Growing concerns about the protection of biometric data have led the EU to propose a data protection regulation classifying such data as sensitive, thus providing it with a higher level of protection. However, until this proposal is enacted, existing EU regulations address this issue, although not always effectively, as demonstrated by the recent CJEU ruling in the Willems case, which falls short in its application of existing regulations to biometric data.

The Willems judgment concerns biometric data gathered for passports, as stipulated in a 2004 EU regulation that was amended in 2009. The CJEU has previously interpreted this regulation in cases such as UK v Council and Schwarz, focusing on aspects like UK’s participation in the regulation and its validity in relation to external border control and privacy rights.

In Willems, the national court posed two questions to the CJEU. Firstly, does the regulation extend to certain identity cards used for travel within the EU? Secondly, how should data protection rules be interpreted regarding the use of biometric data after it is collected for passport purposes? This second question arose from concerns about the storage of biometric data in a centralized database with potentially inadequate security and potential access by unidentified parties.

The CJEU clarified that the passport regulation doesn’t apply to identity cards, regardless of their validity period, based on the regulation’s wording, which specifically excludes “identity cards issued to [Member States’] nationals”. Regarding the second question, the CJEU determined that the regulation only governs data use for its own purposes and any further use, as indicated in its preamble, falls under the jurisdiction of national law. Therefore, the regulation itself doesn’t impose a purpose limitation rule on member states regarding biometric passport data, and neither does the EU Charter apply in such cases, although national law or the ECHR might restrict further data use. The CJEU also stated that an examination of the data protection directive’s impact on national law concerning storage and use of biometric data gathered for passport purposes was unnecessary since the case specifically asked for an interpretation of the passport regulation only.

While the ruling provides clarity on the scope of the passports regulation, its failure to adequately address the application of the Charter and the data protection directive to biometric databases is a significant shortcoming. The judgment incorrectly assumes that the dispute is outside the scope of EU law, therefore rendering the Charter inapplicable, even before examining the data protection directive’s relevance.

Based on the CJEU’s own precedents, the link to the passports regulation alone should bring this case within the Charter’s scope. Previous rulings, such as NS and Promusicae, demonstrate the Charter’s application to national discretion and national implementation of EU law. Similarly, last year’s Digital Rights judgment invalidated the EU’s data retention directive due to its failure to effectively regulate further national use of collected personal data.

The CJEU’s assertion that the national court solely sought an interpretation of the passport regulation is inaccurate. The court’s request clearly includes interpreting the data protection directive within the context of the regulation. This distinction is irrelevant as the CJEU has previously rephrased questions to comprehensively address the EU law issues at hand in cases like Promusicae, where the court expanded its interpretation to include relevant data protection rules. In Willems, a minor rephrasing would have sufficed to address the national court’s query about the data protection directive’s relevance.

The CJEU’s assertion that national law governs biometric databases fails to acknowledge other relevant legal provisions. The preamble of the 2004 regulation states that access to biometric passport data is “subject to any relevant provisions of [EU] law”. Furthermore, the CJEU’s own interpretation of the data protection directive in Huber regarding a comparable national database contradicts its stance in Willems. Moreover, the data protection directive applies to situations outside the scope of the passport regulation, such as biometric data in identity cards and data collected in Member States not bound by the regulation. Ignoring these aspects undermines the CJEU’s own ruling in Schwarz, which upheld the passport regulation’s validity based on its limited interference with privacy rights.

Although seemingly legalistic, these criticisms highlight a concerning trend within the CJEU. While judgments like Digital Rights and Google Spain demonstrate the court’s willingness to engage with complex issues surrounding data protection and mass surveillance, rulings like Willems reflect a reluctance to participate in these crucial legal discussions. The increasing use of “big data” and its impact on human rights demands a proactive approach from the CJEU, urging it to engage in meaningful legal debates rather than sidestepping them with flawed reasoning.