On 14 January 2021, the Constitutional Court validated a legislative measure requiring the inclusion of fingerprints on Belgian eID. According to the Court, is not contrary to the right to privacy and the right to protection of personal data.
On 14 January 2021, the Constitutional Court validated a legislative measure requiring the inclusion of fingerprints on Belgian electronic identity cards (eID). According to the Court, is not contrary to the right to privacy and the right to protection of personal data.
1. Legislative background
The Law of 25 November 2018 on miscellaneous provisions concerning the National Register and population registers (hereafter, the “Law” ; Official Gazette, 13 December 2018, available in French and in Dutch) contains provisions proposing several changes to the eID. One of the major changes is the obligation for every Belgian to provide two fingerprints that will be integrated on their eID and visible only digitally (Article 27 of the Law).
This provision is the subject of the action for annulment before the Constitutional Court that is asked to verify the compatibility of this obligation to the rights to privacy and to data protection.
2. The judgment of the Constitutional Court
Specifically, three aspects of the provision are criticized.
a) The collection of fingerprints and the storage of the scanned image of the eID
The collection and storage of fingerprints constitute an interference with the two above-mentioned fundamental rights. However, the Court notes that they are provided for by law and pursue perfectly legitimate aims: combating identity fraud and protecting the rights and freedoms of others.
The Constitutional Court further stresses that fingerprints are sensitive data as defined by the GDPR (more precisely, biometric data in the sense of Article 4(14), GDPR). Their collection and storage is, however, necessary for reasons of substantial public interest and is permitted if it is proportionate to the aforementioned purpose (Article 9(2)(g)).
The Court further recalls that this objective is reflected in Regulation 2019/1157 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement (see here). Thus, the Belgian law only anticipates this European regulation.
A parallel can also be drawn with the case of Schwarz v. Stadt Bochum of the Court of Justice of the European Union that validated an identical system for passports (17 October 2013, C-291/12).
Finally, the Constitutional Court validates the proportionality test. The arrangements for collection and storage of the fingerprints do not affect the essential content of the right to privacy and the right to protection of personal data, in particular because fingerprints are no intimate data and no central register of fingerprints is created.
b) The centralised storage of the digital image for the purposes of the manufacture and issuance of the identity card
The storage is temporary (three months maximum) and is justified by the needs to manufacture and issue the eID.
For the applicants, this processing is not necessary: technically, the prints could be directly integrated into the eID. However, this stage of temporary storage is justified in particular for reasons of security and data integrity. It avoids abuses and makes it possible to centralise the integration of fingerprints into the identity card in a single place and with a single administration. In that regard, the Court does not consider such storage to be disproportionate.
c) Reading the scanned image of the fingerprints
When integrated into the eID, the fingerprints can be read by authorised authorities whose tasks are legally determined. This authorisation only allows for reading the data, not recording and storing them, and is justified by the main purpose for which the fingerprints are included in the identity card.
The Constitutional Court validates, subject to few clarifications of interpretation, the whole system. In view of the case law of the Court of Justice of the European Union on passports, and in view of Regulation 2019/1157, such a conclusion could be expected. However, the judgment is not without interest: it is instructive in that it justifies with precision and in the light of European texts a particular measure whose sole objective is identity fraud and therefore, ultimately, the protection of citizens.
By Edouard Cruysmans, Cyril Fischer and Erik Valgaeren