GDPR and biometrics: an overview

Biometrics and GDPR: definition, processing restrictions, and steps for compliant use.
Roy Jeunen

Understanding Biometric Data in the Context of GDPR

Biometric data, as defined by the GDPR, represents a unique set of personal data derived from specific technical processes linked to an individual's physical, physiological, or behavioral attributes. Examples include facial recognition, iris scans, and fingerprint data, which offer a distinct identification of a person.

While a mere photograph doesn't qualify as biometric data, a face print calculation derived from that photograph does, due to the technical processing involved. The inherent uniqueness of biometric data, unlike replaceable passwords, underscores its sensitivity and the heightened need for data protection.

The GDPR prohibits the processing of biometric data with a few exceptions

Can you process biometric data under the GDPR?

At its core, Article 9.1 of the GDPR restricts the processing of biometric data for identifying individuals. Yet, Article 9.2 introduces certain exceptions:

  1. Explicit Consent: The data subject must provide clear, informed, and unequivocal consent for data processing. This consent should be revocable at any time. Notably, several facial recognition initiatives in public spaces were halted post-2018 for not adhering to this clause. While this exception is generally valid in B2B contexts, it's often inadequate in employment scenarios due to potential consent coercion.
  2. Vital Interests: Applicable in emergency situations where the data subject's vital interests are at stake.
  3. Employment and Social Rights: Biometric data processing is permissible if it's crucial for upholding obligations or rights in employment, social security, or social protection domains.
  4. Legal Claims: If processing is essential for establishing, exercising, or defending legal claims.
  5. Public Interests: In cases where biometric identification is pivotal for public safety and security.

It's crucial to note that while these exceptions are standardized across the EU, individual member states can introduce additional national exceptions.

Non-compliance can lead to significant penalties.

Types of Biometrics and Their Implications

1. Fingerprint Recognition

Overview: Fingerprint identification involves analyzing the line patterns on the finger's surface. It's a widely accepted method due to its familiarity and cost-effectiveness.

Advantages: Ease of use, affordability, wide public acceptance.

Challenges: Vulnerable to spoofing, high false acceptance and rejection rates, issues with aging or damaged skin.

2. Facial Recognition

Overview: This technology compares facial features and shapes for identification. It's increasingly used for remote recognition and in security applications.

Advantages: Effective in crowd scanning, evolving rapidly with technology advancements.

Challenges: Requires direct camera engagement, variable security levels, cultural and religious considerations.

3. Iris Recognition

Overview: Involves scanning the iris using a specialized scanner, converting unique characteristics into a secure code.

Advantages: High security, consistent accuracy over time.

Challenges: User resistance, discomfort for individuals with certain eye conditions, slower processing.

4. Finger Vein Pattern Recognition

Overview: This method captures the vein patterns in the finger, offering more security than traditional fingerprint recognition.

Advantages: Faster, more secure, and user-friendly.

Challenges: Higher cost, issues with cold or 'dead' fingers, relatively unknown.

5. Palm Vein Pattern Recognition

Overview: Similar to finger vein recognition but uses the palm's vein patterns, providing even greater security.

Advantages: Highly secure, quick, and easy to use.

Challenges: Confusion with outdated hand geometry recognition, niche application.

6. Voice Recognition

Overview: Uses unique vocal characteristics for identification, commonly in banking and e-commerce.

Advantages: High security, user-friendly, cost-effective.

Challenges: Risk of mimicry, environmental noise interference.

7. Behavioral Biometrics

Overview: Based on individual behavioral patterns like keystrokes, gait, or lip movement.

Advantages: Subtle, continuous authentication, adds an extra layer of security.

Challenges: Privacy concerns, accuracy in diverse scenarios.

The stakes are high: Notable Fines and Cases

Processing biometric data under GDPR is a sensitive matter, and non-compliance can lead to significant penalties. Here are some notable instances:

  1. Swedish School's Oversight:

    A school located in northern Sweden embarked on a pilot project, utilizing facial recognition technology to monitor student attendance. This initiative, however, was met with stern disapproval by the Swedish Data Protection Authority (DPA). The DPA's investigation revealed that the school had violated multiple GDPR articles, leading to a fine of approximately 20,000 euros. While the school had sought to justify its actions based on obtaining consent, the DPA found this basis invalid due to the evident power imbalance between the students (data subjects) and the school (controller). This case marked the first instance of the Swedish DPA issuing a fine under the GDPR, highlighting the importance of ensuring lawful bases for processing biometric data, especially in sensitive environments like educational institutions.
  2. Dutch Company's Misstep:

    Employees of a Dutch company were mandated to scan their fingerprints for attendance and time registration purposes. However, the Autoriteit Persoonsgegevens (AP), the Dutch Data Protection Authority, determined that the company had no legal grounds to process these biometric data, which are categorized as special personal data. The company faced a substantial fine of 725,000 euros for this oversight. Monique Verdier, vice-chair of the AP, emphasized the heightened protection required for biometric data, noting the irreversible harm that could arise if such data were mishandled, such as potential blackmail or identity fraud.
  3. Clearview AI's Controversy:

    Clearview AI Inc., known for its facial recognition products, came under scrutiny from the Italian Data Protection Authority following reports about its data collection methods and subsequent complaints from privacy-focused organizations. The company was found to have unlawfully processed personal data, including biometric and geolocation information, without a valid legal basis. Clearview AI's actions were deemed to have violated several core GDPR principles, including transparency, purpose limitation, and storage limitation. The Italian Authority imposed a hefty fine of 20 million euros on Clearview AI. Additionally, the company was ordered to cease further data collection in Italy, delete existing data of Italian citizens, and appoint a representative within the European Union.

The EU's Advocacy for Biometrics: Safety and Security at the Forefront

While the GDPR and other regulations emphasize the protection of personal data and have led to significant fines for non-compliance, it's essential to recognize that the EU also actively promotes the use of biometrics in contexts where safety, security, and efficiency are paramount. Two notable instances underscore this stance:

  1. Maritime Security Legislation:

    The maritime industry, a linchpin of global trade, is responsible for transporting billions of tons of goods across the world's oceans annually. Given the vastness and significance of its operations, the industry requires stringent security measures. Belgium, as a key player in the maritime sector within the EU, introduced legislation in 2022 that emphasizes the integration of biometrics in maritime security. This move is not just about setting guidelines; it's a vision for the future of maritime security in the face of modern challenges. By mandating the adoption of advanced security solutions like biometric authentication, Belgium is not only ensuring the safety of its maritime operations but potentially setting a precedent for other EU nations to follow.
  2. Entry/Exit System (EES):

    The EES is a transformative initiative aimed at automating the registration of third-country travelers when they cross EU external borders. By capturing biometric data, including fingerprints and facial images, the system aims to replace the manual passport stamping process, which has its limitations. The EES is designed to prevent irregular migration, enhance the security of EU citizens, and streamline the border-crossing experience for legitimate travelers. The system also plays a pivotal role in detecting over-stayers and instances of identity or document fraud. Managed by eu-LISA, the EES is a reflection of the EU's commitment to balancing security needs with technological advancements.

The EU's dual approach—regulating biometrics on one hand and promoting it for security on the other—brings to the forefront a perennial debate: privacy versus safety and security. While the protection of individual rights and data is undeniably crucial, there are contexts, such as border management and maritime security, where the broader public interest might necessitate the use of advanced technologies like biometrics. The challenge lies in striking a balance, ensuring that while leveraging these technologies for safety, individual rights are not unduly compromised.

In essence, the EU's stance on biometrics is not monolithic. It recognizes the technology's potential in bolstering security and efficiency while also emphasizing the importance of safeguarding individual rights. The ongoing dialogue and legislative actions in the EU serve as a testament to its commitment to navigating this intricate balance.

The new Belgian Maritime Security Legislation aims to bolster security.

Best Practices for Lawful Biometric Data Processing under GDPR

  1. Country-Specific Regulations: Enumerate the countries in question and familiarize yourself with their specific regulations.
  2. Assess Lawfulness: Ensure the legitimacy of the consent based on both European and national standards. This includes explicit consent, the data subject's vital interests, and more.
  3. Conduct a DPIA: Undertake a Data Protection Impact Assessment to pinpoint potential risks associated with biometric identification.
  4. Transparent Communication: Maintain open channels with data subjects, elucidating the reasons for data collection, usage, retention, security measures, data transfer protocols, and their rights, especially the right to be forgotten.
  5. Robust Data Protection: Implement stringent measures to secure and safeguard biometric data, ensuring compliance with GDPR mandates.

By adhering to these guidelines and understanding the nuances of GDPR in relation to biometrics, organizations can ensure they're on the right side of the law while respecting individual privacy rights.

Roy Jeunen

Co-founder & Co-ceo

About the author:

Roy Jeunen is co-ceo & co-founder of NineID. His expertise lies in biometric access control, modern access flows, physical safety for highly regulated businesses, and fostering innovation. Roy has been a prominent speaker at various security events including ASIS International (#gsx2023 and #gsx2022), and IFMA World Workplace Europe, where he shared his deep insights and knowledge of the security industry. Known for his in-depth analysis and thought leadership, Roy continues to contribute valuable content to our blog, helping readers familiarize themselves with the intricacies of today's complex security landscape.