Courts are investigating the legality of a European Union regulation requiring biometric passports in Europe. Last month, the Dutch Council of State (Raad van State, the highest Dutch administrative court) asked the European Court of Justice (ECJ) to decide if the regulation requiring fingerprints in passports and travel documents violates citizens’ right to privacy. The case entered the courts when three Dutch citizens were denied passports and another citizen was denied an ID card for refusing to provide their fingerprints. The ECJ ruling will play an important role in determining the legality of including biometrics in passports and travel documents in the European Union.

The Dutch Council referred the question of legality the ECJ, arguing that the restrictions on privacy do not outweigh the ostensible aim of fraud prevention, and questioning the RFID technique. The Council also questioned whether fingerprints could be safeguarded so that they would only be used in passports or identity cards and not in databases for other purposes (known as function creep). The four cases that prompted this challenge to the biometric passport regulation are suspended pending the ECJ’s response.

The Netherlands has mandated fingerprints in passports and ID-cards since 2009. The Dutch biometric Passport Act is the misshapen offspring of the European Regulation (read here and here) compelling security features and biometrics in passports. The Regulation mandates that passports include two fingerprints taken flat in interoperable formats.

The Netherlands' storage of a biometric database was suspended in 2011, following privacy concerns as well as questions over the reliability of biometric technology.  The Mayor of the City of Roermond reported that 21 percent of fingerprints collected in the city could not be used to identify any individuals. In April 2011, the Dutch Minister of Interior, in a letter to the Dutch House of Representatives, asserted that the number of false rejections was too high to warrant using fingerprints for verification and identification. Currently, only fingerprints stored in Radio Frequency Identification (RFID) chips embedded in ID documents are being collected.

The Amsterdam-based Privacy First Foundation (Stichting Privacy First) appreciates the critical stance on biometrics taken by the Dutch Council of State in line with the position taken by a German court.

We hope the ECJ will soon rule that the European Passport Regulation is invalid both in a formal, procedural sense (having been improperly adopted in 2004) and in a material sense (violating the human right to privacy and data protection). In the meantime, we hope the Dutch Parliament will scrap compulsory fingerprinting for Dutch ID cards as soon as possible.

A government proposal to this effect is currently before the Dutch House of Representatives.

The Dutch Council concerns echo questions raised by a German court earlier this year regarding the legality of the German biometric passports with RFID chips. The German court has questioned whether the EU regulation is compatible with the Charter of Fundamental Rights of the European Union (EU Charter) and the European Convention of Human Rights (ECHR). The German case was preempted when a German citizen, Michael Schwarz, refused to provide his fingerprints to obtain his new passport and the City of Bochum decided not to issue him one.

Mr. Schwarz argued that the regulation infringes privacy as protected under the ECHR and the EU Charter. In this case, the German court argued that the European Union has no legislative competence to enact rules on standards for security features and biometrics in passports as there is no direct relation of such rules to the protection and security of EU external frontiers.

The German court decided that the requirement of biometric data in passports is a “serious infringement” on privacy, arguing that the measure does not satisfy the proportionality test of being appropriate, necessary, or reasonable.

The German court outlined in detail the technical limitations of biometric passports, arguing that (paraphrased):

a biometric passport is not an appropriate measure because of the rate of mistakes which are made at border controls. Another problem is the durability of the RFID chips inside the passports, and their susceptibility to being read by people who have no legal authority to read them. … If the goal of the measure is to prevent terrorist attacks, then these biometric passports are suitable only to a very limited degree. The primary problem is the security risk that arises from the use of real passports that incorporate a fraudulently obtained identity.

In 2008, the European Court of Human Rights issued a landmark judgment on biometric privacy. In S. and Marper v. the United Kingdom, the Court held that the long-term retention of both fingerprints and DNA samples interfered with an individual’s right to privacy and, consequently, found a breach of Article 8 of the ECHR. The fingerprints and DNA samples were collected following the arrest of the complainants and retained even after their release, even though the complainants had asked for the destruction of the samples.

European countries are increasingly collecting and storing citizen’s biometric data. Throughout the world, countries are beginning to implement contactless 'RFID' chips in passports or mandatory national biometric ID cards. Other countries, such as the Netherlands, have implemented database storage. Last year, an alliance of more than 80 civil society organizations including EFF requested the Council of Europe's (CoE) Secretary General to start an in-depth investigation on the collection and storage of biometric data by Member States.

Based on Article 52 of the ECHR, the COE's Secretary General has a personal investigatory power to request an explanation from Member States as to how their internal law ensures the effective implementation of any of the provisions of the ECHR, including the right to privacy. This is why the alliance has requested that the COE's Secretary General asked its Members States to explain how their national biometrics laws comply with the ECHR and the rulings of the European Court of Human Rights. As of now, the Council of Europe has refused to carry out such an in-depth investigation. In light of the recent Dutch decision, EFF recalled the COE's Secretariat General the need to carry out such investigation.

EFF will continue to fight against the collection and storage of mandatory ID biometrics by governments, especially in view of its inherent unreliability and the new threats to privacy and security posed by such technology.