
On Willems et al. v Burgemeester van Nuth and the processing of personal data by law enforcement agencies…If only the CJEU had been more prolix….

less is not more!

As explained in an earlier post, the Court of Justice of the European Union (CJEU) issued on 16 April 2015 its preliminary ruling in the case of Willems and Others v Burgemeester van Nuth and Others C-446/12 to C-449/12 (Willems) concerning the interpretation of an EU Regulation (2252/2004, ‘the Regulation’) on standards for security features and biometrics in passports and travel documents issued by Member States (subsequently amended by Regulation (EC) No 444/2009).

Is this a mild foretaste of the CJEU’s awaited judgment in the case of Schrems v Data Protection Commissioner [2014] IEHC 310 (see here for a discussion of this case)? Unfortunately… it may very well be!

In Willems, the CJEU was asked 2 questions, the second being of particular interest here:

“… [M]ust Article 4(3) of Regulation [No 2252/2004], [read] in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union [“the Charter”], Article 8(2) of the European Convention on the Protection of Human Rights and Fundamental Freedoms[, signed at Rome on 4 November 1950,] and Article 7(f) of [Directive 95/46], read in conjunction with Article 6(1)(b) of that directive, be interpreted as meaning that, when the Member States give effect to Regulation No 2252/2004, there should be a statutory guarantee that the biometric data collected and stored pursuant to that regulation may not be collected, processed and used for any purposes other than the issuing of the document concerned?”

By way of background, Article 4(3), first subparagraph, of the Regulation reads as follows:

“Biometric data shall be collected and stored in the storage medium of passports and travel documents with a view to issuing such documents. For the purpose of this Regulation the biometric features in passports and travel documents shall only be used for verifying:

(a)     the authenticity of the passport or travel document;

(b)     the identity of the holder by means of directly available comparable features when the passport or travel document is required to be produced by law.”

Reading the letter of Article 4(3), it appears that, assuming the Regulation is applicable, there is built into it a guarantee that the biometric data collected and stored pursuant to that regulation may not be collected, processed and used for any purposes other than the issuing of the documents concerned.

This was clearly acknowledged by the CJEU itself in an earlier case, Michael Schwarz v Stadt Bochum [2013] EUECJ C-291/12, where the CJEU “noted that Article 4(3) of Regulation No 2252/2004 explicitly states that fingerprints may be used only for verifying the authenticity of a passport and the identity of its holder” ([56]). The CJEU went on to add at [61]: “The regulation not providing for any other form or method of storing those fingerprints [than the storage of fingerprints within the passport itself], it cannot in and of itself, as is pointed out by recital 5 of Regulation No 444/2009, be interpreted as providing a legal basis for the centralised storage of data collected thereunder or for the use of such data for purposes other than that of preventing illegal entry into the European Union”. As a result, it concluded that the “risks linked to possible centralisation cannot, in any event, affect the validity of that regulation and would have, should the case arise, to be examined in the course of an action brought before the competent courts against legislation providing for a centralised fingerprint base” at [62]. More generally, as it confirmed in Willems (see [46]), the Court held that “the use and storage of biometric data for the purposes specified in Art.4(3) of that regulation are compatible with the requirements of Article 7 and 8 of the [European Charter of Fundamental Rights]”.

In Willems, the answer of the CJEU is not exactly in the same terms though. This is due to one fundamental reason: the use and storage of the data at stake in Willems are not governed by the Regulation.

How is this possible? This is because Willems concerned the storage and use of biometric data for the purposes of the issuance of identity cards (and not passports or travel documents having a validity of more than 12 months). [Is this really an appropriate distinction?]

Because the Regulation is not applicable, the CJEU concludes that there is no need to determine whether the storage and use of biometric data for the purposes at stake in Willems are compatible with Articles 7 and 8 of the Charter (see [50]).

Why? Because the Charter is applicable only in cases in which the EU is competent to act. Under Article 6 of the Treaty on European Union “[t]he provisions of the Charter shall not extend in any way the competences of the Union as defined in the Treaties”. Yet as recalled by Recital 5 of the Regulation, the Regulation “is without prejudice to any other use or storage of these data in accordance with national legislation of Member States. Regulation … No 2252/2004 does not provide a legal base for setting up or maintaining databases for storage of those data in Member States, which is strictly a matter of national law.” In other words, the creation of databases containing biometric data is strictly a matter of Member State competence.

Is this always true? Well… I am not sure. EU law governs the creation of such databases to the extent that (at least for now) the Data Protection Directive is applicable.

Yet in Willems the CJEU does not even attempt to determine whether the Data Protection Directive is applicable. Why? This is because, according to the CJEU, the national court was only requesting the interpretation of the Regulation.

Is this really true? Well… I am not sure either, as the Data Protection Directive is expressly mentioned within the question referred.

So why is the CJEU so quick to set aside this scenario? It might be because of Article 3 of the Data Protection Directive which states that the Directive does not apply to the processing of personal data “in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law”.

Okay…. But the CJEU could have at least checked whether the processing at stake in Willems was outside the scope of the Data Protection Directive!

Now, if the Data Protection Directive is not applicable, would it always be the end of the story… Does it mean that the Charter… and/or the Treaty are never applicable?

Well… The “Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data” just shows that Article 16 of the Treaty on the Functioning of the European Union (TFEU) is a viable basis for regulating the processing of personal data for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties…. [although the explanatory memorandum of the proposed Directive might over-simplify the question of competence when it states that “with Article 16 (2) TFEU, the Lisbon Treaty introduces a specific legal basis for the adoption of rules on the protection of personal data that also applies to judicial co-operation in criminal matters and police co-operation”.]

Does it not mean that the CJEU should have at least addressed the question whether the Charter can confine the processing of biometric data at a national level even for the purposes of the issuance of identity cards?

In its judgment of 8 April 2014 (Digital Rights Ireland) on the validity of the Data Retention Directive, the CJEU examined, in the light of the Charter, the legality of data retention obligations imposed upon Internet service providers, i.e. obligations to process personal data imposed upon private actors for the purposes of investigation, detection and prosecution of serious crimes. Why not examine the processing of personal data by public bodies for the purposes of prevention, investigation, detection or prosecution of criminal offences in the light of the Charter as well?

Admittedly, in the Digital Rights Ireland case, the EU had exercised its competence by adopting the Data Retention Directive. Strictly speaking, in the case of the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences, this competence has not been exercised yet. Does it mean that the Charter is only applicable when the EU does exercise its competence… when the competences are shared?

But… and this is why the CJEU could really have been more prolix. In Dano (Case C-333/13) on 11 November 2014 the CJEU clearly stated in relation to the principle of non-discrimination based on nationality enshrined in Article 18 TFEU [i.e. the right to non-discrimination based on nationality] that this principle [i.e. this right] is applicable “in all situations falling within the scope ratione materiae of EU law” ([59]). For this right to be applicable there is thus no need for the EU to exercise its competence. [Would we really need to distinguish between Article 16 and Article 18 TFEU?]

….Obviously to go back to Schrems for a minute, the CJEU will be even less tempted to use Article 16 TFEU or the Charter as the competence regarding measures of national security remains with the Member States (See Article 4 of the Treaty on European Union)….

Sophie Stalla-Bourdillon

4 thoughts on “On Willems et al. v Burgemeester van Nuth and the processing of personal data by law enforcement agencies…If only the CJEU had been more prolix….”

  1. Thanks for this! I don’t think Article 16 TFEU is relevant to the judgment, since it concerns legislation adopted before the Treaty of Lisbon entered into force. And in my opinion the ‘national security’ exception only applies to intelligence agencies, since the CJEU has always interpreted similar exceptions narrowly. Nor is the Charter relevant *unless* EU law applies in the first place; it’s not enough that the EU is competent to act. The real flaw in the judgment is the failure to properly consider the application of the data protection Directive, which (as you say) the national court had even asked about.

    • There certainly is still room for further clarification. I think that if a MS should ever decide to use the information contained in these passports in order to discriminate between nationals of the EU, there would open room to argue with Article 18 TFEU (which is a basic right in itself, confirmed by the Charter). It would hardly matter what the exact context of such discrimination should be, since the EU could not afford to have MSs use its “inventions” in a fashion so clearly against the single most significant underpinning value of the whole Union’s legal system.
