CJEU: Systematic Collection of Biometric and Genetic Data Contrary to EU Law
15 February 2023
2018-Max_Planck_Herr_Wahl_1355_black white_Zuschnitt.jpg Thomas Wahl

The systematic collection of biometric and genetic data of any accused person in order for them to be entered in a police record is contrary to the requirement of ensuring enhanced protection with regard to the processing of sensitive personal data. This statement was made by the CJEU in its judgment of 26 January 2023 in Case C-205/21 (V.S.). The case concerned Bulgarian legislation on police records and data protection.

Facts and background of the case

In the case at issue, criminal proceedings for tax fraud led to V.S. being accused of participation in a criminal organisation. V.S. opposed to consent to the collection of her dactyloscopic and DNA profile data for the purpose of creating a police record. According to Bulgarian law, the police authorities are empowered to take such data from any person “who is accused of an intentional criminal offence subject to public prosecution.”

The Spetsializiran nakazatelen sad (Specialised Criminal Court, Bulgaria), which was called to enforce the data collection vis-à-vis V.S., had doubts as to whether the Bulgarian legislation applicable to such “creation of a police record” complies with EU data protection law and referred several questions on the interpretation of Directive (EU) 2016/680 “on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties” (in short: LED).

Findings of the CJEU: Restrictions on effective judicial protection proportionate

The CJEU ruled that neither Directive 2016/680 nor the EU Charter of Fundamental Rights preclude national legislation under which the court is obliged to authorise the compulsory collection of biometric and genetic data from accused persons, even though it is not yet in a position to assess at that time whether there are actually reasonable grounds for suspicion against the accused person. The accompanying restriction of effective judicial legal protection is not disproportionate, provided that national law later guarantees effective judicial control of the preconditions of the accusation. Otherwise, there would be a risk of obstructing the course of criminal investigations and unduly restricting the ability of investigators to solve further criminal offences by means of a data comparison.

Right to presumption of innocence observed

The right to the presumption of innocence also does not prevent such an obligation of the court: Firstly, the collection of data is limited to those persons whose criminal liability has not yet been established. Consequently, this collection could not reflect the authorities’ impression that these persons were guilty. Secondly, the fact that the court, which has to decide on the guilt of the person concerned, cannot assess at this stage of the criminal proceedings whether the evidence on which the accusation of that person is based is sufficient, constitutes a guarantee of observance of his or her right to be presumed innocent.

But: Systematic data collection without proportionality test unlawful

However, Directive 2016/680 precludes national legislation which provides for the systematic collection of biometric and genetic data of any person accused of an intentional offence subject to public prosecution, without requiring the competent authority to verify whether the collection is also proportionate. The national legislation must provide for an obligation on the part of the authorities to verify and prove, on the one hand, whether or not the collection is strictly necessary for the attainment of the specific objectives pursued and, on the other hand, whether or not those objectives can be attained by measures which represent a less serious interference with the rights and freedoms of the data subject.

In this context, the CJEU argued that Directive 2016/680 is intended to ensure enhanced protection against the processing of sensitive data, which include biometric and genetic data, as such processing may present significant risks to fundamental rights and freedoms. The requirement stated therein that such processing is allowed “only where strictly necessary” must be interpreted as laying down stricter conditions for the lawfulness of the processing of such sensitive data.

According to the judges in Luxembourg, national legislation which provides for the systematic collection of data from any persons accused of an intentional offence is in principle contrary to that requirement. This approach could lead to the indiscriminate and general collection of data from the majority of accused persons, since the concept of “intentional criminal offence subject to prosecution” is particularly general and can be applied to a large number of criminal offences, irrespective of their nature, their gravity, the particular circumstances of those offences, their possible link with other ongoing proceedings, the criminal record of the person concerned or his/her individual profile.

Put in focus

The CJEU’s judgement in V.S. is the second within a short period of time to deal comprehensively with the interpretation of the “Law Enforcement Data Protection” Directive 2016/680 (→ related link). It shows that the Directive is becoming increasingly important in data protection practice. Although the ruling concerns the specific legislation in Bulgaria, the CJEU’s statements may also have impacts in other EU Member States. This relates firstly to registration practice for police records and secondly to the treatment of sensitive data by law enforcement authorities (Art. 10 LED).