Articles

Constitutional Court: fingerprints on the Belgian eID do not infringe the rights of privacy and to data protection

Constitutional Court: fingerprints on the Belgian eID do not infringe

Constitutional Court: fingerprints on the Belgian eID do not infringe the rights of privacy and to data protection

08.02.2021 BE law

On 14 January 2021, the Constitutional Court validated a legislative measure requiring the inclusion of fingerprints on Belgian eID.  According to the Court, is not contrary to the right to privacy and the right to protection of personal data.

Introduction

On 14 January 2021, the Constitutional Court validated a legislative measure requiring the inclusion of fingerprints on Belgian electronic identity cards (eID).  According to the Court, is not contrary to the right to privacy and the right to protection of personal data.

1. Legislative background

The Law of 25 November 2018 on miscellaneous provisions concerning the National Register and population registers (hereafter, the “Law” ; Official Gazette, 13 December 2018, available in French and in Dutch) contains provisions proposing several changes to the eID. One of the major changes is the obligation for every Belgian to provide two fingerprints that will be integrated on their eID and visible only digitally (Article 27 of the Law).

This provision is the subject of the action for annulment before the Constitutional Court that is asked to verify the compatibility of this obligation to the rights to privacy and to data protection.

2. The judgment of the Constitutional Court

Specifically, three aspects of the provision are criticized.

a) The collection of fingerprints and the storage of the scanned image of the eID

The collection and storage of fingerprints constitute an interference with the two above-mentioned fundamental rights. However, the Court notes that they are provided for by law and pursue perfectly legitimate aims: combating identity fraud and protecting the rights and freedoms of others.

The Constitutional Court further stresses that fingerprints are sensitive data as defined by the GDPR (more precisely, biometric data in the sense of Article 4(14), GDPR). Their collection and storage is, however, necessary for reasons of substantial public interest and is permitted if it is proportionate to the aforementioned purpose (Article 9(2)(g)).

The Court further recalls that this objective is reflected in Regulation 2019/1157 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement (see here). Thus, the Belgian law only anticipates this European regulation.

A parallel can also be drawn with the case of Schwarz v. Stadt Bochum of the Court of Justice of the European Union that validated an identical system for passports (17 October 2013, C-291/12).

Finally, the Constitutional Court validates the proportionality test. The arrangements for collection and storage of the fingerprints do not affect the essential content of the right to privacy and the right to protection of personal data, in particular because fingerprints are no intimate data and no central register of fingerprints is created.

b) The centralised storage of the digital image for the purposes of the manufacture and issuance of the identity card

The storage is temporary (three months maximum) and is justified by the needs to manufacture and issue the eID.

For the applicants, this processing is not necessary: technically, the prints could be directly integrated into the eID. However, this stage of temporary storage is justified in particular for reasons of security and data integrity. It avoids abuses and makes it possible to centralise the integration of fingerprints into the identity card in a single place and with a single administration. In that regard, the Court does not consider such storage to be disproportionate.

c) Reading the scanned image of the fingerprints

When integrated into the eID, the fingerprints can be read by authorised authorities whose tasks are legally determined. This authorisation only allows for reading the data, not recording and storing them, and is justified by the main purpose for which the fingerprints are included in the identity card.

Conclusion

The Constitutional Court validates, subject to few clarifications of interpretation, the whole system. In view of the case law of the Court of Justice of the European Union on passports, and in view of Regulation 2019/1157, such a conclusion could be expected. However, the judgment is not without interest: it is instructive in that it justifies with precision and in the light of European texts a particular measure whose sole objective is identity fraud and therefore, ultimately, the protection of citizens.

 

By Edouard Cruysmans, Cyril Fischer and Erik Valgaeren

Team

Related news

06.05.2021 EU law
Abuse of economic dependence: lessons drawn from the first judgments

Short Reads - On 22 August 2020, the ban on abuse of economic dependence was implemented in Belgium (Article IV.2/1 of the Code of Economic Law). Now that almost a year has passed and the first judgments have been rendered, we assess what first lessons can be drawn from these judgments. The rulings show that the ban is regularly relied upon in court and has lowered the hurdle for plaintiffs to make their case.

Read more

04.05.2021 NL law
Participatie en privacyregels: hoe te combineren onder de Omgevingswet?

Short Reads - In het stelsel van de Omgevingswet (Ow) is een belangrijke rol bedacht voor participatie bij de totstandkoming van besluiten. Het beoogde resultaat: tijdig belangen, meningen en creativiteit op tafel krijgen en daarmee een groter draagvlak en kwalitatief betere besluitvorming bereiken. Door een grotere betrokkenheid van meer personen gaan overheden en initiatiefnemers ook meer persoonsgegevens verwerken. Dit brengt privacyrisico’s met zich mee. Wat regelt de Ow op het gebied van privacy, de verwerking van persoonsgegevens en datagebruik?

Read more

01.04.2021 NL law
Slovak Telekom: ECJ on essentials of the ‘essential facilities’ doctrine

Short Reads - Only dominant companies with a “genuinely tight grip” on the market can be forced to grant rivals access to their infrastructure. According to the ECJ’s rulings in Slovak Telekom and Deutsche Telekom, it is only in this scenario that the question of indispensability of the access for rivals comes into play. In the assessment of practices other than access refusal, indispensability may be indicative of a potential abuse of a dominant position, but is not a required condition.

Read more

01.04.2021 NL law
Pay-for-delay saga ends with nothing new; but pharma quest continues

Short Reads - On 25 March 2021, the ECJ ended the Lundbeck pay-for-delay saga by dismissing the appeals from Lundbeck and five generic manufacturers against a European Commission ‘pay-for-delay’ decision. Following its recent Paroxetine judgment, the ECJ found that Lundbeck’s process patents did not preclude generic companies being viewed as potential competitors, particularly since the patents did not represent an insurmountable barrier to entry. In addition, the patent settlement agreements constituted infringements "by object".

Read more