Analysis of the ECJ Opinion in Willems and Others (C-446/12 to C-449/12)
by Kanad Bagchi and Oskar Josef Gstrein[1]
I. Introduction
On the 16th of April 2015 the Court of Justice of the European Union (hereinafter ‘CJEU’/‘ECJ’/‘Court’) handed down its opinion[2] on the interpretation of Regulation No. 2252/2004[3]. In essence, the Regulation provides for the collection, storage and use of biometric data by Member States (hereinafter ‘MS’) for the purposes of issuing passports and other related travel identity documents.[4] The present case arose in the context of Mr Willems and others refusing to provide the Netherlands authorities with their digital fingerprints and as a result being denied passports and other national identity cards. In addition to collecting and using data for the purposes of the Regulation, the Netherlands Passport Law sought to use the same for other purposes including, detection and prosecution of criminal offences, conduct of investigations etc. Among other concerns, the applicants claimed that collecting and using data for purposes unrelated to the above Regulation constituted an infraction of their rights under the Charter of Fundamental Rights of the European Union (hereinafter referred to as ‘Charter’). A connected question was whether MS while exercising their discretion in the further use of the data collected in pursuance of the Regulation, are to follow the dictates of Articles 7 and 8 of the Charter and Directive 95/46[5]. Against that background, the third question referred to the CJEU, and with which the authors are most immediately concerned, was paraphrased by the ECJ as:
“…By those questions, which it is appropriate to examine together, the referring court asks essentially whether Article 4(3) of Regulation No 2252/2004, read together with Articles 6 and 7 of Directive 95/46 and Articles 7 and 8 of the Charter, must be interpreted as meaning that it requires Member States to guarantee that the biometric data collected and stored pursuant to that Regulation will not be collected, processed and used for purposes other than the issue of passports or other travel documents…”
In the first instance, the CJEU made a distinction between ‘use’ of biometric data for the purposes as prescribed in the Passport Regulation as such, and the ‘use’ of the same for purposes outside the scope of the Regulation. As regards the first, the Court deferred to its previous decision in Schwarz[6] to underline the compatibility of the Passport Regulation as against Articles 7 and 8 of the Charter. It is in relation to the use and storage of biometrics for purposes alien to the Regulation, that the Court did a significant U-turn from some of its previously decided cases, more particularly from its decision in the Digital Rights case.[7] It held that the Passport Regulation does not determine the use and storage of data by MS for purposes falling outside the scope of the same and hence by a narrow reading of Åkerberg Fransson,[8] the Charter rights relating to Article 7 and 8 do not apply to such exercise of discretion. In the words of the Court, “…Given that, in the present case, Regulation No 2252/2004 is not applicable, there is no need to determine whether the storage and use of biometric data for purposes other than those referred to in Article 4(3) thereof are compatible with those articles of the Charter…”[9] Accordingly, the Court considered that the validity of national measures going beyond the scope of the Passport Regulation has to be examined as against the relevant national law alone, and not against the provisions of the Charter. While the opinion has received a scathing attack from both Steve Peers[10] and Eduardo Gill-Pedro[11] on various counts, this article focuses on the irreconcilable position of the Court in the light of the principles as reiterated in the Digital Rights case.
II. Digital Rights and The Appropriate Standard To Test Proportionality and Necessity of an EU Measure
In Digital Rights the Court was invited to rule on the validity of the Data Retention Directive[12] as against inter alia, Articles 7 and 8 of the Charter. The main objective of the Directive was as follows:
“This Directive aims to harmonise Member States’ provisions concerning the obligations of the providers of publicly available electronic communications services or of public communications networks with respect to the retention of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.” [13]
The Court established that the combined effect of Art. 3 to 6 of the Directive whereby providers of communication networks were under an obligation to retain, although for a limited duration, and eventually share data so retained, with MS authorities for the purposes of the Directive, was a prima facie infraction of Art. 7 of the Charter. Art. 8 of the Charter also stood infringed, in the mind of the Court, in view of the Directive’s data processing obligations.[14] It is important to note that the Court considered the Directive’s interference as “…particularly serious…”[15] in the light of its invasive overturns. Thereafter the Court proceeded to assess whether the measures were proportional and necessary. Arguing for a strict scrutiny of legislative discretion for interference with the right to respect for private life, the Court derived that the measures as contained in the Directive does not muster the threshold of ‘necessity’, in as much as, it was unreasonably wide to include within its fold “…all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime…”[16] Two other facets of the Directive which weighed negatively in the Court’s assessment concerned the imprecise scope of its application coupled with inadequate safeguards, and the absence of any guidelines to determine the continuity and limits of the powers of the national authorities. It is instructive to reproduce the relevant paragraphs in full:
“54. Consequently, the EU legislation in question must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data…”
“60. Secondly, not only is there a general absence of limits in Directive 2006/24 but Directive 2006/24 also fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, may be considered to be sufficiently serious to justify such an interference. On the contrary, Directive 2006/24 simply refers, in Article 1(1), in a general manner to serious crime, as defined by each Member State in its national law…”
Additionally, the Directive was admonished on the ground that it was silent not only as regards prescribing limits on MS authorities, but also bereft in imposing an obligation on the MS concerned, to provide for limits to their own competences.[17] In consequence, the Directive was declared to be invalid, as “…the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter…”[18]
In that backdrop, the next section of the article addresses the conspicuous judicial austerity of the Court with respect to the Passport Regulation, which in the opinion of the authors suffers from similar infirmities as the Data Retention Directive.
III. Differing Standards and a Missed Opportunity
In Digital Rights the Court displayed an acute concern, and validly so, at ensuring both the substantive and procedural rights as enshrined under Art. 7 and 8 of the Charter. A detailed two-step analysis was followed in determining the validity of the Data Retention Directive as against the Charter rights. The first step comprised of an enquiry as to the nature and extent of the infraction and the appropriate question to be asked was whether the “essence” of the rights was adversely affected. Since the Directive prohibited both the screening and acquiring of the specific content of the communication, it was declared not to adversely affect the essence of the right to respect for private and family life. Similarly, the right to protection of personal data was ensured through the Directive’s mandatory requirements pertaining to data protection and security as contained in the Data Protection Directive.[19] Having passed the first step, it is at the second stage of the enquiry that the Directive was declared incompatible with Art. 7 and 8 of the Charter. The second stage required the measures contained in the Directive to be both ‘proportional’ and ‘necessary’ in light of the mandate under Art. 52 (1) of the Charter and CJEU’s own jurisprudence. The Directive fell short on both counts, insofar as it contained imprecise rules on the one hand, governing the application of the Directive, and on the other, insufficient and inadequate safeguards to prevent abuse and misuse of the data so collected. AG Villalon in his insightful opinion in Digital Rights reached a similar conclusion, however employing a slightly different approach. He argued for a similar requirement of precision in EU legislation and termed the same as “…the quality of law requirements…”, meaning that the law “…must go beyond a purely formal requirement and cover also the lack of precision of the law…”,[20] and on that basis declared the whole Directive to be incompatible with Art. 52 (1) of the Charter.
As against that, it is surprising to notice the near absence of either judicial rigor or striking concern with respect to EU Passport Regulation’s imprecise scope and discretionary latitude as observed in the present case. Aside from delving into the ancillary question of whether the Netherland’s Passport law fell within the scope of Regulation, the Court’s indifference in subjecting the EU Passport Regulation to the mores of the Charter rights, is both disheartening and worrisome. In this regard, it is reasonable to argue that the impugned EU Passport Regulation woefully falls short of the standard that the Charter prescribes. It entrusts MS with an extraordinary amount of biometric data without providing for any safeguards as to the ultimate use of the same, once the MS have fulfilled their obligations under the Regulation. It allows the data collected in pursuance of the Passport Regulation, with a defined set of objectives and scope, to be instantaneously transformed into an instrument of state invasion, the moment MS act beyond the contours of the Regulation. Art. 7 and 8 of the Charter, contain within, as the court has noted, an obligation to ensure that data collected not misused or abused. Requirements of ‘necessity’ and ‘proportionality’, ordain that discretion as regards the collection and use of personal data is limited to the purposes of achieving the objectives of the measures alone, beyond which, any further use would be an infraction of the above principles.[21] It is submitted that, procedural Charter rights dictate not only the collection and use of the data undertaken in pursuance of the Passport Regulation, but also its ultimate use per se and it is in this connection, that the Passport Regulation does not meet the standards prescribed under the Charter. A connected concern arising from the above set of facts is that the standard of protection of biometric data is made dependent on their intended use. While the Charter standards apply when biometric data is collected and used in pursuance of the Passport Regulation, differing national standards will apply for its use in all other cases. Legal conundrums aside, contrasting standards present an undesirable path with respect to the ever evolving Regulations designed to protect the right to privacy and family life.
What is equally intriguing is that the Court upon declaring the Charter to be inapplicable to acts undertaken by MS outside the scope of the Regulation, made no overtures to test the validity of the Regulation itself.[22] Indeed in Schwarz, the Court had the occasion to rule on the question of ‘further use’ of the data collected in pursuance of the Passport Regulation; nonetheless, the decision was limited in its scope and effect. The referring court was skeptical with respect to the proportionality of the measures taken under the Regulation, which allowed for the data to be used for any other purpose otherwise than what is required for under the Regulation. However, the Court brushed aside such apprehensions by disassociating the question of validity of the Regulation from the impending risks arising out of further use of the data.[23] The validity of the Regulation having thus been established in Schwarz, the referring court in Willems was compelled to withdraw a renewed agitation of the same issue and retain only the question as regards the appropriate interpretation of Art. 4 (3) of the Regulation in light of the Charter.[24] It is argued that the Court had a wonderful opportunity to pick up from where it had left in Schwarz. While maintaining its ruling on the validity of Art. 1 (3) of the Regulation in Schwarz, it could have arguably insisted on an interpretation of Art. 4 (3) to reflect the applicants’ concern. In this manner, the EU Passport Regulation would continue to remain irreproachable so far as its intended scope and effect, as decided in Schwarz, however, Art. 4 (3) could be suitably interpreted to ensure that data collected in pursuance of the Regulation is not completely surrendered in the hands of the MS.
Considering the broader picture of fundamental rights protection in the EU and the position of the CJEU in the system, the present Opinion exposes the dangers of inconsistent approach as undertaken by the Luxembourg judges in relation to protection of citizens’ rights. As has been already laid out in this article, the CJEU in Digital Rights did not hesitate to extend the material and formal scope of Art 7 and 8 of the Charter when there was valid implication to do so. Also the much discussed decision in Google Spain[25] seemed to promise a more proactive stance of the Court in relation to the promotion of Human Rights of Europeans, a concern of utmost importance, especially in the digital age.
In the light of Willems, it is submitted that one has to carefully consider and differentiate between, on the one hand, rights with a strong ‘material’ component, like the right to life in Art 2 or the prohibition of torture in Art 3 and procedural constitutional guarantees, on the other. With respect to ‘material’ rights as such, it is evident that the emphasis of protection is on the guarantee itself, and it is likely that the Court and the European Institutions will apply a strong standard of harmonization when it comes to the realization of such guarantees. As an example one can refer to Commission President Juncker’s reaction to the discussion in Hungary about re-introducing death penalty in the country. Prime Minister Orbán was forced to clarify his comments on the death penalty, upon being threatened by Juncker with adverse consequences as regards Hungary’s rights within the Union. However, procedural constitutional guarantees, in essence, define the basic order of a state or a state institution. One can think of the values that the EU incorporates under Art. 2 TEU, the principles of conferral, subsidiarity and proportionality enshrined under Art. 5 or the reference to the political model of representative democracy in Art 10 TEU as suitable instances of the above. Since the EU is still a far cry from being a federation, one is not surprised that only a limited number of such provisions exist in the EU treaties as opposed to the constitution of MS.
But Willems questions if this is always desirable, especially from the point of view of the individual concerned. The approach of the judges in the decision works from a rational and strictly formalistic perspective. Nevertheless, it must be qualified as only a half-hearted attempt to entrench constitutional guarantees as against Court’s approach in Åkerberg Fransson and Melloni[26]. One can argue that the “ne bis in idem” principle as applied in Åkerberg Fransson is a veritable instance of enforcement of procedural constitutional guarantees at the level of the EU.
Following the same approach, one could have expected the Court to make a veiled reference to the ‘principle of legality’ as can be found in Art 20 par. 3 of the German Basic Law. Arguably, the difference between the ‘ne bis in idem’ principle and the principle of legality only concerns their antiquity. While the right not to be punished twice for the same offense existed since Roman times,[27] the principle of legality is a newer phenomenon. It is therefore not surprising that MS readily agreed to incorporate the ‘ne bis in idem’ principle in Art. 50 of the Charter, however, no such significant discussions were held as regards the ‘principle of legality’. Hence, it is rather difficult to extrapolate on a verifiable legal base for the principle of legality as a part of the EU legal order. Nonetheless, it is argued that since Art. 6 (3) TEU explicitly refers to “constitutional traditions common to member states’, the Court had the opportunity to consider that the Passport Regulation was deficient in the face of such a principle. A decision in that regard, would have been in tandem with the jurisprudence of the CJEU in fundamental rights issues, and would foster the Court’s position as a true guardian of Human Rights in Europe. An individual could reply on the judicial oversight of the Court, not only with respect to material and traditional procedural constitutional guarantees, but also when basic and commonly existent legal concepts such as the rule of law and its forms are in question.
One wonders if the formalism displayed by the Court is to be understood as a result of the criticism of the recent proactive stance taken by the Luxembourg judges in fundamental rights issues. Quite famously and to give just one example the German Constitutional Court immediately decried the approach of the Court Åkerberg Fransson in its Antiterrordatei decision.[28] In what was a very meticulously drafted reference to the CJEU in Willems, the referring court was prodding the question of the Passport Regulation’s validity, or in the alternative an interpretation of the Regulation consistent with the Charter Rights. The CJEU however, veered the argumentation from considering the infirmities in the Passport Regulation as such to an examination of the national legislation and whether the same was sanctioned by the Regulation.
The authors argue that the response of the Court does not clearly address the reference as was put to it. The reference was directed at the validity and interpretation of the Passport Regulation, whereas the Court concluded its opinion on the application of the Charter in relation to MS acting beyond the scope of the Regulation. In what can be characterized as an exercise in conscious indifference towards the frailties of the EU’s Passport Regulation, the present Opinion raises more questions than it answers, and appears disturbingly, as a step back from the decision in Digital Rights or Google Spain. Only the future will show whether the CJEU will be able to become a pillar of the system of fundamental rights system in the European Union.
————————————————-
[1] Kanad Bagchi (kanad.bagchi@gmail.com) was a research assistant at Europa-Insitut, Saarland University, Germany. Views of the author are his own and should not be imputed to the institution he represents. Mag. Dr. Oskar Josef Gstrein, LL.M. is an Assistant Professor at the Department of Governance and Innovation of Campus Fryslân, where he is also member of the Data Research Centre.
[2] ECJ Opinion in joined Cases C-446/12 to C-449/12, 16 April 2015 (hereinafter ‘Willems’s case’). Can be accessed here.
[3] Regulation (EU) No. 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States, OJ 2004 L 385, p. 1 of 13 December 2004 (hereinafter ‘Passport Regulation’/‘Regulation’). Can be accessed here.
[4] In paras. 30 ff. the court expressly excluded identity cards from the scope of Regulation 2252/2004. Such cards are common in some member states of the EU, like the Netherlands or Germany (“Personalausweis”), and enable citizens to travel in some countries of the Union like Passports. Hence, it is not standard for citizens of these countries to hold passports. Nevertheless, in para. 40 the ECJ states: “However, it is clear from the wording of the second sentence of Article 1(3) of Regulation No. 2252/2004, interpreted in the light of the findings in paragraphs 32 to 37 of the present judgment, that the EU legislature expressly decided to exclude from the scope of that Regulation identity cards issued by Member States to their nationals.”
[5] Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281 of 23/11/1995. Can be accessed here.
[6] ECJ Opinion in Case C-291/12, 17 October 2013 (hereinafter referred to as ‘Schwarz’). Can be accessed here.
[7] ECJ Opinion in Joined Cases C-293/12 and C-594/12, 8 April 2014 (hereinafter referred to as ‘Digital Rights’). Can be accessed here.
[8] ECJ Opinion in Case C‑617/10, 12 June 2012. Can be accessed here.
[9] Willems’s case, para 50.
[10] See Peers, Steve, ‘Biometric data and data protection law: the CJEU loses the plot’, EU Law Analysis Blog, 17 April 2015. Can be accessed here.
[11] See Gill-Pedro, Eduardo, ‘Joined Cases C-446/12 – 449/12 Willems: The CJEU washes its hands of Member States’ fingerprint retention’, EU Law Blog, 29 April 2015. Can be accessed here.
[12] Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, OJ 2006 L 105, p. 54 (hereinafter referred to as ‘Data Retention Directive’). Can be accessed here.
[13] Data Retention Directive, Art. 1.
[14] Digital Rights, para 34 – 37.
[15] Digital Rights, para 37; Similar concern was expressed in Schwarz, See Schwarz, para 25 & 30.
[16] Digital Rights, para 57.
[17] “…Nor does it lay down a specific obligation on Member States designed to establish such limits…”, Digital Rights, para 62.
[18] Digital Rights, para 69.
[20] Willems’s case, Opinion of Advocate General Cruz Villalon, para 109. Can be accessed here.
[21] Data Retention Directive was declared invalid by the Court riding on a similar interpretation.
[22] It simply made a reference to the Schwarz case. See Willems’s case, para 46.
[23] Schwarz, para 62.
[24] Willems’s case, para 27.
[25] ECJ opinion in Case C-131/12, 13.05.2014, Google Spain and Google, (hereinafter ‘Google Spain’). Can be accessed here.
[26] ECJ opinion in Case C-399/11, 26.02.2013, ECLI:EU:C:2013:107. Also see Canor, “My brother’s keeper? Horizontal Solange: ‘An ever closer ‘distrust’ among the peoples of Europe’, Common Market Law Review, 50, p. 383 – 422, 2013, p. 420 f.
[27] Gstrein/Zeitzmann,“Die ‚Åkerberg Fransson‚Ne bis in idem‘ als Wegbereiter für einen effektiven Grundrechtsschutz in der EU?‚ZEuS, 2/2013, p. 239 – 260, p. 240 f.
[28] 1 BvR 1215/07, 02.03.2013, ECLI:DE:BVerfG:2013:rs20130424.1bvr121507. In Section C the judges in Karlsruhe state in the last paragraph: „Accordingly, for the questions that were raised, and which only concern German fundamental rights, the European Court of Justice is not the lawful judge according to Art. 101 sec. 1 GG. The ECJ’s decision in the case Åkerberg Fransson (ECJ, judgment of 26 February 2013, C-617/10) does not change this conclusion. As part of a cooperative relationship between the Federal Constitutional Court and the European Court of Justice (cf. BVerfGE 126, 286 <307>), this decision must not be read in a way that would view it as an apparent ultra vires act or as if it endangered the protection and enforcement of the fundamental rights in the Member States (Art. 23 sec. 1 sentence 1 GG) in a way that questioned the identity of the Basic Law’s constitutional order (cf. BVerfGE 89, 155 <188>; 123, 267 <353 and 354>; 125, 260 <324>; 126, 286 <302 et seq.>; 129, 78 <100>). The decision must thus not be understood and applied in such a way that absolutely any connection of a provision’s subject-matter to the merely abstract scope of Union law, or merely incidental effects on Union law, would be sufficient for binding the Member States by the Union’s fundamental rights set forth in the EUCFR. Rather, the European Court of Justice itself expressly states in this decision that the European fundamental rights under the Charter are “applicable in all situations governed by European Union law, but not outside such situations” (ECJ, judgment of 26 February 2013, C-617/10, para. 19).“
Suggested Citation: Bagchi, Kanad, Gstrein, Oskar Josef, The inconsistent guardians of Human Rights in the Digital Age: Differing Standards and a Missed Opportunity, jean-monnet-saar 2021, DOI: 10.17176/20220308-164834-0