Processing of biometric data - Recommendation of the Belgian DPA

Previously, we sent a newsflash on the Belgian DPA’s draft recommendation on the processing of biometric data in which the DPA provided a one-year tolerance period for companies processing biometric data.  On 6 December 2021, the DPA published its final version of the recommendation on the processing of biometric data of 1 December 2021. In it, the DPA not only sets out the rules of the General Data Protection Regulation (“GDPR”) on the processing of biometric data, but also confirms that there can be no “free” consent in employment relationships, given the power relationship that exists between employer and employee. Consequently, the employer must look for another legal basis, but is there one today?

The DPA recommendation is quite extensive and deals with all aspects of the processing of biometric data in light of the GDPR. Below, we briefly discuss the main points:

  • Biometric data are personal data resulting from a specific technical processing operation related to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unequivocal identification of that natural person.
    Physical or physiological characteristics refer to the physical properties of persons, e.g., facial information, fingerprints and iris scans. Behaviour-related characteristics are behavioural characteristics that allow for the unique identification of the person, for example the use of keyboard, touch screen and mouse patterns and surfing and working behaviour at a computer for authentication of persons or identification based on the unique step pattern of persons.
  • The DPA indicates that the functioning of a biometric system should be split into 2 collection phases and 2 comparison phases.

The collection phase

The first collection phase is the moment when the biometric identifier of the data subject is collected and recorded either on an individual medium (e.g., badge or token) or in a database (enrolment or recording). It concerns reference information, being either the raw biometric data (e.g., image of the face, hand, iris or digital fingerprint) or the set of encoded information obtained from the individual and unique characteristics of the raw data (a template). In principle, raw data are converted into templates during the collection phase and will be deleted immediately afterwards.

The second collection phase is the moment when the data subject again presents his/her biometric characteristics to the system that has to authenticate him/her. This second biometric sample is then compared with the reference information to see if they match sufficiently.

Comparison of biometric data

There are two ways to compare the information obtained during the collection phases, namely the identification function and the verification function.

The identification function is to compare the information of the second collection phase with all the biometric information available in a biometric system and stored by definition in a database (“one-to-many comparison”).

The verification function compares the information of the second collection phase with the pre-registered information belonging to one person (one-to-one comparison).

The DPA indicates that the verification function is preferred, as the reference material does not necessarily have to be stored in a database. The identification function will only be used in exceptional and well-founded cases.

  • In its recommendation, the DPA distinguishes three ways to store the biometric templates.
  1. Management of the template by the person concerned (“actual verification”);
  2. Shared management;
  3. Exclusive management by the data controller.

The shared and exclusive management of biometric templates will only be possible in exceptional circumstances.

  • The DPA recognises that when biometric data is stored exclusively on the individual’s device and the biometric authentication process can take place locally and autonomously without external access, it can fall under the domestic exception, if the conditions are met, and consequently the rules of the GDPR do not apply. This could include, for example, personal authentication via smartphones and other electronic devices where facial recognition software and fingerprint sensors act as alternatives to a traditional PIN.
  • The DPA confirms that biometric data are a special category of personal data, the processing of which is prohibited under Article 9.1 GDPR, unless the data controller can cumulatively rely on a legal ground in accordance with Article 6 GDPR and one of the exception grounds exhaustively listed in Article 9.2 GDPR.

The DPA considers that the processing of biometric data can be based on two possible grounds for exception: “explicit consent” or “compelling public interest”.

Explicit consent

In order for biometric data to be a basis for the processing of biometric data, consent must be valid, which means that consent must be free, specific, informed and unambiguous. The DPA reiterates its position that there cannot be free consent in the context of an employment relationship, as in this case there is a power relationship between the data controller and the data subject. The DPA refers to a fine of EUR 725,000 imposed by the Dutch Personal Data Authority on a company that unlawfully processed fingerprints of its employees.

Compelling public interest

According to the DPA, the data controller may also invoke “substantial public interest” as a legal ground for processing biometric data when the conditions for explicit consent cannot be met due to an existing power relationship between the data controller and the data subject.

However, this legal ground can only be invoked if EU law or Member State law explicitly recognises these interests and allows the processing. At present, there is only one Belgian law that explicitly authorises the processing of biometric data, namely the law on population registers, identity cards, foreigner cards and residence documents. Furthermore, there is also the EU Regulation on the standards for security features and biometrics in passports and travel documents issued by Member States.

Unlike some of our neighbouring countries, the Belgian legislator has not chosen to provide for a general legal basis allowing for the processing of biometric data in the framework of the unique identification or authentication of a person for security purposes.

With the exception of the processing of biometric data in the context of the eID (electronic identity card) and the passport, the DPA underlines that there is a void in Belgian law which makes any other processing of biometric data in the context of the authentication of persons without a legal basis.

Moreover, the DPA is of the opinion that a generally formulated legal obligation of the data controller to take adequate security measures cannot justify the use of biometric data. There will always have to be a legal provision (general or sectoral), which explicitly authorises the processing.

In this regard, the DPA emphasises that the existence of a legal provision will not exempt any processing of biometric data and that it does not relieve the data controller of the obligation to substantiate the necessity and proportionality of the processing. The data controller will need to consider whether the purposes it is pursuing are such that the use of biometrics is unavoidable.

The DPA invites the Belgian legislator to provide a legal basis for the processing of biometric data insofar as it wants to (continue to) allow the use of biometric data in certain contexts. To this end, it is open to the sectors, organisations or professional bodies concerned to inform the legislator of their intentions.

In this final recommendation, however, the DPA no longer reiterates that it will respect a period of tolerance.

Otherwise, the recommendation also provides that when using biometric data, all other data protection principles must also be respected, especially, purpose limitation, proportionality, security and transparency.

Key message

According to the new recommendation of the DPA, companies can only rely on the legal basis of “consent” for the processing of biometric data. However, the DPA points out that the consent must be free, which will usually not be the case in a work context or in a school. Given that at present any legislative initiative explicitly authorising the processing of biometric data has failed to materialise, the employer who would process such data is left out in the cold. The Belgian legislator is urged to act quickly on the legal framework as it is obvious that some security measures require the use of biometrics. Previously, the DPA had explicitly announced a one-year grace period - since July 2021. This period is no longer mentioned in the final version of the recommendation.