Biometric data (such as fingerprints and facial recognition) benefit from special protection under the GDPR due to their sensitive nature. The Data Protection Authority (DPA) has recently published a draft recommendation that controllers can use as a guide when processing such data. Below we take a closer look at this recommendation.
In contrast to the situation before the GDPR entered into force, biometric data are, according to Article 9.1 of the GDPR, a special category of personal data. The processing of biometric data is therefore prohibited, unless the controller can legitimately invoke one of the legal bases listed exhaustively in Article 9.2 of the GDPR.
Two of the legal bases referred to in the DPA’s recommendation are "explicit consent" and "substantial public interest".
Although the DPA previously accepted consent as the legal basis for processing biometric data in specific cases, and required that an alternative be provided where consent is not given (e.g. a badge) (see our previous newsflash on this matter), the DPA now seems to take a different view, insisting that for consent to be used as a legal basis it must be valid (i.e. freely given, specific, informed, an unambiguous indication, and explicit). According to the DPA, consent is deemed not to be freely given in the context of the employer-employee relationship due to the relationship of subordination between the employer and the employee. For this reason, the DPA considers it problematic for employers to process biometric personal data of employees on the basis of consent, as it is unlikely that the consent will be freely granted.
Consent as the legal basis to process other types of personal data was already excluded by the DPA. Additionally, we should keep in mind that the employee can withdraw his or her consent at any time. Therefore "consent" cannot be considered a "solid" legal basis.
Secondly, the DPA addresses in its recommendation the legal basis of "substantial public interest".
Questioning the legal basis of "consent", especially in the relationship between employer and employee, indeed implies invoking "substantial public interest" as a legal basis for processing biometric data, which can only be invoked in specific cases specified by the law. However, the only law that currently explicitly provides for the processing of biometric data is the Act of 19 July 1991 on population registers, identity cards, foreigners cards and residence documents.
Unlike some of our neighbouring countries, such as the Netherlands, the Belgian legislator did not provide a general legal basis authorising the processing of biometric data in the context of the unique identification or authentication of a person for security purposes.
With the exception of processing of biometric data in the context of the eID (electronic identity card) and passport, the DPA underlines that there is a gap in Belgian law such that any other processing of biometric data in the context of authentication of persons is currently without legal basis.
The DPA therefore concludes that although the processing of biometric data in the framework of the identification or authentication of persons can be justified in certain cases (i.e. authentication of persons for security purposes, etc.), basing a processing on the legal basis of substantial public interest without any legal provision to that effect seems incompatible with Article 9(2)(g) of the GDPR.
However, the DPA recognises that these new requirements result in a split with the regime prior to the entry into force of the GDPR.
Therefore, taking into account the principles of good governance, the DPA grants a transition period of one year, starting from the publication of its recommendation, during which the processing of biometric data will be tolerated in accordance with the old standard. During this period, the DPA will not proactively intervene. This one-year period should allow controllers and the legislator to provide a legal basis to bring the processing of biometric data into compliance with the provisions of the GDPR.
The DPA also recalls that, when dealing with biometric data, the general principles in the GDPR should always be carefully considered, including:
- Purpose limitation: The DPA emphasises that even with explicit consent, biometric data may not be used for any other purpose, for example simply because it is easy for the controller. The processing must be necessary for the intended purpose and the benefit for the controller must outweigh the disadvantages and risks for the data subject. Furthermore, where biometric data can be processed for a specific purpose (e.g. access control), they cannot be processed for other purposes (e.g. time registration);
- Proportionality: even if the controller has a legal basis for processing personal data, such data must always be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. For example, in order to secure the registration of access control, the processing of biometric data must be limited to the areas for which this processing is necessary;
- Security: the controller must use the appropriate technical (e.g. encryption, integrity code, ...) and organisational (limited access, training, ...) measures to secure biometric data and limit their storage. The DPA also recalls that a data protection impact assessment (DPIA) is required when processing biometric data;
- Transparency: data subjects (employees) must of course be well informed about what, how and why their biometric data are processed.
Finally, the DPA confirms that the domestic use of biometric data (e.g. on smartphones or apps) falls outside the scope of the GDPR.
Many employers currently use the legal basis of “explicit consent” to process their employees’ biometric data, which seemed to be tolerated by the DPA. However, in its draft recommendation, the DPA now questions the 'free' nature of consent in the context of the employer-employee relationship due to the relationship of subordination between the employer and employee. Pending an appropriate legal ground for exception, free consent remains the only defensible basis for the processing of biometric data (provided, however, that all conditions are met for such consent to be considered 'valid'). In addition, the general principles of the GDPR should always be considered and a DPIA should be carried out.
However, doubts remain as to what will happen after this transitional period. To be continued ...