EU Collection of Fingerprints for Passports Threatens Privacy, but Is Lawful, ECJ Rules

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner  

Oct. 18 --A European Union regulation requiring the inclusion of digitized fingerprints in passports infringes the right to privacy and the protection of personal data, but is nevertheless justified as a measure to prevent the fraudulent use of passports, the European Court of Justice ruled Oct. 17 (Schwarz v. Bochum, E.C.J., No. C/291/12, 10/17/13).

Under a 2004 regulation on integration of biometric features in passports and travel documents (Regulation (EC) No 2252/2004), EU member states are required as a security measure to include in passports a digitized facial image and two fingerprints of the holder .

German Resident Filed Suit

The validity of the requirement was questioned by a German resident, Michael Schwarz, whose application for a passport was rejected after he refused to have his fingerprints taken. Schwarz brought an action against the rejection before a German administrative court, which referred it to the ECJ for an interpretation of EU law.

Taking and storing fingerprint data “constitutes a threat to the rights to respect for private life and the protection of personal data. Accordingly, it must be ascertained whether that twofold threat is justified,” the court said in its judgment opinion.

In an Oct. 17 statement accompanying the judgment, the Luxembourg-based European Court of Justice said “the contested measures pursue, in particular, the general interest objective of preventing illegal entry into the EU” and are “appropriate for attaining the aim of protecting against the fraudulent use of passports.”

Furthermore, the 2004 regulation “was adopted on an appropriate legal basis,” and “the procedure leading to the adoption of the measures applicable in the present case is not vitiated by any defect,” the court added.

The court also noted that although digitized fingerprints may be stored in passports, the 2004 regulation didn't include a provision for storing fingerprints in a database and “cannot in and of itself be interpreted as providing a legal basis for the centralised storage of data collected thereunder.”

Further Challenges?

Gus Hosein, executive director of London-based Privacy International, an advocacy group campaigning for privacy rights, told Bloomberg BNA Oct. 18 that the court had “narrowly interpreted” EU law, and there was potential for challenges against the taking of fingerprints for inclusion in passports to be brought before the European Court of Human Rights.

The court ruling was the “perpetuation of a stupid mistake” made by the European Parliament when it approved the collection of fingerprints for passports, Hosein said.

The EU regulation goes beyond international standards, such as the International Civil Aviation Organization recommendation that biometric passports should contain a digitized photograph, he said.

In 2008, the European Commission proposed revisions to the biometric passport requirements--a move the European Data Protection Supervisor said didn't go far enough to protect privacy --but the proposal didn't move forward.

EU member states Denmark, Ireland and the United Kingdom opted out of the regulation requiring the inclusion of fingerprints in passports.


To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald G. Aplin at

Full text of the European Court of Justice's opinion is available at

Request Bloomberg Law: Privacy & Data Security