Belgium: Digital fingerprints on ID cards – no violation of the right to privacy according to the Belgian Constitutional Court

Heidi Waem, Emma Stockman

On 14 January 2021, the Belgian Constitutional Court delivered a highly anticipated judgment on the legality of the integration of the digital format of two fingerprints in ID cards, introduced through Article 27 of the Belgian law of 25 November 2018. After a balancing of interests, the Court ruled that the inclusion of digital fingerprints on ID cards does not violate the fundamental right to respect for private life, thereby providing clarity on a heavily criticized matter and setting an important precedent.


On 20 June 2019, the European Union adopted Regulation 2019/1157/EU, which will enter into force on 2 August 2021 and which will introduce the mandatory obligation for Member States to include two fingerprints in interoperable digital formats in national ID cards. Prior to this Regulation, however, Belgium had already adopted a similar obligation through Article 27 of the Law of 25 November 2018 on various provisions relating to the National Register and population registers. The article was particularly controversial and quickly resulted in five appeals for annulment before the Belgian Constitutional Court.

The fundamental right to privacy

The applicants stated that Article 27 of the Belgian law of 25 November 2018, providing for the integration of the digital format of two fingerprints in ID cards for Belgian citizens with a minimum age of 12 years, violated Article 22 of the Belgian Constitution, which preserves the right to respect for private life (read in conjunction with Article 8 of the European Convention on Human Rights, Articles 7 and 8 of the EU Charter on Fundamental Rights and Articles 9, 35 and 36 of the General Data Protection Regulation 2016/679, GDPR).

The right to respect for private life and to protection of personal data, however, is not an absolute right. An interference by a public authority is allowed provided that it is authorized by a sufficiently precise legal provision, meets a pressing social need in a democratic society and is proportionate to the legitimate aim pursued.

Assessment of the Constitutional Court

Firstly, the Court stated that the Law of 25 November 2018 pursues a legitimate aim as it contributes to the prevention of ID fraud and crimes relating to ID fraud, such as human trafficking or terrorist activities. As Belgium is already enforcing Regulation 2019/1157/EU prematurely through its Law of 25 November 2018, the Court referred to the purposes of this Regulation as well. These are the reinforcement of security, the facilitation of the free movement of EU citizens and their family members and the reduction of the risk of ID fraud, all of which must be regarded as objectives of general interest recognized by the European Union. In this regard, the Court cited the Schwarz case of 2013, where the European Court of Justice decided that the analogous Regulation 2252/2004/EC, providing for the integration of two digital fingerprints in passports and travel documents issued by Member States, also pursued objectives of general interest recognized by the European Union. Furthermore, the Court stated that all these objectives constitute “reasons of substantial public interests” in the sense of Article 9(1), g) GDPR, thus allowing for the processing of these biometric data.

The Court further clarified that the contested provision is appropriate to attain the objectives pursued, since “the storage of the digital format of the fingerprints on the ID card may reduce the risk of falsification of ID cards and facilitate the task of the authorities responsible for verifying their authenticity and also prevent the fraudulent use of ID cards.”

In accordance with the principle of legality, the interference with the fundamental right to respect for private life must be sufficiently precise and foreseeable. The Court distinguished the following elements included in the contested provision: (i) the relevant data, namely the digital format of two fingerprints, (ii) the maximum term during which these data may be retained for the purpose of producing and issuing the ID card (3 months), (iii) the destruction of these data at the end of this term, (iv) the fact that the data are stored exclusively on the ID card and that they can only be read electronically and (v) the bodies authorized to read them. As these elements enable the data subject to sufficiently ascertain the scope and limitations of the interference with their right to respect for private life, the Court concluded that the contested provision fulfills the legality requirement.

As to the necessity and proportionality of the contested provision, the Court again referred to the Schwarz case of the European Court of Justice on Regulation 2252/2004/EC. Whilst the Court did acknowledge that passports and ID cards are documents of a different nature, generally intended for different uses, it nevertheless noted that a certain level of analogy is permitted, given that ID cards are frequently used as travel documents within the EU, as well as for travel to a limited number of third countries, and may serve as “source” documents in order to obtain a passport. Therefore, the Court considered that the Schwarz case may be taken into account for the necessity and proportionality assessment. In this regard, the absence of a central register of fingerprints of all ID card holders was an important consideration for the Court. The centralization of the fingerprints is time-limited and only occurs for the purposes of producing and issuing the ID card, after which this data is destroyed. Thus, the Court emphasized that the contested provision limits the retention of the digital format of the fingerprints to the integration in the ID cards only and should therefore be regarded as proportionate.

Lastly, the applicants requested that questions be referred for a preliminary ruling to the European Court of Justice regarding the validity of Regulation 2019/1157/EU. As the measures provided in the contested provision of the Law of 25 November 2018 find their equivalent in this Regulation and as the Court found its examination of the contested provision sufficiently clear, this request was, however, dismissed.


In light of the above, the Constitutional Court dismissed all appeals and ruled that the contested provision does not violate the fundamental right to respect for private life. Given the high level of criticism from privacy experts surrounding the Law of 25 November 2018 and the negative advice of the Belgian Data Protection Authority prior to its adoption, this might have come as a surprise. Moreover, a preliminary reference to the European Court of Justice might also have been an opportunity to examine the validity of Regulation 2019/1157/EU, which will undoubtedly have a tremendous impact on the digital single market as we know it. In any event, the Belgian judgment proves to be a clear demonstration of the relativity of fundamental rights, particularly with regard to national security and the prevention of fraud. It remains to be seen how this will evolve within other Member States once Regulation 2019/1157/EU enters into force.