Recent EU court cases on biometric data retention in travel?

1. EU top court: “No blanket, indefinite retention”

The Court of Justice of the European Union (CJEU) has repeatedly ruled that police cannot keep biometric and genetic data of convicted persons or suspects on an indiscriminate, life‑long basis; retention must be limited, proportionate and subject to periodic review, and blanket retention until death was found incompatible with EU law ^{[1] [4]}. Reporting frames this as a high standard that forces national authorities to justify retention on an individual or clearly delimited legal basis rather than by default ^{[5] [4]}.

2. Newer judgment clarifies what “Member State law” means

A 20 November 2025 CJEU judgment in Case C‑57/23 clarified that where national rules provide for collection, storage and erasure of biometric/genetic data, the phrase “Member State law” requires a generally applicable provision setting out minimum conditions, interpreted by national case law insofar as it is accessible and sufficiently foreseeable ^[2]. That means national legislatures and courts must write and interpret rules so individuals can foresee when their biometric data may be taken or retained ^[2].

3. Practical limits for police: necessity, purpose and safeguards

The CJEU and subsequent reporting insist police must demonstrate “absolute necessity” or specific justification on a case‑by‑case basis for collecting biometric data — mass or routine fingerprinting/collection without such proof was struck down in earlier cases, notably in litigation linked to Bulgarian police practices ^{[5] [4]}. National authorities retain discretion to process such data but only within narrow, rights‑respecting parameters and with procedural guarantees ^{[6] [2]}.

4. Passport biometrics and the Bosphorus equivalence debate

A related strand involves biometric passports: the ECtHR reviewed a Dutch case (Willems v. the Netherlands) where refusal to give fingerprints for a passport raised Convention rights issues. The Court applied the Bosphorus presumption — concluding that, because EU rules left Member States little choice about storing fingerprints in passports and databases, a “manifest deficiency” in protection had to be shown to find an Article 8 breach; the applicant failed to show such a deficiency ^[3]. This shows courts balancing EU regulatory harmonisation (e.g. passport standards) against individual privacy rights.

5. Tension between public‑order arguments and data‑protection safeguards

Coverage highlights a recurring tension: Member States and police argue biometric retention aids prevention, detection and prosecution, while the CJEU and privacy advocates require strict proportionality, purpose limitation and safeguards under EU data‑protection principles ^{[1] [4]}. The November 2025 reporting stresses that even when retention is permitted, controllers processing sensitive biometric/genetic data must comply with all specific GDPR‑style requirements and guarantee individual rights ^[6].

6. Wider institutional monitoring and guidance

The European Data Protection Supervisor (EDPS) and EU bodies continue to monitor and publish guidance on biometric use, reflecting the dynamic legal landscape: the EDPS tracks case law, issues formal comments (for instance on VIS biometric specs) and pushes for strong impact assessments and safeguards around biometric deployments ^{[7] [8]}. That institutional scrutiny supplements court decisions by shaping procurement, standards and assessments.

7. What reporting does not (yet) show

Available sources do not mention detailed implementation outcomes in every Member State after these rulings — for example, which national laws were amended, how police databases changed in practice, or whether mass collections have ceased everywhere (not found in current reporting). Some secondary commentary (law‑firm blogs) asserts wide‑ranging ECJ rulings on facial recognition and public‑space surveillance, but those accounts are not corroborated by the core CJEU/ECHR reporting in the search results provided ^[9].

8. Takeaway for readers and policymakers

The jurisprudence makes clear: EU courts have restricted blanket biometric retention and demanded legal clarity, necessity and safeguards; national authorities retain limited powers to keep biometric data but must justify, limit and review that retention under foreseeable laws ^{[1] [2] [4]}. Expect continued friction as states adapt legislation, and watch EDPS and court follow‑ups for how “foreseeability,” proportionality and erasure rules are applied in practice ^{[7] [8]}.