Joined Cases C-446/12 – 449/12 Willems: The CJEU washes its hands of Member States’ fingerprint retention
When is the Charter of Fundamental Rights of the EU applicable to a Member State measure? In C-446/12 – 449/12 Willems the CJEU held that a Member State which stores and uses fingerprint data, originally collected in compliance with Regulation No 2252/2004, but which the Member State then uses for purposes other than those stipulated in the Regulation, is not acting within the scope of EU law, and therefore is not bound by the Charter. This case appears to indicate a retreat by the Court from the expansive interpretation of the scope of application of the Charter which it had previously laid down in C-617/10 Fransson.
Facts and judgment
Council Regulation No 2252/2004/EC requires Member States to collect and store biometric data, including fingerprints, in the storage medium of passports and other travel documents, and require that such data be used for verifying the authenticity of the document or the identity of the holder. The Netherlands introduced measures requiring the collection and retention of the fingerprint data for use in connection with travel documents. However, those national measures also provide that such data can be kept in a central register, and used for other purposes (such as national security, prevention of crime and identification of disaster victims). The applicants made passport applications, but refused to provide the fingerprint data. They argued, inter alia, that the storage and further use of those data breached their fundamental rights under Article 7 and 8 of the Charter of Fundamental Rights of the EU. The national court referred two questions for preliminary ruling.
The first question concerned the applicability of the Regulation to national identity cards. The Court held that the Regulation did not apply to such cards. The second question is the one I want to focus on: Does Article 4(3) of the Regulation, read together with Articles 6 and 7 of Directive 95/46/EC and Articles 7 and 8 of the Charter, require Member States to guarantee that the biometric data collected and stored pursuant to that Regulation will not be collected, processed and used for purposes other than the issue of passports or other travel documents?
The ECJ had already held (in C-291/12 Schwarz) that the collection of those data for the purposes stipulated in the regulation (to verify the authenticity of the passport or the identity of the holder) was compatible with the Charter. The question was whether further processing of those data by the Member State would similarly be compatible.
The Court noted that the Regulation did not provide a legal basis for such further processing – if a Member State were to retain those data for other purposes, it would need to do so in exercise of its own competence (para 47). On the other hand, the Regulation did not require a Member State not to use it for other purposes. From these two observations the Court concluded that the Regulation was not applicable. The Court then cited its famous passage in C-617/10 Fransson where it had held that the applicability of EU law entails the applicability of the Charter. As the Regulation was not applicable, the Charter was not applicable either.
The Court then turned to Directive 95/46/EC (the Data Protection Directive). It merely observed that the referring court requested the interpretation of the Regulation “and only that Regulation”. As the Regulation was not applicable, there was no need to examine whether the Data Protection Directive may affect the national measures.
I will focus on the question of applicability of the Charter (See Steve Peers comment on the “appalling” reasoning of the Court in respect of the Data Protection Directive). This judgment appears to signal a retreat by the Court from the expansive understanding of the scope of application which was laid down in Fransson. It is true that in that case the Court had held that when EU law is not applicable, the Charter is not applicable. But when applying that test to the facts, the Court observed that the national (Swedish) measure was connected (in part) to infringements of the VAT Directive, and therefore was designed to implement an obligation imposed on the Member States by EU law “to impose effective penalties for conduct prejudicial to the financial interests of the European Union”. So in Fransson the Court held that national measures which were connected in part to a specific obligation imposed by EU law on the Member State fell within the scope of application of EU law, and therefore of the Charter.
In the present case, the national measures are designed (in part) to implement the obligation imposed on the Member States by the Regulation, to collect and retain fingerprint data. Applying the reasoning in Fransson it would seem to follow that such measures would fall within the scope of EU law – after all, the measures relate to the retention of fingerprints, and the reason the fingerprints need to be retained stems from a specific obligation imposed, by EU law, on Member States: the obligation to collect and store biometric data with a view to issuing passports and travel data, set out in Article 4(3) of the Regulation.
Of course, this case can be distinguished from Fransson. In Fransson the Member State’s measure could be seen as not only stemming from the specific obligation imposed by EU law, but also as furthering the EU purpose of preventing conduct prejudicial to its financial interests. In contrast, in the present case the Member State’s measure is in furtherance of a member state’s purposes, and not an EU purpose.
But such a distinction would seem to entail a very strict approach to what obligations are imposed by EU law. Because the obligation which the Regulation imposes is not just to collect and store date, but also (under Article 4(3) of the Regulation) to ensure that the data are only used to for the specified purposes set out in the Regulation. That obligation was subsequently modified by Recital 5 in Regulation 444/2009, which states that Regulation 2252/2004 is “without prejudice to any other use or storage of these data in accordance with national legislation of Member States.” But is such a Recital sufficient to place the measures concerning those data outside the scope of EU law, or does it merely confer a discretion on states to adopt such measures, provided that they are compatible with EU law? Unfortunately, the reasoning in this judgment does not provide much guidance.
The approach of the Court in Fransson did not meet universal approval, and the judgement of the German Federal Constitutional Court in the Counter-Terrorism Database case may be read as a warning shot across the CJEU’s bows to make sure that the Charter is not applied to Member States’ measures in a way that “question[s] the identity of the [national] constitutional order”. And by emphasising the autonomy of EU fundamental rights in its recent Opinion 2/13 on the accession to the ECHR, the Court certainly raised the stakes involved in demanding Member State compliance with the Charter. So this case may indicate a desire to ensure that the EU fundamental rights standard is reserved for those Member State measures where it matters most that a EU standard is applied – those matters where the primacy, unity and effectiveness of EU law is at stake.
In effect, this case can be read as tacit acceptance of AG Cruz Villalón in his Opinion in Fransson, who proposed that the oversight by the Court of the exercise of public authority by the Member States be limited to those cases where there was “a specific interest of the Union in ensuring that that exercise of public authority accords with the interpretation of the fundamental rights by the Union”. However, that Opinion was a well reasoned legal argument. This judgment leaves many questions unanswered, and makes it very difficult to predict when a national measure will fall within the scope of EU law.
Furthermore, this approach sits uneasily with the self-understanding of the EU as a Union based on the rule of law inasmuch as neither Member States nor its institutions can avoid review of the conformity of their acts with fundamental rights (C-402/05 P and C-415/05 P Kadi). Through this Regulation, the EU requires the Member States to collect and store sensitive personal data of all EU citizens who wish to travel; but where the Member States go on to use those data in ways that may breach the fundamental rights of those EU citizens, the Court washes its hands of the matter.