Regulation of Biometric Data under the General Data Protection Regulation
The European Union’s General Data Protection Regulation (GDPR) offers the broadest protection for biometric data, which it defines as “personal data resulting from specific technical processing relating to the physical, physiological, and behavioral characteristics of a natural person.” See GDPR Art. 4(14). The GDPR designates biometrics as “special category” data and prohibits its processing absent certain enumerated exceptions, such as the data subject’s explicit consent, or reasons of public health or substantial public interest. See GDPR Art. 9.
A recent decision by the Dutch Data Protection Authority (DPA), which fined a local company €725,000 ($790,000) for processing its employees’ fingerprints in violation of the GDPR, illustrates the challenges facing European organizations trying to comply with these requirements. In that case, the company required its employees to scan fingerprints for attendance and time registration. The DPA concluded that the employer could legitimately rely on two exceptions to the prohibition on processing biometric data: if the employees are asked for explicit consent, or if the use of biometrics is necessary for authentication or security purposes. In the latter case, however, the employer must show that the company’s buildings and information systems need to be secured to such a degree that this can only be achieved by using biometrics. As the company had other identification methods available that did not involve biometrics, it could not establish this exception for the collection of biometric information.
The DPA also concluded that the company failed to demonstrate that its employees “explicitly” consented to the collection of their fingerprints. The GDPR requires that consent be “freely given, specific, informed and unambiguous.” See GDPR Art. 4(11). The burden is even higher where data subjects must “explicitly” consent to the processing of special categories of personal data. The DPA concluded that the company’s employees experienced the recording of their fingerprints as an obligation, and therefore the company could not demonstrate that they had given their express permission to collect biometrics.
In another recent case, the Polish Data Protection Authority imposed a fine on a school that was using a fingerprint reader at the entrance to the school cafeteria to identify children in order to verify payment of the meal fee. The DPA concluded that the school could have carried out the identification by other means that interfere less with the children’s privacy. Thus, in the Authority’s view, the use of biometric data, considering the purpose for which it was processed, was significantly disproportionate.
Considering the highly sensitive nature of biometric data and the consequences of its breach, its processing under the GDPR will often require data controllers to perform a data protection impact assessment, a process that helps companies identify and minimize the data protection risks of a project. Under the GDPR, a data protection impact assessment is required where “a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.” See GDPR Art. 35. The UK’s data protection authority, the Information Commissioner’s Office, specifically requires companies to conduct a data protection impact assessment if they plan to process biometric data.
Data protection impact assessments generally consider the necessity and proportionality of the processing, the risks to the rights and freedoms of individuals, and the measures to address those risks. See GDPR Art. 45. Even where the assessment cannot eliminate the risks identified, it should at least help companies minimize them and judge whether the remaining risks are justified.
Conducting a thorough data protection impact assessment before collecting and processing biometric data allows companies to proactively assess the necessity and proportionality of their biometric data processing, identify the risks to data subjects and to data security together with the measures to address those risks, and avoid the compliance issues encountered by the Dutch company and the Polish school.