Provisions on biometric data in the central register of identity cards to be improved
The position of the CJEU in its judgment on fingerprints and the image in identity cards should be taken into account in Polish law. This was the position of the President of the Personal Data Protection Office, Mirosław Wróblewski, in a letter to the Minister for the European Union, Adam Szłapka.
The Minister asked the Personal Data Protection Office for its position on the implications of the CJEU judgment of 21 March 2024 in Case C- 61/22 Landeshauptstadt Wiesbaden (identity cards - obligation to include and store fingerprints in identity cards - personal data protection).
In this judgment, the CJEU invalidated the Regulation 2019/1157 of the European Parliament and of the Council of 20 June 2019 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement. The CJEU has given time to amend the provisions until 1 January 2027 - until then the old ones remain in force.
The reason for the invalidation is a procedural mistake (wrong legal basis). However, the CJEU noted what the key findings are - and what the new act should look like. It concerns the way biometric data are processed for identity cards in the European Union. These are to include a facial image and two fingerprints in interoperable digital formats. As these are particularly sensitive data to identify a person, the CJEU emphasises that the Regulation (recital 21) did not allow the data collected in this way to be put into national databases. When the citizen collects the identity card, the data from the central system should be deleted. Their place is only in the identity card.
However, legislators in member states have allowed such central databases to be established. In Poland it is similar, we have a central Register of Personal Identity Cards. Pursuant to Article 55 of the Act on Identity Cards, the Register collects, in particular, biometric data in the form of a facial image and two fingerprints. The Polish SA, in the course of legislative work, made comments and expressed criticism on the processing of fingerprint biometric data in one centralised database. The Polish SA also pointed out that the proposed solutions create a risk of violation of the rights and freedoms of persons, which justifies conducting a personal data protection impact assessment of the processing.
The President of the Personal Data Protection Office reminds that during the work on the Regulation specifying the method of maintaining the Register of Personal Identity Cards, he submitted comments on: the scale and methods of data and information processing assumed by the drafter resulted in a risk of violating the rights and freedoms of data subjects. These comments were not taken into account by the Minister of Digital Affairs.
This will now have to be carried out in light of the CJEU judgment: "The processing of the facial image and fingerprints on the ID card has its basis in the Act on ID cards, nevertheless the processing of these data does not have sufficient guarantees in this Act from the point of view of compliance by the Polish legislator with the principle of proportionality in terms of interference with the right to privacy and protection of personal data and the realisation of the objectives of the so-called general interest in the form of combating falsification of ID cards and identity fraud." "For the achievement of this general purpose, it is not necessary to store fingerprints and the image provided by the data subject for the purposes of obtaining an ID card for other purposes pursued by the operation of the Register."
The opinion of the President of the Personal Data Protection Office regarding the judgment C-61/22 of the CJEU is available in the file attached below.
