The application of biometrics is omnipresent, from unlocking phones or accessing voice assistants like Siri and Alexa, to the user’s palm or iris reading for benefitting e-government services or clearing airport security. Its steadily growing penetration and vulnerability to abuse has led lawmakers worldwide to enact rules and regulations for businesses to comprehend the risks associated with its processing.

Used in computer science as a form of identification and access control, biometrics encompass a person’s physiological or behavioral characteristics that can be used to label and describe individuals. A sensitive category of personal data, physiological biometrics are measurements unique to a person’s physical characteristics, such as fingerprints, palmprints, voiceprints; facial, retinal, or iris scans, etc. Behavioral biometrics pertain to a person's specific movements and actions or even thought patterns.

Data collected through biometric technologies such as facial recognition or fingerprint scanners make the biometrics. As biometrics prove to be a great tool for mass surveillance, both private and government bodies in countries like the US and the UK have expanded the scope of indoor and outdoor surveillance, which has raised a lot of privacy concerns and a need for biometric law around collection and usage of biometric data.

Biometrics under the GDPR

General Data Protection Regulation (GDPR) addresses biometric data as “personal data resulting from specific technical processing relating to the physiological or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or fingerprint data.”

GDPR classifies biometrics as a special category of personal data and restrains its processing in general for the purpose of uniquely identifying natural persons. However, GDPR does allow the processing of sensitive personal information (and so the biometrics):

• Provided an explicit consent for processing is obtained from the data subject.

• Processing is necessary for the performance of specific contracts.

• Where the processing is necessary for reasons of substantial public interest, as stated under Article 9 (2).

In addition to the above legal requirements, GDPR also mandates data controllers and processors to conduct a DPIA (data protection impact assessment) in case the processing of sensitive personal data may likely result in a high risk to the rights and freedoms of data subjects.

Recent cases involving collection and usage of biometric data under GDPR have clarified many grey zones.

• The Swedish DPA in 2019 fined a school with EUR 20,000 for its use of facial recognition technology that violated the GDPR. The DPA found the school’s method of filming the students for registering attendance too intrusive and lacking a valid reason. Even though the school had obtained parental consent to use facial recognition technology, the DPA found their consent defective and rather ‘forced’ due to the imbalance of power between the school and the parents. This case transpires that businesses in all cases possible should obtain data through less-intrusive means (such as sign in sheet) in exchange for biometrics.

• In 2020, a school in Poland was fined EUR 4,600 for processing students’ fingerprint data to verify whether they had paid for the lunch. The Poland’s Personal Data Protection Office (UODO) found the school violating the GDPR, for the method was “without a legal basis.” The students who opted for biometric systems received their lunches before those who opted not to use the system. While parental consent was obtained to carry out the biometric ID program, the UODO found that the system was “not essential for achieving the goal of identifying a child’s entitlement to receive lunch.” UODO issued a fine against the school because the grounds for processing biometrics was not proportionate with the interests of the data subjects.

• The Dutch DPA in 2020 issued a EUR 750,000 fine against a company for unlawful processing of employees’ fingerprints for attendance taking and time registration purposes. The DPA found that the processing was unnecessary and disproportionate. Moreover, the company lacked valid legal grounds and the purpose for processing biometrics did not qualify the exemptions stated under the