On 6 December 2021, the Belgian Data Protection Authority published a Recommendation on the processing of biometric data (available in French and in Dutch). This text is in line with the European regulatory framework and continues an older opinion of the “Article 29 Data Protection Working Party” on developments in biometric technologies (WP193, adopted on 27 April 2013). Among other things, the Recommendation clarifies three questions.
1) What is biometric data?
The General Data Protection Regulation defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data” (article 4, 14)). Biometric data is distinct from genetic data and data concerning health (defined by the GDPR in article 4, 13) and article 4, 15)).
The Recommendation distinguishes two categories of biometric data. The first concerns physical or physiological characteristics (e.g. fingerprint, iris of the eyes, information about the face). The second category is broader and concerns behavioural characteristics. It is impossible to list exhaustively all possible ways of processing these characteristics. The Recommendation gives some examples: gait recognition, how a person uses the keyboard or touch screen, their navigation habits, their behaviour at work.
2) What are the legal bases for processing biometric data?
In the GDPR, biometric data is considered one of the special categories of personal data (article 9), which implies that its processing is in principle prohibited unless the controller invokes one of the legal bases listed in article 9(2). In addition, the processing must have a legal basis as provided in article 6(1).
According to the Belgian DPA, there are essentially two legal bases: consent (article 9(2), a)) and substantial public interest (article 9(2), g)).
To be valid, consent must meet several conditions: it must be free, explicit, specific, informed, unambiguous, and meet the requirements of article 7 GDPR (“Conditions for consent”).
The substantial public interest has to be recognised by Union or Member State law. In Belgian law, this legal basis can only be used for the processing of biometric data in the context of the eID and the passport. According to the Recommendation, where the legislator simply requires “sufficient security measures”, this does not validate and justify the use of biometric data. Furthermore, even if there is a more explicit legal provision, the controller must still check whether the purposes pursued make the processing of biometric data unavoidable.
3) What can be the purpose of processing biometric data?
According to the principle of data minimisation (article 5(1), b)), biometric data has to be processed to meet a specific purpose. The Recommendation gives some examples of purposes: direct marketing, DNA analysis in the medical sector, screening of public places to prevent crime, or recording working time in a professional context.
This Recommendation also clarifies several other points, elaborating on some of the principles of the GDPR and highlighting the key points in the context of biometric data processing. Without being revolutionary, the content of this Recommendation remains useful for a perfect understanding of these highly sensitive data.
By Edouard Cruysmans and Erik Valgaeren