On 29 June 2023, Advocate General (AG) Laila Medina expressed in her Opinion in case C-61/22 (Landeshauptstadt Wiesbaden) that the mandatory collection and storage of fingerprints on identity cards is valid. In the case at issue, a German citizen applied to the city of Wiesbaden (Germany) for the issuance of a new identity card. He specifically asked for the card to be issued without the inclusion of a fingerprint image in its chip. The City of Wiesbaden refused the application on the ground, among others, that Regulation (EU) 2019/1157 sets out the obligation to include an image of the fingerprints of the holder on any identity card newly issued by the Member States – on a highly secure storage medium – as from 2 August 2021. In this context, the Administrative Court of Wiesbaden raised questions as to the compatibility of the EU Regulation in question with primary EU law and the Union's rules on data protection. In detail, the court posed three questions:

• Was Art. 21(2) TFEU, rather than Art. 77(3) of that same treaty, the appropriate basis for the adoption of Regulation 2019/1157?
• Is Regulation 2019/1157 compatible with Arts. 7 and 8 read in conjunction with Art. 52(1) of the Charter of Fundamental Rights of the European Union (CFR)?
• Is said Regulation in conformity with the obligation to carry out a data protection impact assessment under Art. 35(10) of the General Data Protection Regulation?

With regard to the first question, AG Medina concluded that Regulation 2019/1157 had been correctly adopted on the basis of Art. 21(2) TFEU, because the reliability and trustworthiness of these identity cards has been improved through security standards, and therefore results in the facilitation of the exercise of the right of EU citizens to move and reside freely within the Member States.

As regards the second question, the AG confirmed that the limitations introduced by Regulation 2019/1157 are in conformity with the principle of proportionality and, in particular, that they are necessary and genuinely meet objectives of general interest recognised by the European Union (in this case, the objective is to prevent the risk of falsification and document fraud). As a consequence, the Regulation is in accordance with the second sentence of Art. 52(1) CFR.

Regarding the third question, the AG believes that the European Parliament and the Council were not obliged to conduct an impact assessment during the legislative process leading to adoption of Regulation 2019/1157, as the GDPR and Regulation 2019/1157 are acts of secondary legislation that rank equally. Futhermore, the GDPR does not specify any criterion in relation to which the validity of another secondary law norm of the European Union should be assessed. In conclusion, she proposes that the ECJ reply that examination of the questions referred has not revealed any factor affecting the validity of Regulation 2019/1157.