The processing of personal data is often necessary for many different purposes. One specific purpose, the recognition of individuals, largely consists of two main activities: identification and verification.
Both activities are a part of everyday practice in a manifold of sectors. A quick and often precise way to accommodate these activities, is by making use of biometric technologies and biometric data (often referred to as biometrics, in technical and legal contexts).
While the act of identification is focussed on comparing the data of an individual to that of numerous of others, verification is aimed at matching physical, physiological and/or behavioural characteristics to specific biometric data of a specific individual, that has been stored in a database.
Apart from criminal suspects being tracked down and identified through finger prints, DNA or facial recognition, the use of biometrics has also found its way into the daily lives of law-abiding individuals.
Biometric data stemming from fingerprints is already being implemented into the chips of passports to serve as an additional means of verification. And in some specially secured buildings, datasets containing information about someone’s facial dimensions are already being compared to the facial dimensions of the person standing in front of the door hoping to enter, in order to verify whether this person actually has the authority to enter the premises.
Although the use of biometrics seems to have become commonplace and national privacy authorities as well as the overarching European Article 29 Working Party have spoken publicly on numerous occasions about the preconditions attached to applying biometric technologies, specific and explicit European legislation on these forms of data and the use of relating technologies has been absent until recently.
With the introduction of the new General Data Protection Regulation (From here on: ‘GDPR’), which will enter into force in May 2018, biometric data is explicitly incorporated into actual legislation. The regulation of biometric data under the preceding Privacy Directive and national laws was only implicit, through the general framework of rules applying to all personal data.
The GDPR on the other hand, specifically defines biometric data as: “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data” (Art. 4 [14]).
Moreover, the GDPR explicitly labels biometric data as a new category of ‘special data’. The sensitivity of biometric data stems from the fact that it is often used for the purpose of identification, and unauthorized or unintentional disclosure of biometric data may pose serious risks of identity theft, unauthorized access to buildings or systems by criminals, and any resulting consequences.
Another factor that makes biometric data particularly sensitive, is that it may not be possible (barring drastic measures) to change one’s biometric properties. Whereas passwords can easily be changed in the event of a breach, faces and fingerprints can’t. Furthermore, advances in medical technologies may also enable the use of biometric data to draw conclusions about the health of an individual, causing such data to also qualify as medical data, which is also regulated under the GDPR as sensitive data.
Therefore, data about a person’s physiological or behavioural characteristics only qualify as biometric data under the GDPR when this data is processed through a specific technical means allowing the unique identification or verification of the identity of a natural person. This implies that a picture of someone’s face only qualifies as ‘biometric’ in terms of privacy legislation when the picture is used to either uniquely identify, or verify, a person’s identity. The technologies used for this purpose typically assess a variety of factors (e.g. the distance between one’s eyes and nose, nose and mouth, etc) in order to uniquely identify a person. Ordinary photos of a person thus may not qualify as biometric data.
However, as technologies advance, certain data that previously did not qualify as biometric data, because they could not or were not used for (reliable) identification or authentication, may become biometric data when new technology becomes available, which can uniquely identify, or verify, a person’s identity from the same data. (The use of facial recognition for unlocking smartphones is a relatively new phenomenon, for example.)
The qualification of biometric data as a category of ‘special data’ leads to several consequences for parties that are looking to process this kind of data and employ biometric technologies. As a rule, the GDPR prohibits the processing of biometric data unless a specific exception applies. Most regular companies will need consent of the data subject to process biometric data (but beware that employees normally can’t give consent!), whereas certain organisations in the field of social security or employment, or hospitals, may be able to apply other legal grounds for processing biometric data.
As the use of biometric data is still very much in development, and culturally determined views on how such data should be treated and regulated may vary widely across the EU, the European legislator has left room for national governments to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
Although the GDPR contains a general prohibition of the use of biometric data, this does not mean that this technology will be banned altogether. With consent of the data subject, or in specific cases where the use of such data really is necessary and proportionate for a specific legitimate purpose, biometric technologies can be used under the GDPR.
Because the EU member states have not been able to reach a clear consensus about the use of biometric data, however, the legal requirements applicable to the use of biometrics can still vary between the member states. This means that the GDPR cannot entirely live up to its promise of completing the internal market by fully harmonising the requirements applicable to the processing of personal data, at least where the processing of biometric data is concerned.
Parties looking to incorporate biometrics into their daily operations, not only need to consider the specific national laws that may apply, but they also need to take into account the (other) novelties that the GDPR brings to the fore, which have implications of their own for the use of biometric data and biometric technologies. For example, a data protection impact assessment, and privacy by design are also important to consider under the GDPR, when implementing biometric technologies.
Authors: Jorden Bailey and Matthijs van Bergen