On December 6, 2021, the Belgian Data Protection Authority (Belgian DPA) issued its recommendation on biometric data processing (Recommendation).[1] The Recommendation provides guidance on how to comply with the General Data Protection Regulation (GDPR) when processing biometric data.
Key Takeaways
- Whether a behavioral characteristic is biometric data requires a case-by-case assessment. Under the GDPR, the concept of “biometric data” covers not only physical or physiological characteristics (such as facial images, fingerprints, or iris patterns), but also individuals’ behavioral characteristics (such as gait pattern or keyboard, touch screen, or mousepad use patterns).[2] The DPA clarifies that behavior-related data will qualify as biometric data if it allows for the unequivocal identification of the individual concerned.
- Local storage. The DPA states that, as a rule, raw biometric data should be converted into biometric templates at the initial collection, after which the raw data should be immediately deleted.[3] Any data samples collected to perform a biometric comparison should not be kept for longer than necessary to compare the collected data with the template. The DPA further recommends that biometric templates should be stored on the individual’s device, or in a biometric sensor installed on a device that is separate from other IT systems (e.g., badge or token).[4] Controllers may only deviate from this in exceptional circumstances, for instance, where the loss of a token or badge could have serious consequences, such as losing access to an emergency room or nuclear power plant. In addition, the DPA favors biometric verification over biometric identification, since biometric verification does not require data storage in a central database. Biometric identification entails comparing the biometric data of an individual with all pre-registered biometric data available in a database (‘one-to-many comparison’). In a verification function, biometric data is compared with the pre-registered information of a single person (‘one-to-one comparison’).
- The GDPR’s household exemption[5] only applies under strict conditions. The GDPR does not apply to the processing of personal data by a natural person when carrying out a purely personal or household activity. To invoke this ‘household exemption’, the biometric service or device provider must prove that the following conditions are cumulatively satisfied:
  - The data subject uses the biometric device or service privately (i.e., the biometric data can only be used by the data subject him/herself);
  - The data subject independently decides to use the biometric feature (employers can thus not rely on the household exemption to roll out biometric authentication procedures) and an alternative non-biometric option must be provided;
  - The biometric template must only be stored on the device itself and only be accessible to the data subject; and
  - The biometric template must be encrypted.
- Split responsibilities between the controller and the biometric service provider. The DPA concludes that each actor involved will carry—and need to demonstrate compliance with—different responsibilities. For example, the device hardware or software developer is responsible for proving the technical integrity of its system. The provider of a service using biometric data is responsible, for instance, for demonstrating that an alternative authentication method is available and that biometric authentication can only take place using a template stored in the appropriate partitioned environment of the device.
- Explicit consent. The DPA states that biometric data processing is in principle prohibited, unless one of the legal grounds in Article 9 GDPR applies. Article 9 lists the available legal bases for the processing of special categories of personal data (also often named “sensitive data”), which includes biometric data that is processed “for the purpose of uniquely identifying a natural person.” However, the Recommendation does not distinguish between different use cases for biometric data. This implies that the DPA may consider all biometric data subject to Article 9, regardless of the purpose for which the data are used. The DPA states that the primary legal grounds for the processing of biometric data will be either the individual’s explicit consent (which must be freely given) or an overriding public interest.
- Examples of appropriate security measures. The DPA gives examples of security measures to address the risks of biometric data processing. These include encryption, fraud detection measures, an effective system for deletion of biometric data, a strict retention policy, staff training, and continuous testing. In particular with regard to biometric authentication technologies, the DPA lists the following safeguards:
  - The percentage of false positives/negatives should be appropriate to the required security level of the service (e.g., a low false positive rate for access to a smartphone, bank details, or encrypted documents);
  - The technologies must at least be resistant to attacks which, according to the state of the art, are trivial (e.g., use of a photo to mislead facial recognition software or hardware);
  - There should be only a limited number of authentication attempts allowed (e.g., after three failed attempts the individual will only be able to access an application via a PIN code).
- Data Protection Impact Assessment is required. The DPA finds that any biometric data processing requires a data protection impact assessment (DPIA). This goes beyond the DPA’s previous guidance on DPIAs, in which the DPA only required a DPIA for biometric data processing for the purpose of uniquely identifying a natural person in spaces accessible to the public.[6]
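The local-storage and security-measure points above (template kept encrypted on the device, one-to-one verification rather than a central one-to-many database, raw sample discarded once compared, a match threshold chosen for the required security level, and lockout with PIN fallback after three failed attempts) can be sketched as a single on-device verification flow. The Python below is an added illustration written for this summary; it is not code from the Recommendation or from any vendor. The feature extractor, the distance metric, the threshold value, the constructed sample vectors, and the SHA-256 counter-mode keystream that stands in for the platform's secure-element encryption are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

MAX_ATTEMPTS = 3        # after three failures the biometric path is locked and only the PIN is accepted
MATCH_THRESHOLD = 0.15  # assumed: lower threshold = fewer false accepts but more false rejects


def extract_template(raw_sample: List[float]) -> bytes:
    """Reduce a raw sample to a compact template (quantised feature vector).
    Constructed stand-in for a real feature extractor; the raw sample is not stored."""
    return bytes(max(0, min(255, round(v * 255))) for v in raw_sample)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; assumed stand-in for the device's secure-element cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_template(key: bytes, template: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(template, _keystream(key, nonce, len(template))))


def decrypt_template(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def template_distance(a: bytes, b: bytes) -> float:
    """Mean absolute difference between two templates, normalised to [0, 1]."""
    return sum(abs(x - y) for x, y in zip(a, b)) / (255 * len(a))


@dataclass
class Device:
    """Everything lives on the user's device: no template ever leaves it (one-to-one verification)."""
    device_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    encrypted_template: Optional[bytes] = None
    pin_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pin_hash: Optional[bytes] = None
    failed_attempts: int = 0

    def enrol(self, raw_sample: List[float], pin: str) -> None:
        template = extract_template(raw_sample)
        self.encrypted_template = encrypt_template(self.device_key, template)
        self.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.pin_salt, 100_000)
        del template  # only the encrypted template is retained; the raw sample is never persisted

    def verify(self, raw_sample: List[float]) -> str:
        """Returns 'accepted', 'rejected' or 'locked'. Counts failures and locks after MAX_ATTEMPTS."""
        if self.encrypted_template is None:
            raise RuntimeError("no template enrolled")
        if self.failed_attempts >= MAX_ATTEMPTS:
            return "locked"
        probe = extract_template(raw_sample)
        template = decrypt_template(self.device_key, self.encrypted_template)
        dist = template_distance(probe, template)
        del probe, template  # comparison done: drop the decrypted template and the fresh sample
        if dist <= MATCH_THRESHOLD:
            self.failed_attempts = 0
            return "accepted"
        self.failed_attempts += 1
        return "locked" if self.failed_attempts >= MAX_ATTEMPTS else "rejected"

    def verify_pin(self, pin: str) -> bool:
        """Non-biometric fallback; a correct PIN re-enables the biometric path."""
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.pin_salt, 100_000)
        ok = self.pin_hash is not None and hmac.compare_digest(candidate, self.pin_hash)
        if ok:
            self.failed_attempts = 0
        return ok


# Constructed sample vectors: a genuine enrolment, a slightly noisy re-capture of the same
# person, and an unrelated impostor sample.
GENUINE = [0.20, 0.80, 0.50, 0.30, 0.90, 0.10, 0.60, 0.40]
GENUINE_NOISY = [0.23, 0.78, 0.52, 0.27, 0.91, 0.12, 0.58, 0.43]
IMPOSTOR = [0.90, 0.10, 0.20, 0.80, 0.30, 0.70, 0.10, 0.90]


def run_demo() -> List[str]:
    """Walk through accept, three rejections leading to lockout, PIN fallback, and recovery."""
    dev = Device()
    dev.enrol(GENUINE, "4321")
    results = [dev.verify(GENUINE_NOISY)]
    results += [dev.verify(IMPOSTOR) for _ in range(MAX_ATTEMPTS)]
    results.append(dev.verify(GENUINE_NOISY))      # still locked, even for the genuine user
    results.append("pin:" + str(dev.verify_pin("0000")))
    results.append("pin:" + str(dev.verify_pin("4321")))
    results.append(dev.verify(GENUINE_NOISY))      # biometric path re-enabled after correct PIN
    return results


if __name__ == "__main__":
    print(run_demo())
```

The threshold is the knob the first safeguard talks about: raising it lets more noisy genuine captures through at the cost of more impostor matches, so a service guarding bank details or encrypted documents would set it lower than one unlocking a low-risk feature. The attempt counter implements the third safeguard, and because the template only ever exists decrypted inside `verify` for the duration of one comparison, the device never holds a raw sample or a plaintext template at rest.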
Conclusion and Next Steps
Companies operating biometric solutions or considering the deployment of such solutions should review their (intended) practices in light of the Recommendation. In particular, companies should assess their responsibilities and how they can implement the recommended measures to reduce privacy risks.
Wilson Sonsini Goodrich & Rosati routinely advises clients on GDPR compliance issues, and helps clients manage risks related to the enforcement of global and European data protection laws. For more information, please contact Cédric Burton, Jan Dhont, Lydia Parnes, Christopher Olsen, or another member of the firm’s privacy and cybersecurity practice.
[1] Recommendation n° 01/2021, available in French at
https://www.autoriteprotectiondonnees.be/publications/recommandation-01-2021-du-1-decembre-2021.pdf and in Dutch at
[2] Art. 4.14 GDPR.
[3] Recommendation p. 14.
[4] Recommendation p. 14-15.
[5] Art. 2.2(c) GDPR.
[6] List of processing operations for which a DPIA should be carried out in accordance with Article 35.4 GDPR, available at https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-nr.-01-2019-van-16-januari-2019.pdf (in Dutch).