German Courts v. EU-Standards – The question of breaking down biometric protections by force
By Prof. Dr. Carsten Momsen and Miriam Süttmann
A German police officer, writing on an independent police journal’s online blog, recommends to “assist [the phone user] in unlocking their phone, if needed by force”, if they are present. Meanwhile, grassroots groups, protest organizers and human rights organizations are warning citizens “to not have face or fingerprint lock on your phone, as the police can use those to unlock your phone without your consent”.
In October 2024, the ECJ laid out in its Landeck ruling (Case C-548/21) how the EU rights framework limits and imposes requirements on law enforcement’s access to personal phones, and even on attempts to access them. Due to the sensitive nature of the data stored on them – including biometric information, personal recordings, photographs, cloud keys, health data and business secrets, which can be used to create movement or personality profiles – the court declared that any attempt to access phones and bypass locking measures seriously interferes with the fundamental right to privacy and the protection of personal data. The thresholds are therefore high: while not completely precluded, access to mobile phone data must be based on a suitable enabling provision and guided by the principles of data minimization and proportionality. Respect for these principles is to be guaranteed by prior review by a judge or an independent administrative body.
In Germany, the prevailing judicial practice is that law enforcement officials are authorized to unlock smartphones through fingerprint scans – and other biometric features – on the basis of Section 81b, which stipulates the collection of photographs and fingerprints of the accused. Post-Landeck, two decisions by a higher regional court and the federal court have upheld this reasoning, which severely misinterprets the ECJ’s ruling. Both the higher regional court in Bremen and the federal court recognize Landeck as a landmark ruling. Still, both courts come to the conclusion that accessing the device and processing/storing the information are two separate measures that can be assessed separately and find their legal basis in different provisions.
Moving beyond a superficial approach that focusses on the use of biometrics, the actual substance of the investigative measure comes to light: A prelude to the use of and access to data. Unlocking the device is merely a necessary preparatory or accompanying measure to searches of the device, chats, cloud storage, etc.
It is recognized that accompanying legal measures intended to enforce the primary measure can be based on the provision allowing the primary measure, if their impact is negligible. This is because many of these (primary) measures will have to be carried out against the will of the person concerned. For example, a search of an apartment may involve breaking down the front door. Now if a police officer uses my finger as a crowbar to break down the digital door to my smartphone – why shouldn’t this be treated as an annex to the subsequent search of my device?
Hence, what is needed is a suitable basis for a device search that first has to overcome security mechanisms. A specific regulation for forcing biometric unlocking has not been put in place by the German legislator. It cannot simply be seen as part of the general search of an apartment, as this would disregard key differences with regard to the direct impact on the fundamental right to informational self-determination when accessing a secured device against the will of the user.
Section 81b, on the other hand, is also clearly unsuitable: albeit created in an open manner to encompass technological advancements (as the courts pointed out, OLG Bremen para. 13, BGH para. 62), this does not absolve a measure from the necessity to align with the purpose of the clause – determining physical characteristics and conducting biometric/dactyloscopic comparisons – which the unlocking of a phone clearly goes beyond. Due to the intensity and the often highly personal nature of the data stored on an information technology system, the intrusion rather compares to the (secret) intrusion into the sanctity of the home – or the secret.
As cyber-investigations expert Dr. Felix Ruppert pointed out in Legal Tribune Online: Section 81b offers no protection against the extent and intensity of smartphone access, nor does it impose correspondingly high barriers to intervention. This comes as no surprise, as the regulation was never intended to interfere with fundamental IT rights. The fact that it is unsuitable for this purpose is a logical consequence.
In conclusion, German court practice stands in direct contradiction to the ECJ’s Landeck ruling and in disregard of the importance of the right to privacy. By abandoning procedure codes and making all means available to the sacred cause of prosecuting crime, the courts are exceeding their authority and creating significant uncertainty surrounding the requirements for breaches of security measures designed to protect the data on mobile phones – devices that store the most intimate information. The only true solution to this worrying trajectory is a legislative one: either the scope of section 100b should be broadened, or an appropriate provision should be found that takes into consideration fundamental rights as specified by Landeck. The fact that, despite almost a decade of debates, there have been no legislative efforts is concerning. Let us hope that the ECJ’s decision will finally prompt the German legislature to act. Or will we have to wait for an intervention from the Constitutional Court?
Until then, until there is clarity on the legal basis and procedure, courts must rule that any evidence obtained through forced biometric unlocking is inadmissible.
Prof. Dr. Carsten Momsen is a member of Fair Trials Europe’s LEAP network.