Balancing security and privacy: CJEU Advocate General Medina's perspective on storing fingerprints in ID cards


On 29 June 2023, Advocate General (“AG”) Laila Medina released her opinion in case C-61/22 (RL v Landeshauptstadt Wiesbaden) regarding the mandatory collection and storage of fingerprints in identity cards, pending before the Court of Justice of the European Union (“CJEU”).

The background of this case and national proceedings

In November 2021, a German citizen requested the City of Wiesbaden a new identity card without a fingerprint image included in its chip. However, the authorities rejected the application, given the mandatory requirement to store a fingerprint image in the chip of new identity cards since August 2021.

Before ruling on the action against this refusal, the Administrative Court of Wiesbaden has raised concerns about the validity of certain provisions of Regulation (EU) 2019/1157 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement (“Regulation 2019/1157”) substantiating the compulsory collection and storage of fingerprints in German identity cards, and thus, referred a question to the CJEU for a preliminary ruling.

Specifically, the referring court questions whether:

  • the adoption of Regulation 2019/1157 was based on the appropriate legal basis, namely Article 21 (2) of the Treaty on the Functioning of the European Union (TFEU), rather than Article 77 (3) of the same treaty;
  • Regulation 2019/1157 is compatible with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, in conjunction with Article 52 (1) of the Charter;
  • Regulation 2019/1157 aligns with the obligation to conduct a data protection impact assessment (“DPIA”) under Article 35 (10) of the GDPR.

The AG Opinion

In a nutshell, the AG considered that:

  • Regulation 2019/1157 was correctly adopted based on Article 21 (2) of the TFEU, to promote the unrestricted mobility and residency rights of EU citizens within the Member States, considering that:
    • the freedom of EU citizens to explore and establish themselves in any Member State enables them to immerse themselves in the other residents’ daily life in their host country; as a result, the national identity cards serve the same functions as they do for those residents, acting as a reliable and authentic proof of identity that facilitates the unrestricted enjoyment of free movement;
    • the harmonization of national identity cards’ format and the enhancement of their reliability through security standards, including digital fingerprints, directly influence the exercise of that right, by making them more trustworthy and easily accepted by both the authorities of Member States and service-providing entities;
    • the authority granted to the Council by Article 77 (3) TFEU should be interpreted as applicable solely to matters related to border control policies. Therefore, any EU measure that extends beyond those matters, such as Regulation 2019/1157, would not fall under that provision;
  • the requirement to collect and retain a biometric image of two fingerprints in identity cards does not constitute an unjustified limitation on the fundamental right to respect for private life with regard to the processing of personal data, considering that:
    • Regulation 2019/1157 introduces provisions comparable to those scrutinized by the CJEU in Case C‑291/12 (i.e., concerning passports) and therefore, it becomes crucial to determine if such data processing can be justified under the provisions of Article 52 (1) of the Charter;
    • regarding the assessment of whether the limitations imposed by Regulation 2019/1157 satisfy an objective of general interest, the AG believes that the absence of uniformity in the formats and security attributes of national identity cards increases the risk of falsification and document fraud. In this context, the limitations introduced by Regulation 2019/1157 aiming to mitigate such risks and foster the acceptance of these cards pursue such an objective of general interest;
    • the limitations are suitable, necessary, and do not exceed what is essential to accomplish the primary objective of Regulation 2019/1157, since there doesn’t appear to be an alternative method equally effective yet less intrusive than capturing and storing fingerprints to achieve the aims set out in Regulation 2019/1157. Moreover, Regulation 2019/1157 includes adequate and appropriate measures to ensure effective protection against the misuse and abuse of biometric identifiers. These measures ensure that the biometric identifiers stored in newly issued cards remain under the exclusive control of the cardholder and are not publicly accessible;
  • concerning the issue of whether Regulation 2019/1157 complies with the requirement to conduct a DPIA under the GDPR, the AG highlights that such an obligation does not apply during the adoption of a norm of EU secondary law, and thus, the process for adopting Regulation 2019/1157 cannot be considered as breaching the GDPR requirement to conduct a DPIA, considering that:
    • both the GDPR and Regulation 2019/1157 are secondary legislation acts, holding equal positions within the hierarchy of EU legal sources;
    • unless an act of secondary EU legislation contains a provision expressly giving primacy over another, the validity of the latter cannot be evaluated in the light of the former.

Following this opinion, now we await the CJEU’s decision.

The press release is available here, and the full opinion is available here.