Biometrics under the GDPR: Stay compliant
Biometric data can be sensitive. Laws like the GDPR provide us with guidance around how to safely treat biometric data.
Biometric data as a special category
Biometric data is information collected through biometric technologies such as facial recognition or fingerprint scanners.
There are some very real privacy and data protection concerns. The misuse of facial features and fingerprints sounds considerably more ominous than the misuse of a cellphone number.
The General Data Protection Regulation contains a set of rules for the protection of personal data inside and outside the EU. The GDPR marks biometric data as a special category. This means that in principle you may not process biometric data. However, the regulation does allow you to process special categories of data if the processing falls within one of the lawful reasons for processing under the GDPR, such as explicit consent or public interest.
This information can be collected and stored alongside other personal data, such as the person’s name, place of residence and date of birth.
Processing is only allowed if the data subjects have given their explicit consent to the processing of their biometric data and if they are offered a genuine choice, including an alternative to biometric processing.
The protection of public health and safety and prevention of environmental damage are considered compelling interests that go beyond business or organizational interests.
Currently, there is a rise in biometric data collection, and data can be collected for surveillance purposes. As biometrics become more popular, certain countries, such as the USA and the UK, have begun using biometric tools for mass surveillance of their citizens. Legal and ethical questions have been raised about the collection, processing and storage of biometric data such as facial images.
The Swedish Authority for Privacy Protection fined a school for taking attendance through facial recognition technology. The fine was issued because the reason for processing biometric data did not fall into one of the allowed reasons under the GDPR.
The school had obtained parental consent to use facial recognition technology, but the Authority found that consent defective, as it was ‘forced’ by the imbalance of power between the school and the parents. In addition, the GDPR states that if the same data can be obtained through less intrusive means, such as signing a page, that means should be used instead.