On 6 December 2021, the Belgian Data Protection Authority (the BDPA) published a recommendation on the processing of biometric data (the Recommendation). The aim of the Recommendation is to provide guidelines to controllers and processors on how to interpret, and comply with, the GDPR when processing biometric data.
As you will know, with the entry-into-force of the GDPR, the legal qualification of biometric data has considerably changed. While prior to the GDPR biometric data were considered ‘regular’ personal data, under the GDPR biometric data are considered ‘special category data’ (also referred to as ‘sensitive data’) within the meaning of Article 9 (1) GDPR. As a result, the processing of biometric data is prohibited, unless the controller can rely upon both a legal ground under Article 6 GDPR and a ground for exemption under Article 9 (2) GDPR.
Below are some of the key take-aways from the Recommendation.
Definition – ‘Biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (Article 4 (14) GDPR). The BDPA however points out that even when such data are not processed with a view to unique identification, such data will be considered as biometric data when unique identification would nevertheless be possible.
Types – The GDPR distinguishes between two (2) categories of biometric data: biometric data based upon physical or physiological characteristics (e.g., facial images, fingerprints, etc.) and biometric data based upon behavioural characteristics (e.g., gait recognition).
Role of the parties – Attention must be paid to the role of the parties in the context of biometric systems. Where a biometric service provider may also use the biometric data for its own purposes (e.g., to enlarge its database, improve its systems, etc.), the service provider will have a double role as processor (for the purposes defined by the controller) and controller (for its own purposes).
Household exception – The so-called ‘household exception’ applies to the use of biometric systems for access to personal devices (e.g., smartphone, tablet, etc.), but subject to strict conditions:
- the data subject uses the device or service for private purposes (the Recommendation does not address the mixed use of devices for professional and private purposes);
- the data subject him/herself has decided to activate biometric identification/authentication (i.e., the household exception cannot be relied upon when employers render the use of biometric identification/authentication mandatory or the device/service provider does not offer an alternative);
- the biometric template must be stored on a partitioned environment of the device and subject to a high degree of security; and
- the biometric template must be encrypted by a state-of-the-art technology.
Processing operations – Within any biometric system, three (3) processing operations can be distinguished:
- during the enrolment phase, biometric data of a data subject is collected and registered (e.g., a fingerprint is registered); this can be in the form of raw data or a template; only in very exceptional cases, raw biometric data may be registered; in principle, raw biometric data must immediately be converted into a template and subsequently discarded;
- during the identification/authentication phase, biometric data of a data subject is (again) collected in order for it to be compared with the template registered earlier (e.g., a data subject places his finger on a fingerprint reader attached to an access system); here, the threshold used (i.e., as of when the biometric system will consider there is biometric similarity) is important; and
- during the comparison phase, a distinction must be made between identification (one-to-many comparison) and verification (one-to-one comparison); the latter is preferred and identification can only be used in exceptional and motivated cases.
Storage – Three types of storage can be distinguished:
- exclusive management of the template by the data subject, including storage on the device, without any links to other IT systems; this is the preferred storage method; other storage methods can only be used in exceptional cases;
- shared management of the template: a central database managed by the controller, but the controller cannot use the template without the data subject’s consent (e.g., the template is encrypted and the key is held by the data subject); and
- exclusive management of the template by the controller: a central database managed by the controller, in which the templates are accessible and exploitable by the controller; in this case, the most stringent conditions must be observed.
Legal ground – The Recommendation only recognises two (2) possible legal grounds for the processing of biometric data in Belgium: explicit consent (Article 9 (2) (a) GDPR) and substantial public interest (Article 9 (2) (g) GDPR).
Substantial public interest – ‘Substantial public interest’ can currently only be relied upon in connection with the processing of biometric data in the context of the Belgian electronic identity card (eID) and the European passport. There are currently no other Belgian of EU laws permitting the use of biometric data in Belgium for substantial public interest reasons. Importantly, the BDPA clarifies that ‘substantial public interest’ must be foreseen in a law that explicitly permits the processing of biometric data. For example, the GDPR’s general requirement to take appropriate organisational and technical measures to secure the data (or sectoral laws regarding security/safety) cannot be relied upon to justify the processing of biometric data.
Explicit consent – The Recommendation goes to great lengths to explain the requirements to obtain (i) valid consent and (ii) explicit consent. Notable recommendations are the following:
- it is unlikely that consent can be relied upon by employers (with respect to their employees) or school directions (with respect to their students) because of the imbalance of power (the Recommendation however does not consider the scenario where use of biometric data is optional);
- it is up to the controller to prove that consent is freely given;
- consent must be specific, which means that function creep (i.e., broadening or blurring of purposes after consent has been obtained) must be avoided;
- consent must be informed, meaning that the data subject must perfectly understand for what consent is sought; here, the Recommendation lists the minimum information that must be provided;
- consent must be an unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action;
- consent must be explicit, but various means exist to obtain such explicit consent (e.g., written statement, electronic form, sending of an e-mail, scanned document with signature, electronically signed document);
- the controller must prove the existence of valid consent; to this end, the controller may retain personal data, however such retention must end when the processing has been terminated, unless the data must be kept to comply with mandatory retention obligations or in the context of legal claims; and
- the data subject has the right to withdraw his/her consent; in such case, all data must be discarded, even where the data subject did not (explicitly) exercise his/her right of deletion.
Proportionality – Specific attention must be paid to the proportionality of the processing of biometric data. Biometric data can only be processed in case the controller can demonstrate that the purpose(s) cannot reasonably be achieved by other means. The manner of storage of biometric data (see above) plays an important role in the context of the proportionality test. Also the biometric data used are an important factor in that analysis. Any use of biometric systems must also be limited to the areas or services that justify the use of such systems.
Security – The Recommendation suggests a series of technical and organisational security measures that can be taken in order to secure the processing of biometric data. Specific attention must be paid to the implementation of the principles of data protection by design and data protection by default.
Transparency – The transparency obligations are closely linked to the requirements regarding valid explicit consent and must hence be complied with (see above).
DPIA – Any processing of biometric data must form the subject of a prior Data Protection Impact Assessment. This is not only the case for the implementation of biometric systems for unique identification of data subjects in a public area or a publicly accessible private area (as mentioned in Decision 01/2019), but also for other processing of biometric data.
Please do not hesitate to contact us in case of further questions.