According to the GDPR of the General Data Protection Regulation, with certain exceptions, the processing of biometric data should generally be prohibited. Data processed using special technical methods, such as fingerprints, facial images, retina, eye iris, human behavior or psychological characteristics, because these data are not easy to change to a certain extent, so they can be uniquely identified and defined To the individual. Therefore, individuals generally cannot change the biometric data like changing data such as name and residential address. If this kind of special type of personal data is leaked, the risk of infringement on the rights and freedom of the individual will be very high, and the duration will be very long, and it is very likely to accompany the individual for life. Therefore, data controllers and data processors should only read biometric data for processing under very exceptional circumstances.
The main provisions of the GDPR: Individuals agree to terms and related conditions
The GDPR stipulates that for the collection and processing of biometric data, the data subject must give clear, voluntary, informed and direct consent in the form of written (including Electronic) or oral statements. Therefore, the basic premise of consent is voluntary, specific, conscious and clear. In addition, the consenting party should know the purpose of consent.
The requirement of voluntary consent means that in terms of expressing consent, the data subject must have real freedom of choice, and can freely refuse or withdraw consent without adverse consequences. Therefore, if an individual does not grant consent to the processing of his personal data, it should not lead to the adverse consequences of discrimination against the individual, deterioration of the quality of the service provided, or unavailability of the service.
Real-world applications of biometrics: both universal and attractive
In practice, data controllers increasingly want to use personal biometric data. There are many reasons for this situation. The most important of these is that the use of biometric data can bring great convenience to data controllers in providing services and conducting business. In practice, the data controller can easily obtain some biometric data to make the service more efficient. For example, the personal identity verification can be achieved by placing the finger on the reader or the eye on the scanner; The use of fingerprint data can control the entry and exit of a room or building. The collection and use of these biometric data is more efficient and accurate. Compared with the previous password input and the use of proximity cards, it has great advantages. It is faster, more convenient and more accurate.
The application range of biometric technology is very wide, which also means that European data protection regulators will encounter more and more personal data protection issues related to biometric technology in law enforcement and other practices.
However, at the same time, it should be determined that if the use of biometric data does not meet the minimum principles prescribed by the relevant field or industry, then the data controller will not be able to process the biometric data. Therefore, in practice, data controllers should pay special attention to the processing of personal data by obtaining only the data necessary to achieve a specific purpose.
The Polish Data Protection Agency pointed out this in its April 28, 2020 guidance, emphasizing that data controllers and data processors should assess whether biometric data must be used to authenticate individuals and whether they have considered possible Security issues, etc. The Polish data protection agency stated that the use of biometric data requires security, so biometric technology can be used to give individuals the right to control access to the room, but biometrics should not be used when entering other rooms (such as workshops). Identify the data.
In addition, in 2019, the Swedish personal data protection supervisory agency also investigated a school’s handling of biometric data. The school uses the facial feature data of the students to confirm the relevant status of the students. The school’s consent is the legal basis for this data processing behavior. But in this case, the Swedish personal data protection agency still fined the school. The reason given by the Swedish Personal Data Protection Agency is that the processing of special categories of data must have a legal basis for processing, and must also comply with the basic principles of personal data processing. Therefore, if the agreed matters do not comply with the basic principles of minimization and purpose restriction stipulated in the GDPR, then consent cannot be the legal basis for processing personal data. The Swedish court also raised an objection to the school’s basis for processing biometric data. The court ruled that based on the “unequal” relationship between students and the school’s administrative department, students cannot freely express their consent to the processing of personal data.
Problems: Individuals are identified and discriminated
The collection and processing of biometric data should generally be carried out within the limits of the following objectives: one is to meet the wishes of the data subject, the other is to analyze and demonstrate the possible risks through a sufficient level of risk assessment, and the third is to Minimize possible violations of personal privacy. In Poland, data controllers and data processors tend to use biometric data. However, the processing of such data does not always achieve the above goals.
In the case of a school in Poland using the biometric identification data of students, the school set up a biometric identification system at the entrance of the cafeteria so that students can pay for meals in this way. When a lawsuit was filed against the administrator of the school, the Office of Personal Data Protection determined that the Polish legislation has clearly stipulated the types of data that the school can collect and use from students, and that the school is not allowed to process biometric data. In this case, the school still obtained the biometric data in the form of fingerprints and claimed to have processed the biometric data based on the written consent of the parent or legal guardian. In its decision, the Office of Personal Data Protection pointed out that the processing of biometric data is not necessary to achieve the goal of paying students to pay for meals and thus normal lunches. The school can perform identity recognition in other ways that will not interfere with student privacy. For example, in addition to the fingerprint identification system, the school has also set up an electronic card-based identification system. However, those children whose parents disagree to process their biometric data must be placed behind all the children who perform fingerprinting in the cafeteria queue. Therefore, the regulator concluded that there was discrimination against these people. In addition, in this case, the processing of such biometric data is out of proportion to its purpose.
Regarding the court’s decision and previous precedents
The chairman of the Polish Office for the Protection of Personal Data (UODO) fined the school 20,000 Polish zloty and ordered the school to delete the data. However, the school filed an appeal with the Provincial Administrative Court, which overturned UODO’s decision. In this case, the provincial administrative court ruled that both the “Civil Procedure Law” and the GDPR have stipulated the consent of the guardian to legalize the collection and processing of child biometric data.
However, UODO believes that the consent granted by parents to process the child’s biometric data cannot be considered voluntary, because failure to give consent will have negative effects, such as having the children to eat last. Based on this, parents can only agree.
At the same time, UODO believes that the reference document (OSK 249/09) provided by the Polish Supreme Administrative Court in its judgment on December 1, 2009 clearly stated that the use of employees’ biometric data to control working hours violates the adequate processing of personal data. The principle of sex, the use of biometric data to control employees’ working hours is not proportional to the expected purpose of processing the work. The ruling of the Provincial Administrative Court is in conflict with the previous ruling of the Supreme Administrative Court.
However, the Provincial Administrative Court held that UODO is too strict in applying the principle of data minimization. The court pointed out that the necessity requirements should be considered together with the sufficiency and appropriateness requirements. At the same time, considering various circumstances, the court believes that allowing the processing of biometric data in such cases may greatly help achieve the purpose of processing.
UODO disagrees with this ruling and believes that the data controller can only process the data needed to achieve a specific purpose. If unnecessary data processing is allowed just to help achieve a certain purpose, it may lead to processing an unlimited range of data under various excuses. The data controller can explain that although the data is not necessary, it may be useful for achieving a given purpose. This approach obviously violates the principles of minimization and appropriateness of personal data protection.
Taking into account the risks related to data processing and the basic principles stipulated in the GDPR, UODO filed an appeal to revoke the original judgment to the Supreme Administrative Court in response to the judgment of the provincial administrative court above, thereby annulling the decision.
GDPR attaches great importance to the protection of children’s personal data. Taking into account the risks, consequences, guarantees and rights to children and the immutability of biometric data, the possible negative consequences of the use of biometric data will last a lifetime. The problem should be handled carefully.