IP case law Court of Justice

Judgment of 16 Apr 2015, C-446/12 (Willems and Others)

Charter of fundamental rights of the EU > Article 7 - Respect for private and family life
Charter of fundamental rights of the EU > Article 8 - Protection of personal data
General data protection law > Chapter II - Principles > Purpose limitation
General data protection law > Chapter II - Principles > Lawfulness - Legal obligation
General data protection law > Chapter II - Principles > Lawfulness - Performance of a task of public interest or official authority
General data protection law > Chapter II - Principles > Lawfulness - Legitimate interest

JUDGMENT OF THE COURT (Fourth Chamber)

16 April 2015 (*)

(Reference for a preliminary ruling — Area of freedom, security and justice — Biometric passport — Biometric data — Regulation (EC) No 2252/2004 — Article 1(3) — Article 4(3) — Use of data collected for purposes other than the issue of passports and travel documents — Establishment and use of databases containing biometric data — Legal guarantees — Charter of Fundamental Rights of the European Union — Articles 7 and 8 — Directive 95/46/EC — Articles 6 and 7 — Right to privacy — Right to the protection of personal data — Application to identity cards)

In Joined Cases C-446/12 to C-449/12,

REQUESTS for a preliminary ruling under Article 267 TFEU from the Raad van State (Netherlands), made by decision of 28 September 2012, received at the Court on 3 October 2012 (C-446/12), 5 October 2012 (C-447/12) and 8 October 2012 (C-448/12 and C-449/12), in the proceedings

W.P. Willems (C-446/12)

v

Burgemeester van Nuth,

and

H.J. Kooistra (C-447/12)

v

Burgemeester van Skarsterlân,

and

M. Roest (C-448/12)

v

Burgemeester van Amsterdam,

and

L.J.A. van Luijk (C-449/12)

v

Burgemeester van Den Haag,

THE COURT (Fourth Chamber),

composed of L. Bay Larsen, President of the Chamber, K. Jürimäe, J. Malenovský (Rapporteur), M. Safjan and A. Prechal, Judges,

Advocate General: P. Mengozzi,

Registrar: M. Ferreira, Principal Administrator,

having regard to the written procedure and further to the hearing on 6 November 2014,

after considering the observations submitted on behalf of:

–        Mr Willems, by himself,

–        Mr Kooistra, by himself,

–        Ms Roest and Ms van Luijk, by J. Hemelaar, advocaat,

–        the Netherlands Government, by J. Langer, M. Bulterman and H. Stergiou, acting as Agents,

–        the French Government, by F.-X. Bréchot, acting as Agent,

–        the Swiss Government, by D. Klingele, acting as Agent,

–        the European Parliament, by P. Schonard and R. van de Westelaken, acting as Agents,

–        the Council of the European Union, by E. Sitbon, I. Gurov and K. Michoel, acting as Agents,

–        the European Commission, by B. Martenczuk and G. Wils, acting as Agents,

having decided, after hearing the Advocate General, to proceed to judgment without an Opinion,

gives the following

Judgment

1        These requests for a preliminary ruling concern the interpretation of Articles 1(3) and 4(3) of Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States (OJ 2004 L 385, p. 1), as amended by Regulation (EC) No 444/2009 of the European Parliament and of the Council of 6 May 2009 (OJ 2009 L 142, p. 1, and corrigendum OJ 2009 L 188, p. 127) (‘Regulation No 2252/2004’).

2        The requests have been made in proceedings between Mr Willems, Mr Kooistra, Ms Roest and Ms van Luijk and the Burgemeester van Nuth, the Burgemeester van Skarsterlân, the Burgemeester van Amsterdam and the Burgemeester van Den Haag, respectively (‘the Burgemeesters’), concerning the refusal by the latter to issue the applicants in the main proceedings with a passport (C-446/12, C-448/12 and C-449/12) and an identity card (C-447/12) unless their biometric data was recorded at the same time.

 Legal context

 EU law

3        Under Article 6(1)(b), first sentence, of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31), Member States are to provide that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. In accordance with Article 6(1)(c) thereof that data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.

4        Article 7(c), (e) and (f) of that directive provides that personal data may be processed only if it is necessary ‘for compliance with a legal obligation to which the controller is subject’ or ‘for the performance of a task carried out in the public interest or ‘in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed’ or ‘for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1(1)’.

5        According to Article 4(1) of Directive 2004/38/EC of the European Parliament and of the Council of 29 April 2004 on the right of citizens of the Union and their family members to move and reside freely within the territory of the Member States amending Regulation (EEC) No 1612/68 and repealing Directives 64/221/EEC, 68/360/EEC, 72/194/EEC, 73/148/EEC, 75/34/EEC, 75/35/EEC, 90/364/EEC, 90/365/EEC and 93/96/EEC (OJ 2009 L 158, p. 77):

‘Without prejudice to the provisions on travel documents applicable to national border controls, all Union citizens with a valid identity card or passport and their family members who are not nationals of a Member State and who hold a valid passport shall have the right to leave the territory of a Member State to travel to another Member State.’

6        Article 5(1) of that directive provides:

‘Without prejudice to the provisions on travel documents applicable to national border controls, Member States shall grant Union citizens leave to enter their territory with a valid identity card or passport and shall grant family members who are not nationals of a Member State leave to enter their territory with a valid passport.’

7        Under Article 1(2) and (3) of Regulation No 2252/2004:

‘2. Passports and travel documents shall include a storage medium which shall contain a facial image. Member States shall also include fingerprints in interoperable formats. The data shall be secured and the storage medium shall have sufficient capacity and capability to guarantee the integrity, the authenticity and the confidentiality of the data.

3. This Regulation applies to passports and travel documents issued by Member States. It does not apply to identity cards issued by Member States to their nationals or to temporary passports and travel documents having a validity of 12 months or less.’

8        Article 4(3), first subparagraph, of the regulation reads as follows:

‘Biometric data shall be collected and stored in the storage medium of passports and travel documents with a view to issuing such documents. For the purpose of this Regulation the biometric features in passports and travel documents shall only be used for verifying:

(a)      the authenticity of the passport or travel document;

(b)      the identity of the holder by means of directly available comparable features when the passport or travel document is required to be produced by law.’

9        In accordance with Recital 5 in the preamble to Regulation No 444/2005, which amended Regulation No 2252/2004:

‘Regulation … No 2252/2004 requires biometric data to be collected and stored in the storage medium of passports and travel documents with a view to issuing such documents. This is without prejudice to any other use or storage of these data in accordance with national legislation of Member States. Regulation … No 2252/2004 does not provide a legal base for setting up or maintaining databases for storage of those data in Member States, which is strictly a matter of national law.’

 Netherlands law

10      Pursuant to Article 2(1), introductory, part (a), of the Law laying down the rules for the issue of travel documents (Rijkswet houdende het stellen van regelen betreffende de verstrekking van reisdocumenten) of 26 September 1991 (Stb. 1991, No 498, ‘the Passport Law’), the national passport is one of the travel documents issue by the Kingdom of the Netherlands.

11      According to Article 2(2) thereof, the Netherlands identity card is a travel document relating to the European part of the Kingdom of the Netherlands, valid for countries which are parties to the European Agreement on Regulations governing the Movement of Persons between Member States of the Council of Europe, adopted in Paris on 13 December 1957.

12      Article 3(3) of that law, in the version in force at the material time, provides that a travel document must contain a facial image, two fingerprints and the signature of the holder. Article 3(8) thereof states that the competent issuing authorities are required to keep records of the travel documents issued.

13      Article 65(1) and (2) of the Passport Law, in the version in force at the material time, provided:

‘1.      The authority which issues travel documents shall retain the following data in the records referred to in Article 3(8), second sentence:

a.      fingerprint data referred to in Article 3(3);

b.      two other fingerprints, as specified by the competent Minister, of the person applying for a travel document;

2.      The data referred to in paragraph 1 may be provided solely to authorities, institutions and individuals charged with the implementation of this law, in so far as they require the data for such implementation.

14      The Passport Law also contains Articles 4a and 4b, but they had not entered into force at the material time, a royal decree being required for that purpose. Article 4a of that law provided that a minister was to keep a central register of travel documents in which the data relating to travel documents are to be stored. That central register was to contain the data referred to in Article 3 of that law and two digital fingerprints from the applicant different than those in the travel document, pursuant to Article 3(3) of that law. Article 4b of the Passport Law set out the conditions under which the data stored in the central register for travel documents could be communicated to other institutions, bodies or persons, in particular, for the purpose of identifying victims of disasters and accidents, the detection and prosecution of criminal offences and for the conduct of investigations of acts constituting a threat to State security.

15      Articles 3, 4a, 4b and 65 of the Passport Law were amended with effect from 20 January 2014. Pursuant to Article 3(9) of that law, inserted following that legislative amendment, digital fingerprints are to be stored only for the duration of the procedure for application and issue of the passport, that is to say until the passport is issued to the holder. After issue of the new passport, the digital fingerprints are to be erased. Articles 4a and 4b of that law have been amended so that they no longer provide for the central storage and communication to third parties of the digital fingerprints taken. Article 65(1) and (2) of that law was repealed and replaced by Article 3(9).

 The actions in the main proceedings and the questions referred for a preliminary ruling

16      Mr Willems and Ms Roest and Ms van Luijk each made passport applications. In each case, the Burgemeester concerned rejected those applications, since the persons in question had refused to provide digital fingerprints. Mr Kooistra made an application for the issue of a Netherlands identity card which was also refused on the ground that he had refused to provide digital fingerprints and a facial image.

17      The applicants in the main proceedings refused to provide that biometric data on the ground that creating and storing it constitute a serious breach of their physical integrity and their right to privacy.

18      According to the applicants in the main proceedings that breach arises, inter alia, from the storage of that data on three different media. The data is stored not only on the storage medium integrated into the Netherlands passport or identity card, but also on a decentralised database. In addition, data security risks will increase because the Passport Law provides that local authority databases are eventually to be combined into in a centralised database.

19      Furthermore, there are no provisions clearly identifying the persons who will have access to biometric data, so that the applicants in the main proceedings will lose control of that data.

20      Similarly, the applicants in the main proceedings submit that in the future the authorities might use biometric data for purposes other than those for which it was provided to them. In particular, the storage of that data in a database might lead to its use for judicial purposes or by the intelligence and security services. It follows from Regulation No 2252/2004 that, for the purposes of the application of that regulation, biometric data, such as digital fingerprints, may be used only in order to verify the authenticity of the document and the identity of the holder. Such use is also contrary to fundamental rights.

21      Since their respective actions against the decisions of the Burgemeesters were rejected at first instance, the applicants in the main proceedings have brought appeals before the referring court.

22      The referring court asks, first of all, whether, in Case C-447/12, the Netherlands identity card falls within the scope of Regulation No 2252/2004. In that connection, it is clear from EU law on the free movement of persons that an identity card is also a travel document within the European Union. Furthermore, that card enables travel outside the European Union, to EU candidate countries. Moreover, it is conceivable that Article 1(3) thereof may be read as meaning that the concept of ‘identity card’ for the purposes of that provision must be read together with the expression ‘having a validity of 12 months or less’ which also appears in that provision. Netherlands identity cards are valid for five years.

23      Next, the referring court indicates that the outcome of the cases in the main proceedings will depend on whether the ground relied on by the applicants, according to which the purposes for which the data collected for the issue of a passport or a travel document may be used in the future are unclear, is well founded.

24      Lastly, that court asks whether it follows from Regulation No 2252/2004 that it must be guaranteed by law, that is to say, by means of a mandatory rule of general scope, that the biometric data collected on the basis of that regulation may not be used for purposes other than those set out therein.

25      In those circumstances, the Raad van State decided to stay the proceedings and to refer two questions for a preliminary ruling in Cases C-446/12, C-448/12 and C-449/12 and three questions in Case C-447/12.

26      The first questions in Cases C-446/12, C-448/12 and C-449/12 and the second question in Case C-447/12 concerned the validity of Article 1(2) of Regulation No 2252/2004. They corresponded to the question referred for a preliminary ruling which gave rise to the judgment in Schwarz (C-291/12, EU:C:2013:670).

27      Following that judgment, the referring court withdrew the questions mentioned in the preceding paragraph.

28      However, the Raad van State maintained the first question referred for a preliminary ruling in Case C-447/12 which is worded as follows:

‘Must Article 1(3) of [Regulation No 2252/2004] be interpreted as meaning that it does not apply to identity cards, such as the Netherlands identity cards, issued by Member States to their nationals, regardless of their period of validity and regardless of the possibilities of using them as travel documents?’

29      Likewise, the Raad van State maintained the second questions referred in Cases C-446/12, C-448/12 and C-449/12, and the third question in Case C-447/12, which are identical and are worded as follows:

‘… [M]ust Article 4(3) of Regulation [No 2252/2004], [read] in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union [“the Charter”], Article 8(2) of the European Convention on the Protection of Human Rights and Fundamental Freedoms[, signed at Rome on 4 November 1950,] and Article 7(f) of [Directive 95/46], read in conjunction with Article 6(1)(b) of that directive, be interpreted as meaning that, when the Member States give effect to Regulation No 2252/2004, there should be a statutory guarantee that the biometric data collected and stored pursuant to that regulation may not be collected, processed and used for any purposes other than the issuing of the document concerned?’

 Consideration of the questions referred for a preliminary ruling

 The first question in Case C-447/12

30      By its question, the referring court asks essentially if Article 1(3) of Regulation No 2252/2004 must be interpreted as meaning that that regulation is not applicable to identity cards issued by a Member State to its nationals, such as the Netherlands identity cards, irrespective of the period of their validity and irrespective of the possibility to use them for the purposes of travel outside that State.

31      According to Article 1(3), second sentence, Regulation No 2252/2004 does not apply to identity cards issued by Member States to their nationals or to temporary passports and to travel documents having a validity of 12 months or less.

32      In the first place, it must be established whether the scope of Regulation No 2252/2004 varies according to the period of validity of an identity card.

33      In that connection, it is clear from Article 1(3), second sentence, of that regulation that that provision restricts the scope of the regulation by excluding from it two categories of documents. Given that those two categories of documents are connected in the text by the conjunction ‘or’, they must be regarded as being separate from one another.

34      That conclusion is supported by the fact that in several language versions of Article 1(3), second sentence, of Regulation No 2252/2004, and in particular, in the English (‘temporary passports and travel documents having a validity of 12 months or less’), German (‘vorläufige Pässe und Reisedokumente mit enier Gültigkeitsdauer von zwölf Monaten oder weniger’) and Dutch (‘tijdelijke paspoorten en reisdocumenten die een geldigheidsduur van 12 maanden of minder hebben’) language versions, the expressions ‘temporary’ and ‘having a validity of 12 months or less’ do not apply to one of the categories of documents mentioned in the preceding paragraph, namely identity cards issued by the Member States.

35      In those circumstances, it must be stated that the expressions ‘temporary’ and ‘having a validity of 12 months or less’ do not concern identity cards issued by the Member States to their nationals.

36      It follows that, according to the wording of Article 1(3) of Regulation No 2252/2004, that regulation does not apply to identity cards issued by Member States to their nationals, whether or not they are temporary and whatever the period of their validity.

37      Moreover, that conclusion is reinforced by the travaux préparatoires for Regulation No 2252/2004. In particular from Article 1(3) of the Draft Council Regulation on standards for security features and biometrics in travel documents issued by Member States (Council Document No 11489/04 of 26 July 2004) stated that that regulation is intended to apply ‘to passports and travel documents with a validity of 12 months or more. It does not apply to identity cards issued by Member States to their nationals’.

38      In the second place, it must be established whether the fact that identity cards such as Netherlands identity cards may be used for the purposes of travel within the European Union and to certain non-Member States may bring it within the scope of Regulation No 2252/2004.

39      In that connection, it must be observed that it is true that identity cards, such as Netherlands identity cards, may serve as identification of the holder with regard to non-Member States which have concluded bilateral agreements with the Member State concerned, and, in accordance with Articles 4 and 5 of Directive 2004/38, for the purposes of travel between several Member States.

40      However, it is clear from the wording of the second sentence of Article 1(3) of Regulation No 2252/2004, interpreted in the light of the findings in paragraphs 32 to 37 of the present judgment, that the EU legislature expressly decided to exclude from the scope of that regulation identity cards issued by Member States to their nationals.

41      Consequently, the fact that identity cards, such as Netherlands identity cards, may be used for the purposes of travel within the European Union and to a limited number of non-Member States, does not bring them within the scope of Regulation No 2252/2004.

42      Having regard to the foregoing considerations, the answer to the question referred is that Article 1(3) of Regulation No 2252/2004 must be interpreted as meaning that that regulation is not applicable to identity cards issued by a Member States to its nationals, such as Netherlands identity cards, regardless of the period of validity and the possibility of using them for the purposes of travel outside that State.

 The second questions in Cases C-446/12, C-448/12 and C-449/12, and the third question in Case C-447/12

43      By those questions, which it is appropriate to examine together, the referring court asks essentially whether Article 4(3) of Regulation No 2252/2004, read together with Articles 6 and 7 of Directive 95/46 and Articles 7 and 8 of the Charter, must be interpreted as meaning that it requires Member States to guarantee that the biometric data collected and stored pursuant to that regulation will not be collected, processed and used for purposes other than the issue of passports or other travel documents.

44      In that connection, it must be observed at the outset that, having regard to the answer to the first question in Case C-447/12, it is only necessary to examine the questions raised in relation to Cases C-446/12, C-448/12 and C-449/12.

45      Article 4(3) of Regulation No 2252/2004 requires that, in order to issue a passport or travel document, biometric data must be ‘collected’ and ‘stored’ on the storage medium integrated into those documents. As regards the ‘use’ of that data, that provision states that, for the purposes of that regulation, the latter are to be used only for verifying the authenticity of the document or the identity of the holder when the passport or other travel documents are required to be produced by law.

46      The Court has already held, in its judgment in Schwarz (C-291/12, EU:C:2013:670), that the use and storage of biometric data for the purposes specified in Article 4(3) of that regulation are compatible with the requirements of Articles 7 and 8 of the Charter.

47      As regards all other uses and storage of that data, it is clear from Article 4(3) of Regulation No 2252/2004, which deals with the use of such data ‘[f]or the purpose of this Regulation’, read in the light of recital 5 in the preamble to Regulation No 444/2009, which amended Regulation No 2252/2004, that the use and storage of that data are not governed by the latter regulation. That recital states that Regulation No 2252/2004 is without prejudice to any other use or storage of these data in accordance with national legislation of Member States and that it does not provide a legal base for setting up or maintaining databases for storage of those data in Member States, that matter being within the exclusive competence of the Member States.

48      It follows, in particular, that Regulation No 2252/2004 does not require a Member State to guarantee in its legislation that biometric data will not be used or stored by that State for purposes other than those mentioned in Article 4(3) of that regulation (see, to that effect, judgment in Schwarz, C-291/12, EU:C:2013:670, paragraph 61).

49      Next, as regards Articles 7 and 8 of the Charter, it is clear from the case-law of the Court that the fundamental rights guaranteed by the Charter must be respected where national legislation falls within the scope of EU law. In other words, the applicability of EU law entails the applicability of the fundamental rights guaranteed by the Charter (judgments in Åkerberg Fransson, C-617/10, EU:C:2013:105, paragraphs 20 and 22, and Texdata Software, C-418/11, EU:C:2013:588, paragraphs 71 to 73).

50      Given that, in the present case, Regulation No 2252/2004 is not applicable, there is no need to determine whether the storage and use of biometric data for purposes other than those referred to in Article 4(3) thereof are compatible with those articles of the Charter.

51      The foregoing considerations are without prejudice to any examination by the national courts of the compatibility of all the national measures relating to the use and storage of biometric data with their national law and, if appropriate, with the European Convention on the Protection of Human Rights and Fundamental Freedoms (see, to that effect, judgment in Schwarz, C-291/12, EU:C:2013:670, paragraph 62).

52      Finally, as regards Articles 6 and 7 of Directive 95/46, it must be observed that, by its questions, the referring court requests the interpretation of Regulation No 2252/2004 and only that regulation. Since it follows from the foregoing considerations that that regulation is not applicable in the present case, there is no need to examine, as a separate matter, whether those articles affect the national legal framework relating to the storage and use of biometric data outside the scope of Regulation No 2252/2004.

53      Therefore, the answer to the questions referred is that Article 4(3) of Regulation No 2252/2004 must be interpreted as meaning that it does not require the Member States to guarantee, in their legislation, that biometric data collected and stored in accordance with that regulation will not be collected, processed and used for purposes other than the issue of the passport or travel document, since that is not a matter which falls within the scope of that regulation.

 Costs

54      Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (Fourth Chamber) hereby rules:

1.      Article 1(3) of of Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States, as amended by Regulation (EC) No 444/2009 of the European Parliament and of the Council of 6 May 2009, must be interpreted as meaning that that regulation is not applicable to identity cards issued by a Member States to its nationals, such as Netherlands identity cards, regardless of the period of validity and the possibility of using them for the purposes of travel outside that State.

2.      Article 4(3) of Regulation No 2252/2004, as amended by Regulation No 444/2009, must be interpreted as meaning that it does not require the Member States to guarantee, in their legislation, that biometric data collected and stored in accordance with that regulation will not be collected, processed and used for purposes other than the issue of the passport or travel document, since that is not a matter which falls within the scope of that regulation.

[Signatures]

* Language of the case: Dutch.


Disclaimer