comparing fingerprints and is, for that reason, less suitable for general use.
53 In those circumstances, the Court has not been made aware of any measures which would be both sufficiently effective in helping to achieve the aim of protecting against the fraudulent use of passports and less of a threat to the rights recognised by Articles 7 and 8 of the Charter than the measures deriving from the method based on the use of fingerprints.
54 In the second place, in order for Article 1(2) of Regulation No 2252/2004 to be justified in the light of that aim, it is also crucial that the processing of any fingerprints taken pursuant to that provision should not go beyond what is necessary to achieve that aim.
55 In that regard, the legislature must ensure that there are specific guarantees that the processing of such data will be effectively protected from misuse and abuse (see, to that effect, European Court of Human Rights judgment, S. and Marper, § 103).
56 In that respect, it should be noted that Article 4(3) of Regulation No 2252/2004 explicitly states that fingerprints may be used only for verifying the authenticity of a passport and the identity of its holder.
57 In addition, that regulation ensures protection against the risk of data including fingerprints being read by unauthorised persons. In that regard, Article 1(2) of that regulation makes it clear that such data are to be kept in a highly secure storage medium in the passport of the person concerned.
58 However, the referring court is uncertain, in the light of its assessment, whether Article 1(2) of Regulation No 2252/2004 is proportionate in view of the risk that, once fingerprints have been taken pursuant to that provision, the – extremely high quality – data will be stored, perhaps centrally, and used for purposes other than those provided for by that regulation.
59 In that regard, it is true that fingerprints play a particular role in the field of identifying persons in general. Thus, the identification techniques of comparing fingerprints taken in a particular place with those stored in a database make it possible to establish whether a certain person is in that particular place, whether in the context of a criminal investigation or in order to monitor that person indirectly.
60 However, it should be borne in mind that Article 1(2) of Regulation No 2252/2004 does not provide for the storage of fingerprints except within the passport itself, which belongs to the holder alone.
61 The regulation not providing for any other form or method of storing those fingerprints, it cannot in and of itself, as is pointed out by recital 5 of Regulation No 444/2009, be interpreted as providing a legal basis for the centralised storage of data collected thereunder or for the use of such data for purposes other than that of preventing illegal entry into the European Union.
62 In those circumstances, the arguments put forward by the referring court concerning the risks linked to possible centralisation cannot, in any event, affect the validity of that regulation and would have, should the case arise, to be examined in the course of an action brought before the competent courts against legislation providing for a centralised fingerprint base.
63 In the light of the foregoing, it must be held that Article 1(2) of Regulation No 2252/2004 does not imply any processing of fingerprints that would go beyond what is necessary in order to achieve the aim of protecting against the fraudulent use of passports.
64 It follows that the interference arising from Article 1(2) of Regulation No 2252/2004 is justified by its aim of protecting against the fraudulent use of passports.
65 In those circumstances, there is no longer any need to examine whether the measures put into effect by that regulation are necessary in view of its other aim (namely, preventing the falsification of passports).
66 In the light of all the foregoing considerations, the answer to the question referred is that examination of that question has revealed nothing capable of affecting the validity of Article 1(2) of Regulation No 2252/2004.
Costs
67 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Fourth Chamber) hereby rules:
Examination of the question referred has revealed nothing capable of affecting the validity of Article 1(2) of Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States, as amended by Regulation (EC) No 444/2009 of the European Parliament and of the Council of 6 May 2009.
[Signatures]
** Language of the case: German.