Articles

Constitutional Court: fingerprints on the Belgian eID do not infringe the rights of privacy and to data protection

Constitutional Court: fingerprints on the Belgian eID do not infringe

Constitutional Court: fingerprints on the Belgian eID do not infringe the rights of privacy and to data protection

08.02.2021 BE law

On 14 January 2021, the Constitutional Court validated a legislative measure requiring the inclusion of fingerprints on Belgian eID.  According to the Court, is not contrary to the right to privacy and the right to protection of personal data.

Introduction

On 14 January 2021, the Constitutional Court validated a legislative measure requiring the inclusion of fingerprints on Belgian electronic identity cards (eID).  According to the Court, is not contrary to the right to privacy and the right to protection of personal data.

1. Legislative background

The Law of 25 November 2018 on miscellaneous provisions concerning the National Register and population registers (hereafter, the “Law” ; Official Gazette, 13 December 2018, available in French and in Dutch) contains provisions proposing several changes to the eID. One of the major changes is the obligation for every Belgian to provide two fingerprints that will be integrated on their eID and visible only digitally (Article 27 of the Law).

This provision is the subject of the action for annulment before the Constitutional Court that is asked to verify the compatibility of this obligation to the rights to privacy and to data protection.

2. The judgment of the Constitutional Court

Specifically, three aspects of the provision are criticized.

a) The collection of fingerprints and the storage of the scanned image of the eID

The collection and storage of fingerprints constitute an interference with the two above-mentioned fundamental rights. However, the Court notes that they are provided for by law and pursue perfectly legitimate aims: combating identity fraud and protecting the rights and freedoms of others.

The Constitutional Court further stresses that fingerprints are sensitive data as defined by the GDPR (more precisely, biometric data in the sense of Article 4(14), GDPR). Their collection and storage is, however, necessary for reasons of substantial public interest and is permitted if it is proportionate to the aforementioned purpose (Article 9(2)(g)).

The Court further recalls that this objective is reflected in Regulation 2019/1157 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement (see here). Thus, the Belgian law only anticipates this European regulation.

A parallel can also be drawn with the case of Schwarz v. Stadt Bochum of the Court of Justice of the European Union that validated an identical system for passports (17 October 2013, C-291/12).

Finally, the Constitutional Court validates the proportionality test. The arrangements for collection and storage of the fingerprints do not affect the essential content of the right to privacy and the right to protection of personal data, in particular because fingerprints are no intimate data and no central register of fingerprints is created.

b) The centralised storage of the digital image for the purposes of the manufacture and issuance of the identity card

The storage is temporary (three months maximum) and is justified by the needs to manufacture and issue the eID.

For the applicants, this processing is not necessary: technically, the prints could be directly integrated into the eID. However, this stage of temporary storage is justified in particular for reasons of security and data integrity. It avoids abuses and makes it possible to centralise the integration of fingerprints into the identity card in a single place and with a single administration. In that regard, the Court does not consider such storage to be disproportionate.

c) Reading the scanned image of the fingerprints

When integrated into the eID, the fingerprints can be read by authorised authorities whose tasks are legally determined. This authorisation only allows for reading the data, not recording and storing them, and is justified by the main purpose for which the fingerprints are included in the identity card.

Conclusion

The Constitutional Court validates, subject to few clarifications of interpretation, the whole system. In view of the case law of the Court of Justice of the European Union on passports, and in view of Regulation 2019/1157, such a conclusion could be expected. However, the judgment is not without interest: it is instructive in that it justifies with precision and in the light of European texts a particular measure whose sole objective is identity fraud and therefore, ultimately, the protection of citizens.

 

By Edouard Cruysmans, Cyril Fischer and Erik Valgaeren

Team

Related news

22.07.2021 NL law
Towards a European legal framework for the development and use of Artificial Intelligence

Short Reads - Back in 2014, Stephen Hawking said, “The development of full artificial intelligence could spell the end of the human race.” Although the use of artificial intelligence is nothing new and dates back to Alan Turing (the godfather of computational theory), prominent researchers – along with Stephen Hawking – have expressed their concerns about the unregulated use of AI systems and their impact on society as we know it.

Read more

18.06.2021 NL law
FAQ: Wat houdt het Wetsvoorstel elektronische gegevensuitwisseling in de zorg (Wegiz) in en wat is de verhouding tot de AVG?

Short Reads - (Digitale) gegevensuitwisseling in de zorg is een actueel thema. Illustratief is een item bij EenVandaag van april 2021 waarin de analoge werkwijze bij gegevensuitwisseling in de zorg wordt aangekaart, maar ook dit artikel in het NRC van afgelopen maand waarin verslag werd gedaan van een datalek waardoor duizenden gevoelige patiëntgegevens op straat kwamen te liggen. 

Read more

19.07.2021 BE law
One year of Schrems II: a state of affairs for international data transfers

Articles - International data transfers have been the subject of intense debates ever since the Court of Justice issued its landmark judgement of Schrems I, on 6 October 2015. The intensity of the debate was further reinforced since the Schrems II decision one year ago, on 16 July 2020. The decision annulled the U.S. Privacy Shield and severely tightened the rules on the use of standard contractual clauses (“SCCs”).

Read more

03.06.2021 NL law
First material judgment in Dutch damages proceedings in trucks infringement

Short Reads - In its judgment of 12 May 2021, the Amsterdam District Court ruled that it has not been established that it is definitively excluded that the trucks infringement led to damage to the claimants. However, this does not alter the fact that it must still be assessed for each claimant whether the threshold for referral to the damages assessment procedure has been met. For this to be the case, it must be plausible that a claimant may have suffered damage as a result of the unlawful actions of the truck manufacturers. The Amsterdam District Court has not yet ruled on this issue.

Read more