On May 25, 2016 the EU Data Protection Regulation came into force. The new legislation, which was several years in the making, encompasses all recent technological developments including social networks, data analysis, the Internet of Things (IoT) and many other advances besides.
In this post we will explain how the new European Regulation defines and regulates biometric data processing and right to privacy, looking specifically at data protection issues and the free movement of such data.
This post is also available in Spanish.
The processing of biometric data referred to in Regulation (EU) 2016/679
To understand the topics covered in this post, it is important to note the following two points: firstly, what is "data processing" in the context of data protection and; secondly, what it is meant by "biometric data."
What is "data processing"?
"Data processing" means the treatment and handling of an individual’s data by a professional or entity, and involves basic access to their personal data for purposes of providing a service to the said individual, or to provide a service on behalf of another company or person. Data protection rules do not apply to legal entities.
In short, data processing means being able to access and even modify the private data of an individual person for a specific purpose.
What is meant by "biometric data"?
According to the definition in the new EU Regulation 2016/679 of 27 April 2016 (amending Directive 95/46 / EC), biometric data is defined as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data.”
Simply put, biometric data is any information that can uniquely identify an individual and is obtained through a variety of digitally-based techniques.
What impact has the new EU Data Protection Regulation had on biometric data?
Paragraph 1 of Article 9 of Regulation 2016/679 highlights that biometric data is to be considered a special category of personal data that it is prohibited from being used for the purposes of an individual’s identification.
It states the following:
“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited”.
Extenuating circumstances: when can biometric data processing be used for identification purposes?
Article 9 also provides a number of exceptions to this rule:
- when persons affected by such treatment have given their explicit consent for one or more of the purposes specified, unless that there is a legal ban at a European or national level;
- when data processing is necessary for the fulfillment of obligations and for the exercise of specific rights of the data controller (the company or person who treats the data initially) or for the exercise of specific rights of the affected or interested party itself, in regards to labor law, safety and social security;
- when it is necessary to protect vital interests of the concerned individual or other natural person if the he/she is not able to give consent;
- when data processing involves private data that the concerned individual had previously made manifestly public;
- when it is in the general public’s best interest;
- for all issues relating to preventive or occupational medicine, when it is necessary to evaluate an employee’s mental state, a doctor’s medical diagnosis, and the health and/or social care being provided.
The new regulation also permits Member States to introduce additional conditions or limitations, especially when genetic data, health-related and biometric data processing are concerned.
The objective of limiting biometric data processing is simply to avoid the risk of infringing upon the rights and freedoms of citizens, ensuring that they can move freely within the European Union, especially when data analyses are being increasingly performed on a large scale. To achieve this, all entities must now conduct impact assessments before proceeding with this type of data processing.
If biometric data was not collected for the sole purpose of uniquely identifying a user, this particular limitation would not exist. Still, we recommend the following precautions (discussed below) regarding the legal requirements established by the Regulation.
Data processing: legal precautions
1. Data quality or relevance
In a similar way to its predecessor, Regulation (EU) 2016/679 states that personal data should be treated in a lawful, fair and transparent manner in relation to the applicant; it should only be collected for specified, explicit and legitimate purposes.
The data collected should also be adequate, relevant and limited to what is necessary for their intended purpose(s).
Data must also be accurate and, if necessary, updated. Reasonable measures should be taken to delete or correct it without delay if inaccurate anddata will only be stored for the duration that is strictly necessary.
2. Legitimizing principles
The new legislation also emphasizes the importance of providing adequate security when processing data, declaring that it shall be deemed legally valid (Article 6) when it meets at least one of the following conditions:
- “the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
It also holds that Member States may introduce more specific measures to best implement the provisions of the Regulation, fixing more precisely specific treatment requirements and other measures to ensure lawful and equitable treatment provisions. The regulations of each EU member state will be able to tailor various aspects of the Regulation in response to cases arising in each territory.
In terms of consent, the new regulation establishes the following requirements:
- The controller must be able to demonstrate that the concerned party consented to the processing of his/her personal data.
This point had already been established in the previous legislation but is now emphasized as one of the first requirements of consent.
- If the person's consent is given in the context of a written statement that also refers to other matters, the request for consent shall be submitted so that it is clearly distinguishable from any other matters in an intelligible and accessible way using clear and simple language.
Several guidelines previously issued by the Article 29 Working Party, as well as by the Spanish Data Protection Agency in some of its resolutions and reports, had underlined the need for transparency during data processing with the appropriate provision of evidence of consent.
Who are the members of the "Article 29 Working Party"?
The Article 29 Working Party is an organization launched in 1996 and is made up of data protection authorities from each Member State of the EU, the European Data Protection Supervisor and the European Commission.
Their objectives are: issuing expert advice to States in relation to data protection; promoting the implementation of the Data Protection Directive in all EU member states and the European Commission; providing opinions on Community laws affecting data protection rights.
- The person concerned shall be entitled to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of the data processing based on consent before its withdrawal.
This last point is something of an innovation, because until now the ease of being able to withdraw consent had not been emphasized in the same way.
- In assessing whether the consent was given freely, it must be assessed as accurately as possible if, among other things, the execution of a contract, including the provision of a service, it is subject to the consent of the processing of personal data that were not in fact necessary for the execution of the said contract.
This last point rightly points out the importance of not processing more data than strictly necessary for the service or execution of a contract, especially because it’s known that companies often tend to collect more data than is strictly required for their service(s). Consequently, it is important that companies in their capacity as service providers assess what data they do need to serve and omit what does not contribute to that effort.
In short, the new regulation means that data controllers wishing to use biometric data must take into account that they will not be able to use such data for the merely purposes of identification. However, if this is necessary, any conduct must be in strict adherence to the legislation and, when using biometric data for the provision of services, processing should not go beyond what is necessary. The regulation insists on especially biometric data processing showing adequate evidence of user explicit consent, ensuring that other principles such as appropriateness or data quality are fulfilled, as well as secure processing and stressing the importance of withdrawal of consent being a straightforward process. As stated in this article, the above considerations have been deemed particularly important due to the potential risks associated with biometric data processing.
Important: although the new regulation has been in force since May 2016, will not be fully implemented until May 25, 2018.
This post is also available in Spanish.
This is a guest post by Vanesa Alarcón Caparrós.
This is a guest post by Vanesa Alarcón Caparrós.
- Essential guide to Europe's new Data Protection Regulation.
- Are eSignatures legal in Europe?
- What exactly is an audit trail and what electronic evidences does it contain?