Is Processing Biometric Data of Turkish Nationals in a National Database Lawful under the EEC-Turkey Agreement? Reflections on the Judgment in A, B and P (C-70/18)
*I am indebted to Prof. Kees Groenendijk for his valuable comments on a previous draft of this blog post. Many thanks also to Teresa Quintel for reading through this blog post. An annotation in Dutch will be published by Evelien Brouwer in issue 16 of Jurisprudentie Vreemdelingenrecht.
In the aftermath of Digital Rights Ireland -the landmark ruling that invalidated Directive 2006/24/EC on the retention of telecommunications metadata for law enforcement purposes– Steve Peers heralded a new era of ‘privacy spring’. Indeed, since then, a series of important judgments –such as Schrems Tele2 and Opinion 1/15– have been released, affirming the prime importance of the rights of private life and personal data protection particularly in the law enforcement context. However, the Luxembourg Court’s judgment of 3 October 2019 in the case of A, B and P leads us to wonder whether in the case of third-country nationals we are still amidst the ‘privacy winter’.
The facts of the case involve two Turkish nationals. The first one, Mr A, required a temporary residence permit after taking up employment in the Netherlands. The second one Mr B, married to dual national (Turkish—Dutch) Ms Pa, applied for a temporary residence permit for family reunification. In both cases, in accordance with Article 106a(1) of the Vreemdelingenwet 2000 (Law on Foreign Nationals), the issuance of the permit was made conditional upon the collection, recording and retention of specific biometric data -a full set of fingerprints and facial image- in a central filing system. The applicants lodged appeals concerning this requirement, which the Staatsecretaris dismissed. As a result actions were brought before the District Court of The Hague. While that Court declared those actions well founded, on appeal, the Dutch Council of State decided to stay the proceedings and refer the case to the Court of Justice.
The CJEU judgment
The Court was first asked to determine whether the Dutch rule concerning the mandatory processing of biometric data for the purposes of issuing a temporary residence permit constitutes a ‘new restriction’ within the meaning of Article 7 of Decision No 2/76 and Article 13 of Decision 1/80, and, if so, whether such restriction could be justified by its objective, which is to prevent identity and document fraud. Article 7 of Decision No 2/76 prohibits the introduction of new restrictions on the conditions of access to employment applicable to workers legally resident and employed in their territory. Article 13 is the standstill clause that prohibits generally the introduction of any new national measure with the objective or effect of making the exercise by a Turkish national of the freedom of movement of workers on national territory subject to conditions more restrictive than those applied at the time when these decisions entered into force (para 37). The Court noted that the rule in question falls within the scope ratione temporis of Article 13 of Decision 1/80 only (paras 34-36). Reiterating its pronouncements in Demir, it pointed out that proscription includes new restrictions relating to both the substantive and the procedural conditions governing the first admission into the territory of the Member State where the Turkish national intends to exercise that freedom.
The Court found no difficulty in ascertaining that the rule in question constitutes a ‘new restriction’; the conditions for issuing a temporary residence permit were made more restrictive that those applied when Decision 1/80 came into force (paras 41-43). As mentioned in Yön, a restriction is prohibited unless it falls within the remit of Article 14 of that decision, or unless it is justified by an overriding reason of public interest, is suitable to achieve the legitimate objective pursued and does not go beyond what is necessary to attain that objective (para 44).
With regard to the objective pursued, the Court recalled its findings in Demir that preventing unlawful entry and residence constitutes such an overriding reason. Schwarz was also relevant; in that case, the Court opined that the retention of two fingerprints in EU passports pursued an objective of legitimate interest, namely the prevention of illegal entry. In addition, the Court made reference to Regulation 767/2008 on the Visa Information System (VIS Regulation) and Regulation 2019/817 concerning interoperability between EU databases since both instruments refer to the fight against identity fraud as one of their objectives (paras 47-49).
Furthermore, the appropriateness of collecting biometric data for the stated purpose was justified in the light of the attributes of biometrics to ‘identify precisely the person concerned and to detect identity and document fraud by comparing the biometric data of the applicant […] with those contained in that filing system’ (para 50). As for the proportionality, the ‘new restriction’ was analysed through the lens of the ‘protection of the right to privacy in the processing of personal data’, as enshrined in Articles 7 and 8 of the EU Charter of Fundamental Rights. In that respect, the Court raised five points :
- In order to prevent and combat identity and document fraud, Member States must verify the declared identity of the applicant. As Advocate General Pitruzella noted in his Opinion, a comparison of fingerprints against those stored in the filing system serves to verify that no other application has been submitted before under a different identity’ (para 57).
- As opined in Schwarz, the collection of fingerprints and photos is not of an intimate nature and does not cause any particular physical or mental discomfort for the person concerned (para 58). Besides, such a requirement is also included in the VIS Regulation (para 59).
- The requirement applies to all third-country nationals who wish to reside in the Netherlands for more than 90 days, or reside illegally as the purpose of preventing and combating identity and document fraud cannot be achieved by limiting the application of the rule to a specific category of third-country nationals (paras 60-61).
- The authorities accessing the data are limited to officials responsible for the implementation of national legislation on foreign nationals, such as staff at consular and diplomatic posts, duly authorised by the competent minister (para 62).
- Retention period is five years, starting either from the rejection of an application, the departure of the person, or the expiry of the period of validity of an entry ban or a declaration of undesirability. The retention of biometrics during the stay appears justified when considering an extension of the residence permit or to prevent applications being made under the identity of third-country nationals lawfully resident in the Netherlands (paras 63-67). As for rejected applicants, the retention period enables preventing them from making a new application under a different identity (para 68).
This simplistic approach of the Court is not fully satisfactory and raises doubts as to whether its findings are applicable in the case of EU information systems that also process biometric data.
1. Turkish nationals and the principle of non-discrimination
First, the Court acknowledged that the Dutch rule in question affects all categories of third-country nationals -thus including Turkish citizens- who apply for a temporary residence permit without making any exception. The general application of the Dutch legislation to all third-country national without any distinction or exception is deemed an advantage in order to ensure the attainment of the objective of combating identity and document fraud. Is there any reason why the position of Turkish nationals should be distinguished from other third-country nationals? An argument towards that direction could be inferred from Article 9 of the EEC-Turkey Agreement that proscribes discrimination on grounds of nationality. In other words, EU law itself has set aside Turkish nationals from other categories of third-country nationals. Whereas the applicants made explicit reference to Article 9 in the national proceedings as well as their written and oral observations before the CJEU, the Dutch Council of State chose not to submit a question in that respect and framed the issue solely as one pertaining to the interpretation of whether the rule constitutes a ‘new restriction’. That this issue was brought to the attention of the referring Court is evident in para 8 of the Advocate General’s Opinion, where it is stated that the Staatssecretaris considered that the collection and processing of biometric data are not contrary to Article 9 of the Association Agreement.
Article 9 has been referred to by the Court of Justice in four cases, albeit never independently. In three cases, Birlikte (para 59), Kocak & Örs (para 36) and Özturk (para 49), the Court highlighted the general principle of non discrimination which has been implemented and concretely expressed in Articles developing the EEC-Turkey Association (see Article 10(1) of Decision No 1/80 or Article 3(1) of Decision No 3/80). In Commission v Netherlands, the Court took the view that the principle contributes ‘to facilitating the progressive integration of migrant Turkish workers and Turkish nationals who move for the purposes of establishment or in order to provide services in a Member State (para 68). However, integration did not play a role in the judgment. The case of B who is the spouse of an EU national, therefore with obvious connections to the EU is even more problematic in that respect.
A question on whether this requirement violates the principle of non discrimination could have made possible to apply by analogy the findings in the case of Huber, concerning the processing of personal data of EU citizens who are not nationals of the Member State that collects their data. It is evident that the Court did not wish to push the issue further by allowing leeway to Member States to impose their own rules and requirements on how they deal with third-country nationals at the national level without interfering with national practices in digitalisation. Under these circumstances, admittedly the CJEU’s hands were tied; whereas the questions by the referring Court are often reformulated, examining the case under the lens of non-discrimination was not within the jurisdiction of the Court. However, the principle of non-discrimination constitutes one of the values behind the right to the protection of personal data, which the Court explicitly listed as one of the Charter rights that were relevant for the interpretation of the Dutch rule (paras 53-54). Therefore, it could be argued that the principle of non discrimination could have been brought to the forefront through the back door if the Court had adopted a different reading of the right to personal data protection.
2. A rigid interpretation of proportionality
In examining the necessity and proportionality of processing biometric data for immigration control purposes the Court uncritically reiterated its findings in the case of Schwarz. This is not a satisfactory approach. The Court seems to equate the fingerprinting process with that of taking a facial image by considering both processes as not of an intimate nature and not causing any particular physical or mental discomfort for the person concerned. This is not always the case, as the negative connotations of fingerprinting remain, with the Eurodac database whereby asylum seekers are forced to register their fingerprints being a prime example in that respect. Furthermore, third-country nationals do not enjoy a special relationship of trust with the Member State to which they submit their application, as EU nationals do. Moreover, nowhere in the judgment is the nature of fingerprints as a special category of personal data subject to higher safeguards acknowledged, even though Article 9 of the General Data Protection Regulation (GDPR) explicitly distinguishes this category of personal data. The special nature of fingerprints was highlighted in S and Marper, where the European Court of Human Rights (ECtHR) opined that processing biometric data ‘without the consent of the individual concerned cannot be regarded as neutral or insignificant’ (para 84) and that the retention of fingerprints was not ‘inconsequential, irrelevant or neutral’. The possibility of false matches has also been marginalised. In Schwarz, the consequence of a false match would result in a second round of checks on the EU national wishing to cross the external borders of the EU. In the case of applicants for a residence permit, a false match may impact on the outcome of the application or even lead to proceedings for identity fraud. However, the seriousness of the consequences of a potential false match was not taken into account in lieu of over-reliance and trust on technological advents. Crucially, there was no assessment as to whether precise identification could take place on the basis of processing less data than a full set of fingerprints combined with a facial image; in this author’s view, two or four fingerprints would also suffice for the purpose of detecting identity or document fraud. This would be in line with the data minimisation principle, a key principle of data protection law (Article 5(1)(c) of the General Data Protection Regulation). According to this principle, the data processed must be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’.
3. Applying by analogy the Court’s pronouncements to the case of EU information systems?
With the processing of biometrics in centralised databases becoming the norm, a pressing question arises: could the Court’s pronouncements be applied to the case of EU-wide centralised databases that process biometrics, such as fingerprints and facial images? The reference to the VIS in the Court’s proportionality assessment, drawn from the Opinion of the Advocate General (see para 29), may be interpreted as the Court implicitly evaluating the proportionality of the VIS provisions as well. This could be further expanded to Regulation 2018/1981 on the Schengen Information System (SIS) that enables Member States to record alerts on unwelcome third-country nationals, including their fingerprints and a facial image. Furthermore, the recast Eurodac Regulation that is currently being negotiated also expands the categories of personal data to be processed to include a facial image on top of a full set of fingerprints which is the current rule. In addition, the VIS Regulation is also to be extended to long-stay visa applicants and holders of residence permits and residence cards. It is hereby recalled that the CJEU has never been called to interpret the provisions of the VIS Regulation -or any other information system- from a fundamental rights perspective. Therefore, the Court merely presumes the lawfulness of the VIS rules without having evaluated any arguments as to whether the EU rules are excessive and disproportionate. The fact that the requirement for collecting, storing and further processing a facial image and a full set of fingerprints exists under EU law cannot justify the proportionality of the national rule in question. It may be an indication towards a particular trend in digitalised immigration control, but it should not function as a benchmark of lawfulness. This circular logic seems to disregard the fact that EU law is not beyond reproach, especially since the past years have witnessed a series of EU law instruments being found violating the rights of private life and personal data protection, with the latest example in that respect being Opinion 1/15 the draft EU-Canada PNR Agreement.
4. Retention of data: Lack of safeguards and protection of Turkish nationals
Another issue that merits further exploration relates to the retention period of biometric data. A five-year retention period may be justified only in relation to failed applicants, specifically in cases where their application has been based on fraudulent information. Otherwise, the argument that a five-year retention period in relation to residence permit holders is proportionate in order to facilitate the renewal of the permit is not particularly strong. Residence permit holders would more probably have renewed their permit within a limited period of time, or they have already sought naturalisation, or they may have left the national territory. Importantly, the fact that the data remain stored in a centralised database throughout the duration of a person’s lawful stay in the Netherlands and may be accessed not only by immigration but also by law enforcement authorities is completely sidelined. In practice their records may be stored for decades irrespectively of the fact that the person concerned may have never raised any suspicion of any unlawful conduct. This is because the deadline for deletion only starts after the person has left the national territory. A long retention period thus seems to denote that a level of suspicion of identity fraud accompanies holders of residence permits even when they have undergone checks and procedures at the national level. In addition, it cannot go unnoticed that the Court understands retention periods as serving the purpose of deterring fraudulent applicants from lodging an application. The preventive nature of retention periods may have multiple readings and may lead to abuse by legislators; undoubtedly the longer the retention period, the easier it will to detect applicants attempting fraud, thus the higher the preventive benefit it may have.
5. Law enforcement access: An elusive issue
It is regrettable that the question on the use of the Turkish nationals’ record for law enforcement purposes was not addressed given that the applicants were not suspected of a criminal offence and their data had not been used in the framework of criminal investigations. The mere possibility that their data could be accessed by law enforcement authorities was not found to be enough to engage with a proportionality assessment. It could be argued that by declaring the question inadmissible, the Court indirectly does not pay attention to the fact that access of law enforcement authorities may take place during the full length of legal stay. This leads to a paradox: the fact that the persons concerned have not been subject to criminal prosecutions results in a decrease to their privacy protection. Furthermore, requiring the applicant to be implicated in criminal investigations, leads to the alarming realisation that the threshold for the Court to engage with questions about the proportionality of law enforcement access to personal data collected for immigration-related purposes is particularly high. This shrinks the chances for a case actually reaching the Court. Such access is currently envisaged as an ancillary objective in relation to the VIS, Eurodac and the forthcoming EES and ETIAS.
The Advocate General considered this issue (paras 34-42), opining that the processing of personal data for law enforcement purposes does not constitute an ‘obstacle to the free movement of EU workers’ since it is too uncertain and indirect (para 38). This is because access is dependent on a number of future and hypothetical events, namely the existence of suspicion, involving a conduct that is a cause of serious concern and the search has been authorised by the court on request by the public prosecution service (para 39). The low number of incoming requests for consultation by law enforcement authorities was also relevant in the Advocate General’s view (para 40). This is not a correct approach either. The mere possibility of expanding the pool of authorities having access to the stored personal data is a violation of the purpose limitation principle and a further interference with the right to private life (see the ECtHR’s judgment in Weber and Saravia). Therefore its proportionality needs to be assessed (e.g. the argument above on the prolonged retention period are relevant). Furthermore, the low number of requests may even question the necessity of the rule. As for the conditions of access these may be revised thus making the obstacle not that ‘uncertain and indirect’.
6. Identity and document fraud as an EU objective
Finally, the Court contends the importance of addressing the phenomenon of identity and document fraud, by noting that this objective features in the VIS Regulation as well as the recently adopted Regulation 2019/816 on the interoperability of databases. First, this marks the first time that the latter features in a Court’s judgment, however the Court does not make any comments regarding this objective, but uncritically accepts that since it is present in the Interoperability Regulation, this suffices to qualify as an EU objective. Second, despite these references, it will be for national courts to refer questions to the EU Court of Justice concerning the interpretation of both these instruments and the validity of their provisions from a fundamental rights standpoint. Third, whereas the attainment of this objective is not disputed, it is advisable that the adoption of any EU instrument tackling a phenomenon or contributing to the attainment of an objective is supplemented by evidence on its magnitude and seriousness. Otherwise, numerous EU instruments may be adopted with similar aims without an ex-post evaluation of whether they have been effective.
Overall, the Court’s pronouncements should not be viewed outside the specific context of the case at hand, i.e they should not be understood as generally applicable to the processing of biometric data for immigration law purposes. The Court’s approach favours national prerogatives in managing third-country nationals through data surveillance policies as it allows a significant margin of discretion for Member States. What is worrisome though is that despite the efforts to distinguish biometric data from other categories of personal data, the Court is reluctant to highlight not only their undoubted benefits, but also their significant limitations, such as the potential for false hits.