Bulgarian legislation allowing for the systematic collection of biometric and genetic data from any person under investigation for the purpose of police registration is contrary to European Union law protecting the processing of sensitive personal data, the Court of Justice of the EU (CJEU) ruled on Thursday 26 January (Case C-205/21).
In Bulgaria, a person, who is under investigation in criminal proceedings for their participation in a criminal group, refuses to submit to a police registration involving the collection of their genetic and biometric data.
On a reference from the country’s Specialised Criminal Court, which the Bulgarian police are asking to authorise the forced collection of this person’s data, the Court is interpreting the Directive (2016/680) on the protection of individuals with regard to the processing of their personal data in connection with criminal offences.
First of all, according to the Court, this Directive, read in the light of the EU Charter of Fundamental Rights (Article 52 - conditions for the limitation of rights and freedoms), allows the processing of biometric and genetic data by police authorities for the purpose of fighting crime and maintaining public order, provided that national law contains a clear and precise legal basis for authorising such processing.
The European judge recalls that the Directive (2016/680) requires Member States to ensure that a clear distinction is made between the different categories of data subjects so as to establish differences in the interference with their fundamental right to protection of their personal data. For persons in respect of whom there are substantial grounds for believing that they have committed a criminal offence by virtue of the presence of sufficient evidence, national law may provide for the compulsory collection of their sensitive data, following a decision by the competent criminal court.
This criminal court may take such a decision even if it cannot control the conditions of the data subjects’ indictment, but only during the preliminary phase of the criminal proceedings in order not to impede the investigation. This limitation of judicial protection is not disproportionate, as long as national law subsequently guarantees effective judicial review, the Court emphasises.
Nevertheless, the European Court is of the opinion that EU law precludes legislation which provides for the systematic collection of biometric and genetic data of an accused person in the context of a criminal offence, without providing for an obligation on the part of the competent authority to verify and demonstrate whether such collection is absolutely necessary and whether the objectives which such collection is intended to achieve cannot be achieved by means of a measure which constitutes a less serious interference with rights and freedoms of the data subject.
According to the Court, the indiscriminate and generalised collection of sensitive personal data in too many cases should be avoided, regardless of their nature, seriousness, the specific circumstances of the offences found, their link with other ongoing proceedings or the criminal record of the person concerned.
See the judgment: https://aeur.eu/f/53o (Original version in French by Mathieu Bion)