Joined Cases C-446/12 – 449/12 Willems: The CJEU washes its hands of Member States’ fingerprint retention
Eduardo Gill-Pedro
When is the Charter of Fundamental Rights of the EU applicable to a Member State measure? In C-446/12 – 449/12 Willems the CJEU held that a Member State which stores and uses fingerprint data, originally collected in compliance with Regulation No 2252/2004, but which the Member State then uses for purposes other than those stipulated in the Regulation, is not acting within the scope of EU law, and therefore is not bound by the Charter. This case appears to indicate a retreat by the Court from the expansive interpretation of the scope of application of the Charter which it had previously laid down in C-617/10 Fransson.
Facts and judgment
Council Regulation No 2252/2004/EC requires Member States to collect and store biometric data, including fingerprints, in the storage medium of passports and other travel documents, and require that such data be used for verifying the authenticity of the document or the identity of the holder. The Netherlands introduced measures requiring the collection and retention of the fingerprint data for use in connection with travel documents. However, those national measures also provide that such data can be kept in a central register, and used for other purposes (such as national security, prevention of crime and identification of disaster victims). The applicants made passport applications, but refused to provide the fingerprint data. They argued, inter alia, that the storage and further use of those data breached their fundamental rights under Article 7 and 8 of the Charter of Fundamental Rights of the EU. The national court referred two questions for preliminary ruling.
The first question concerned the applicability of the Regulation to national identity cards. The Court held that the Regulation did not apply to such cards. The second question is the one I want to focus on: Does Article 4(3) of the Regulation, read together with Articles 6 and 7 of Directive 95/46/EC and Articles 7 and 8 of the Charter, require Member States to guarantee that the biometric data collected and stored pursuant to that Regulation will not be collected, processed and used for purposes other than the issue of passports or other travel documents?
The ECJ had already held (in C-291/12 Schwarz) that the collection of those data for the purposes stipulated in the regulation (to verify the authenticity of the passport or the identity of the holder) was compatible with the Charter. The question was whether further processing of those data by the Member State would similarly be compatible.
The Court noted that the Regulation did not provide a legal basis for such further processing – if a Member State were to retain those data for other purposes, it would need to do so in exercise of its own competence (para 47). On the other hand, the Regulation did not require a Member State not to use it for other purposes. From these two observations the Court concluded that the Regulation was not applicable. The Court then cited its famous passage in C-617/10 Fransson where it had held that the applicability of EU law entails the applicability of the Charter. As the Regulation was not applicable, the Charter was not applicable either.
The Court then turned to Directive 95/46/EC (the Data Protection Directive). It merely observed that the referring court requested the interpretation of the Regulation “and only that Regulation”. As the Regulation was not applicable, there was no need to examine whether the Data Protection Directive may affect the national measures.
Comment
I will focus on the question of applicability of the Charter (See Steve Peers comment on the “appalling” reasoning of the Court in respect of the Data Protection Directive). This judgment appears to signal a retreat by the Court from the expansive understanding of the scope of application which was laid down in Fransson. It is true that in that case the Court had held that when EU law is not applicable, the Charter is not applicable. But when applying that test to the facts, the Court observed that the national (Swedish) measure was connected (in part) to infringements of the VAT Directive, and therefore was designed to implement an obligation imposed on the Member States by EU law “to impose effective penalties for conduct prejudicial to the financial interests of the European Union”. So in Fransson the Court held that national measures which were connected in part to a specific obligation imposed by EU law on the Member State fell within the scope of application of EU law, and therefore of the Charter.
In the present case, the national measures are designed (in part) to implement the obligation imposed on the Member States by the Regulation, to collect and retain fingerprint data. Applying the reasoning in Fransson it would seem to follow that such measures would fall within the scope of EU law – after all, the measures relate to the retention of fingerprints, and the reason the fingerprints need to be retained stems from a specific obligation imposed, by EU law, on Member States: the obligation to collect and store biometric data with a view to issuing passports and travel data, set out in Article 4(3) of the Regulation.
Of course, this case can be distinguished from Fransson. In Fransson the Member State’s measure could be seen as not only stemming from the specific obligation imposed by EU law, but also as furthering the EU purpose of preventing conduct prejudicial to its financial interests. In contrast, in the present case the Member State’s measure is in furtherance of a member state’s purposes, and not an EU purpose.
But such a distinction would seem to entail a very strict approach to what obligations are imposed by EU law. Because the obligation which the Regulation imposes is not just to collect and store date, but also (under Article 4(3) of the Regulation) to ensure that the data are only used to for the specified purposes set out in the Regulation. That obligation was subsequently modified by Recital 5 in Regulation 444/2009, which states that Regulation 2252/2004 is “without prejudice to any other use or storage of these data in accordance with national legislation of Member States.” But is such a Recital sufficient to place the measures concerning those data outside the scope of EU law, or does it merely confer a discretion on states to adopt such measures, provided that they are compatible with EU law? Unfortunately, the reasoning in this judgment does not provide much guidance.
Conclusion
The approach of the Court in Fransson did not meet universal approval, and the judgement of the German Federal Constitutional Court in the Counter-Terrorism Database case may be read as a warning shot across the CJEU’s bows to make sure that the Charter is not applied to Member States’ measures in a way that “question[s] the identity of the [national] constitutional order”. And by emphasising the autonomy of EU fundamental rights in its recent Opinion 2/13 on the accession to the ECHR, the Court certainly raised the stakes involved in demanding Member State compliance with the Charter. So this case may indicate a desire to ensure that the EU fundamental rights standard is reserved for those Member State measures where it matters most that a EU standard is applied – those matters where the primacy, unity and effectiveness of EU law is at stake.
In effect, this case can be read as tacit acceptance of AG Cruz Villalón in his Opinion in Fransson, who proposed that the oversight by the Court of the exercise of public authority by the Member States be limited to those cases where there was “a specific interest of the Union in ensuring that that exercise of public authority accords with the interpretation of the fundamental rights by the Union”. However, that Opinion was a well reasoned legal argument. This judgment leaves many questions unanswered, and makes it very difficult to predict when a national measure will fall within the scope of EU law.
Furthermore, this approach sits uneasily with the self-understanding of the EU as a Union based on the rule of law inasmuch as neither Member States nor its institutions can avoid review of the conformity of their acts with fundamental rights (C-402/05 P and C-415/05 P Kadi). Through this Regulation, the EU requires the Member States to collect and store sensitive personal data of all EU citizens who wish to travel; but where the Member States go on to use those data in ways that may breach the fundamental rights of those EU citizens, the Court washes its hands of the matter.
12 comments
Spain? It does not affect the excellent legal analysis, but it seems the case stems from the Netherlands: parties, law and courts
Thank you for spotting that. All the cases were referred from a Dutch court, the Raad van State, and concerned national measures from the Netherlands, not from Spain. Apologies for the ‘rookie mistake’!
Thank you Ignacio, we have amended the text accordingly.
Recitals complement teleological thinking along the lines of the objectives as stated in the treaties, or may help to discern historical arguments in interpretation. No issue, I think, in using recitals to define the proper scope of regulation, and in turn, the scope of application of EU law in the area.
Thanks for your comment, Tomáš,
My issue is not with the use of recitals to define the scope of a Regulation, but with the use of ‘such a recital’ (i.e. a recital which, on the face of it appears to allow member states discretion to use the collected date for other purposes) to exclude that exercise of discretion from the scope of EU law in toto. The Court has previously held that such an exercise of discretion was still governed by EU law (see for instance the judgment in C 411/10 N.S.). It is possible that this case is distinguishable from N.S. and other such cases, but then it would be helpful to have an indication from the Court of how this is so. My view is that merely pointing to existence of the Recital, without more, does not suffice to show why the use of this data by the member state falls outside the scope of EU law.
Thank you, Eduardo, for clarification. I do indeed believe that the N.S. case might be distinguished as there the discretion was allowed by an express wording of the asylum regulation and was “a part of the established system” (see for example point 64 et seq. of the judgment). But here, the discretion is not as much created by the system of the regulation as it is rather residual with the member states outside of EU law’s boundaries. In such cases, recitals have been playing major role in defining the proper scope of regulations (case law on Brussels 1 regulation may be a good example).
I agree fully thought that the court could do more to better explain its position, particularly in such a sensitive matter as data retention.
This conversation could go on ad infinitum (hopefully not ad nauseam!). But I think it is helping to clarify the analysis of this case, so it is worth pursuing a bit further.
You make a very important point – In N.S. the Member State discretion is provided by the EU rules themselves. In the words of the ECJ it is “discretionary power [which] forms an integral part of the Common European Asylum System provided for by the TFEU Treaty and developed by the European Union legislature”. Therefore the member state’s exercise of that discretion is within the scope of EU law.
You distinguish Willens on the grounds that the member state discretion is “residual with the member states outside of EU law’s boundaries”. That would imply that this is a member state power which has not been conferred on the Union. The question then is – did Holland have the power to store and use fingerprints for purposes of crime prevention, etc, prior to, and independently of, the EU Regulations. In theory, perhaps yes (I know little of Dutch law). In practice, no – because it could only exercise such power if it had the fingerprints in the first place. Remember that the provisions which required Holland to collect the fingerprints were the EU Regulations. Absent those Regulations, Holland would not have collected the fingerprints, and so would not be in a position to exercise discretion on how to store and further use them.
So while the member state’s discretion might not stem ‘de jure’ from EU law, it is a discretion which is ‘de facto’ made possible by EU law. Therefore, it would seem consistent with N.S. to also consider the exercise of such discretion to fall within the scope of EU law.
Thank you for this excellent analysis and discussion. I am afraid I disagree.
Article 4(3) does not state that the collected data can only be used for those two purposes. It states that ‘For the purpose of this Regulation’ it can only be used for those purposes. I do not see how that excludes further use outside the four corners of the Regulation. It could have done so: it simply needed to exclude those first six words.
Nor is it correct that EU law required (or provided a legal basis for) the retention of these data by the MSs. EU law only required that the passports themselves contained the data. See Schwarz §62. In this sense, it is also incorrect to argue that recital 5 ‘modified’ the regulation: see Schwarz §61.
Centralising this data and using it for other purposes is therefore outside of the scope of the Regulation. One may disagree with this for policy reasons, although Schwarz §§61-62 points out that such centralisation can itself be challenged at national level (at which point Dir 95/46 could come into play). But it was open to the European legislature to provide that in mandating collection they were also prohibiting centralisation and further use, and it chose not to.
As for the ‘discretion’ argument, I would echo Tomas Pavelka’s point on the recital. I disagree with the analogy drawn with NS: the factors for NS were that (a) the discretion was a derogation from the regulation, (2) the discretion formed an integral part of the system and (3) use of the discretion gave rise to specific consequences under the regulation, including for other MSs (§§65 and 67). None of these factors is present here. By contrast, in NS the factor you mention – that de facto they can only use national law because EU law provided the data – did not exist. Their ability to register an asylum seeker did not arise because EU law gave them the asylum seeker. Again, one might disagree with this for policy reasons, but I do not think that NS would apply here.
Hi Niall,
Thank you for your kind words, and thank you also for the thoroughgoing critique of my arguments. I think the adjudication of fundamental rights by the CJEU is a matter of fundamental importance, and in respect of which there is considerable disagreement, so discussion is necessary. I think, however, that we should be wary of getting too engrossed in technical details that we fail to see the bigger picture,
You do not see how the wording of the Regulation “excludes further use outside the four corners of the Regulation.” I did not claim that it did exclude further use – on the contrary, I said that it made such further use possible. What I did say was that such further use was still a member state measure that fell within the scope of EU law, and therefore the Charter should have applied.
You also claim that I was incorrect in holding that the Regulation provided a legal basis for the retention of the fingerprint data by the member states. You claim that it only required “that the passports themselves contained that data”. But to see the retention of the date in the passport chip as something that ‘belongs to the holder alone’ (as the ECJ did in Schwarz) does not seem credible. You may be the bearer of the passport, but it is issued by the state and its use is controlled by the state so data stored in the passport chip is not data that ‘belongs to you alone’, but is data which of which the state has significant control over. So the Regulation imposes obligations on the member states not just in respect of collection, but also in respect of storage of those data.
Your citation of Schwarz §§61-62 is strange – you state that the Court held that such centralisation can itself be challenged at national level (at which point Dir 95/46 could come into play). But this is precisely what Willems tried to do – challenge the national measures entailing such centralization. And this is where the Court held that neither Dir 95/46 nor the Charter ‘could come into play’ because the matter is outside the scope of EU law. As Steve Peers pointed out, it was this possibility for individuals to challenge more extensive intrusions of their privacy by member states that allowed the Court to declare the Regulation valid in Schwarz. By now washing its hands of the matter and refusing to engage with these very intrusive national measures, the Court is, as Peers put it “undercutting its own ruling in Schwarz”.
Regarding the claim that NS is not analogous, you list three grounds. As I see it, all three grounds are made out:
a) Discretion was a derogation from the Regulation. Not sure why that is so crucial – the scope of EU law covers both implementation and derogation. However, here the discretion of the member state is provided by way of a derogation from the general rule (set out in Art 4(3)), which prohibits use of the data for other purposes.
b) the discretion formed an integral part of the system – How member states use the biometric data which they collect and retain in respect of the Regulation is surely an integral part of the system of collection and storage of biometric data established by “Council Regulation on standards for security features and biometrics in passports”.
c) use of the discretion gave rise to specific consequences under the regulation – if you consider that potential breaches of fundamental rights of all Dutch passport users is a ‘specific consequence’ then this criterion applies. I certainly do.
You also, rather cryptically, state that NS is distinguishable because the MS “ability to register an asylum seeker did not arise because EU law gave them the asylum seeker”. This only serves to prove my point. Even though in NS the MS was discharging an obligation under international law, because this had been harmonized by the Regulation, then the exercise of discretion by the MS was in the scope of EU Law. Here, the MS is discharging a specific obligation that arises as a result of EU law, and it is this that, de facto, which gives them the discretion to then retain it for other purposes. Absent EU law, there is then no obligation to collect and retain and so no possibility to exercise discretion. So all the more reason to consider that the MS is in the scope of EU law.
Finally, you mention that the Dutch measures did not give rise to consequences for other member states. I think you may be on to something there. This Dutch measure was not considered to “undermine the unity, primacy and effectiveness of EU law”, and therefore the CJEU did not feel it necessary to apply the EU fundamental rights standard, but left the matter for the member state. This is one interpretation of the Court’s motivation. You claim that I might object to this for policy reasons. I do not. I object to it for legal reasons – EU law requires that member states, when they implement EU law, respect the Charter rights, and the Court is charged by the Treaties to ensure that, in the application of the Treaties, the law is observed. There may be policy reasons why the Court decided to look the other way on this occasion, but asking the court to live up to its legal commitments is not a policy argument.
Dear Eduardo,
Many thanks for your reply – and apologies for the large delay in my own.
I would agree with your warning on getting lost in the technical side and losing track of the bigger picture. I will thus start with a point about the bigger picture and then reply to your points more briefly.
Reg 2252/2004 is about one thing: ensuring that certain biometric data is contained with EU passports. Those passports are not in the possession of the state. They are in the possession of the holder. The Regulation explicitly does not require that MSs hold that data centrally too. The Regulation provides no legal basis for MSs to do so. If MSs additionally wish to store that data centrally, they require a wholly separate legal basis. That legal basis can itself be challenged.
This is the fundamental point that Schwarz made at 61-62 and Reg 444/2009’s recital 5 makes.
Two points follow. First, it is incorrect to state that it is not ‘credible’ that the data stored on a passport is not in the state’s control, or that the Regulation provides no basis for data retention. In principle, it would be possible for a state to issue passports and retain none of the biometric data centrally. That is: the state could fulfil their EU law obligations without any centralised data retention.
This does raise other questions: in practice, we both know that the states will retain that data centrally. But that goes to the broader debate of why states and organisations tend to retain data whenever they get the opportunity to collect it. It does not change the fact that EU law only requires the collection and depositing on decentralised passports of biometric data, not its centralised retention.
Second, the EU legislature made (I would argue) a quite conscious choice to limit the scope of the Regulation in this way. It may be that one of the legislature’s motivations was to ensure that only this narrow part was directly reviewable by the CJEU (rather than indirectly via Dir 95/46). Another may have been the principle of subsidiarity. In either case, those limits should be respected by the Court.
This is why I disagree with your view that the centralised retention of the data is, as a matter of law (rather than what you or I might want for policy reasons), within the scope of EU law by virtue of Reg 2252/2004. It so happens that Dir 95/46 might bring it within the scope of EU law, but that is an entirely separate argument.
To briefly address the individual points:
1) on the ‘four corners’ point, I read this sentence as simplying that Art 4(3) itself limited the use of the collected data: ‘Because the obligation which the Regulation imposes is not just to collect and store date, but also (under Article 4(3) of the Regulation) to ensure that the data are only used to for the specified purposes set out in the Regulation.’ But evidently I misunderstood it.
2) on the legal basis for retention – addressed above.
3) on Schwarz at 61-62: I am not sure that this is what Willems says. I do not read it as placing the database outside of Dir 95/46 or EU law. I instead read it as answering the question referred by the Dutch courts, i.e. whether Art 4(3) of Reg 2252/2004 *itself* brought it within EU law. In light of Schrems, I think it is strongly arguable that this reflects a failure on the parties/court’s part to refer the correct question. There is an argument, as Peers says, that the Court should have rephrased it to ask the correct question. But the court is not obliged to do this (and it is not immediately obvious what the rephased question would be).
4) On NS: (a) yes, quite – but derogations tend to be interpreted particularly strictly. Again, I disagree that this was a derogation from Art 4(3) because, as above, Art 4(3) is explicitly limited to the scope of the Regulation itself. It explicitly does not apply, as the Regulation itself does not apply, to any incidental retention.
(b) again, I disagree for the reasons set out above.
(c) even if this does violate the CFR, how would that be a consequence *under the Regulation*?
5) on the ‘cryptic’ point – my point was this: in NS itself, the asylum seeker did not come to the MS under EU law. It is thus strange to rely on NS as authority for the view that simply because data is collected to discharge an EU law obligation, the entire process and any subsequent retention comes within EU law.
6) unity/primacy/effectiveness: yes, I had not thought about it that way. As for the policy/legal point, I think I addressed that above.
I hope this contributes to the need for discussion to which you referred.
Niall