DPA publishes final recommendation on the use of biometrics
On 6 December 2021, the Belgian Data Protection Authority published its final recommendation on the use of biometrics (Recommendation 01/2021 of 1 December 2021).
The final text of the recommendation highlights that, since there is currently no legal norm in Belgian law that authorizes the processing of biometric data for the authentication of individuals, and insofar as explicit consent cannot be invoked, such processing is currently performed without a legal basis. Many companies will be especially disappointed to read that the DPA has also deleted the notion of a ‘grace period’ from its final recommendation, contrary to what it had announced in the draft text published in July 2021.
Biometric data that is used for the unique identification of a person (e.g. for authentication purposes or access control) is qualified as a ‘special category of personal data’ subject to Article 9 GDPR. This provision includes a general prohibition to process such data, unless a specific ‘derogation’ (as listed in Article 9.2 GDPR) can be relied upon.
For the processing of biometric data, the ‘derogations’ generally relied upon are (i) the explicit consent of the data subject, and (ii) the necessity for reasons of substantial public interest, as laid down in EU or Member State law.
As Belgian law currently contains no specific provisions allowing for the processing of biometric data for reasons of substantial public interest, and consent is often deemed problematic, especially in an HR context, the Belgian DPA prioritized the publication of a recommendation in this respect as part of its “2020-2025 Strategy”.
Upon analysis of the final recommendation of the DPA, we have identified the following key takeaways:
- A valid consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, agrees to the processing of personal data relating to him or her. In relation to biometric data, this consent must not only be unambiguous, but "explicit".
- Consent is only free if there is a “real choice” (meaning that no detriment is attached to a refusal and that the data subject cannot feel pressured to consent). In determining whether consent is "freely given", it is important to consider whether the performance of a contract or the provision of a service is made conditional on the consent being given. A situation of “imbalance”, and a presumption that consent is not “freely given”, exists in particular in employer-employee relationships and where a product or service holds a (quasi-)monopoly on the market.
- The DPA cannot take the place of the legislator. Therefore, any processing of biometric data for which it cannot be demonstrated that it is based on a valid, free and explicit consent, currently takes place without legal basis.
- Compliance with purpose limitation, data minimization and proportionality principles is particularly important for the processing of biometric data. This includes measures such as (i) storage of the biometric template on a card or device managed by the data subject (and not by the data controller), (ii) immediate deletion of raw biometric data after conversion to templates, etc.
- Data protection impact assessments will generally be required before implementing the processing of biometric data.
Finally, the DPA also sheds some light on the (limited) scenarios in which the “household exception” of the GDPR is deemed to apply and biometric data processing may fall entirely outside the scope of the GDPR (e.g. where biometric authentication is used by smartphones or other devices as an alternative to password or PIN code authentication, with the biometric data remaining on the device under the user’s control).
No transitional ‘grace period’…
In the draft version of its biometrics recommendation, as published for public consultation in July 2021, the DPA had agreed to apply a "transitional period" of 1 year. During this period, the DPA would in practice tolerate situations where biometrics were used by employers "according to the old norm" (i.e. pre-GDPR, when biometric data were not a ‘special category of personal data’).
Although it remained unclear how this approach would work in practice (e.g. whether sanctions would be waived even in the case of a data subject complaint) and whether 1 year would be sufficient for the Belgian legislator to implement a specific legal basis for the processing of biometric data for authentication purposes (cf. the Netherlands, which has such a provision in its GDPR implementation act), this idea now appears to have been abandoned by the DPA. The final version of the recommendation no longer refers to any type of ‘grace period’.
Other points of attention
When processing biometric data as a data controller (or processor) subject to the Belgian Data Protection Act of 30 July 2018, note that Article 9 of this Act provides that the data controller (as the case may be, the processor) must:
(i) designate the categories of persons who have access to the personal data, whereby their role in relation to the processing of the data concerned needs to be precisely defined;
(ii) keep the list of the categories of persons thus designated at the disposal of the DPA; and
(iii) ensure that the designated persons are bound by a legal or statutory obligation, or by an equivalent contractual provision, to observe the confidential nature of the data concerned.
This provision, which also applies to the processing of health data, genetic data and criminal data (cf. Article 10 of the Act of 30 July 2018), is often overlooked. In practice it means that role-based access to biometric systems must be documented (who can enrol, verify, export or delete templates), that the list of those roles must be available for the DPA on request, and that the persons in those roles must be under a confidentiality obligation.
We remain available to assist with any further question you may have on this topic.
Stéphanie De Smedt, Counsel, Attorney at Law
Stéphanie De Smedt, attorney at law, is a member of the Litigation & Risk Management practice group in our Brussels office. She is head for Belgium of the IP/IT & Commercial Contracts Team, the Data Protection Team and the Life Sciences Team.
T: +32 2 773 23 77