On 18 April 2013, the European Court of Human Rights (ECHR) held that storing fingerprints in a database used by investigators to fight crime violates the right to privacy enshrined in Article 8 of the European Convention of Human Rights.

In the case at hand, M.K., a French national was the subject of two investigations, both concerning book theft. In both incidents, investigators took his fingerprints which were then registered and stored in a database. In both cases however, all charges were dropped. Nevertheless, the public prosecutor refused to delete the fingerprint data from the database on the grounds that it would be in the interest of the individual itself to avoid being linked to crimes committed by others using his identity.

As this motivation was upheld by the French courts, Mr. M.K. subsequently brought his case before the ECHR. In its decision, the ECHR considered that storing fingerprint data indeed interferes with one’s right to privacy. Consequently, the interference would only be allowed if it (i) has a legal basis; (ii) serves a legitimate purpose; and (iii) is necessary in a democratic society.

In this context, the ECHR found that the legal basis for the interference is provided by the Decree of 8 April 1987. Moreover, the purpose of this decree can be said to be legitimate because it is aimed at the detection and prevention of crimes.

This brings the ECHR to analyse whether the interference is necessary in a democratic society. This would mean that the interference corresponds to a compelling social need; that it is proportionate in relation to the legitimate purpose being pursued and that the reasons brought forward by the French authorities are pertinent and sufficient.

The ECHR considered that although the conditions for consulting the database are sufficiently strict, this cannot be said for the conditions for collecting and retaining the data. Indeed, the Court noted that the purpose of the database, necessarily leads to the retention and addition of the largest amount of data possible. As a matter of fact, the argument of the prosecutor, that the retention of the data would be in the interest of the data subject itself, does not emerge from the text of the decree. Moreover, if this logic were to be followed, this would mean that the fingerprint data of the entire French population would be retained, which would obviously be excessive and not pertinent.

Moreover, the scope of the Decree is not limited to certain serious crimes, such as sexual offences or organised crime, but includes all offences, even the minor ones. The Court also noted that the database did not distinguish between those data subjects who were convicted and those who were not. Neither did it make a distinction on whether the data subjects had been officially charged.

Concerning data retention, the Court held that the possibility for one to request that his or her fingerprints or data be removed cannot be considered a concrete and effective guarantee, but that it is only theoretical and illusionary. The data retention period of 25 years, as stipulated in the Decree, will consequently come down to there being an unlimited data retention period or at least to a standard retention period of 25 years instead of a mere maximum. This seems to be disproportionate to the legitimate purpose.

The case can be found on http://hudoc.echr.coe.int/