Use of biometric data: Assessment from a data protection perspective

The GDPR is aimed at the adequacy of processing. The technologies used in the processing are part of the nature of the processing and the processing is defined by its purposes, which must be specified, explicit and legitimate.

Biometric technologies are not processing operations in themselves, but a means to carry out operations within a processing operation, which will have a well-defined ultimate purpose.

One (or more) biometric technology can be used in the framework of a processing operation to implement different purposes within the processing operation:

• Detection of human beings
• Detection of a face or other anatomical feature
• Evaluation of patterns and behaviours
• Profiling, classification, and decision making
• Authentication
• Identification
• Tracking of individuals

The order shown above could be ranked from least to most intrusive operations or with the most impact on subjects' rights.

The legal framework for biometric operations will depend on data protection regulations, specific regulations on biometrics and also the sectoral regulations that are applicable to the controller and the specific processing.

This may entail enabling or restricting the use of biometric operations, as well as additional obligations (e.g. they may require the performance of a DPIA), as well as the legal validity of their results.

The greater the scope of the processing in which the biometric operation is included, in relation to the number of subjects affected, the volume of biometric parameters used, the geographical extension, the duration in time of the processing, biometric data collection rate or the data retention period, among others, the greater the impact it may have on the individuals.

In particular, it is necessary to take into account the extent in relation to the categories of data subjects concerned, taking into account the typology of the data subjects, for example, when applying to vulnerable groups (minors, elderly, sick, migrants, refugees, etc.), taking into account the possibility that they may be opposed to the biometric operation and that this may be adequate.

Qualified human intervention is an additional guarantee for resolution of problems related to the biometric operation, as well as for immediate identification of biases.

In addition, certain biometric features allow for easier detection by a human of exposure attacks, such as facial recognition, than others, e.g. the iris, where it is more difficult to recognize a manipulation.

On the other hand, if the processing has legal effects on the data subject or significantly affects the data subject and the result of the biometric operation, Art. 22 GDPR provides for additional prohibitions and safeguards, including possible qualified human intervention.

In this way, the degree of qualified human involvement in the biometric operation diminishes some of the risks inherent in this operation.

Some biometric techniques could or do process special categories of data beyond their possible involvement in identification and authentication processes.

In that case, a cause for lifting the prohibition will have to be determined for each of the special categories of data referred to in Article 9 of the GDPR, on which a processing operation is intended to be carried out. If there is no cause for lifting the prohibition laid down in Article 9.1 of the GDPR for each of the categories of data processed, the processing will not only be intrusive, but also prohibited.

The collection of data for biometric processing in a data processing, can take place in one of two extreme situations:

• Data collection is done consciously by the individual, and even requires a positive action from the individual to initiate biometric data processing
• Or, at the other extreme, the individual is not aware that biometric information is being taken, nor what kind of data, nor when, nor requiring any positive action from the individual

The latter case is the most intrusive to the individual's privacy.

The processing may be designed so that the biometric procedure is an option which the data subject can choose freely, specifically, informed and unequivocally. In particular, if the submission to a biometric operation requires a positive and conscious action by the data subject.

To the extent that these conditions are not actually met, the processing will become more and more intrusive.

The biometric technique used in the processing has to meet the performance parameters appropriate to the context in which the data processing is deployed.

The accuracy associated with relative biometric features or techniques varies, as well as the performance of different implementations and the peculiarities of each context. The latter need to be assessed throughout the life of the data processing, especially before deployment by having the necessary tests, audits and/or certifications in the specific data processing context provided that the implemented biometrics allow the purpose of the data processing to be fulfilled.

To the extent that a lack of accuracy of the data obtained in relation to the biometric operation such as profiling biases, incorrect identifications, identity theft, discrimination in segments of the population (elderly, disabled, racial types, sick, ...), denial of access to services due to errors in the capture of the data, etc.; the greater the intrusion that the operation causes in the rights of the data subjects, the greater the intrusion that the operation causes in the rights of the data subjects.

Not all biometric technologies, nor all specific implementations of a technology, process the same amount of personal data or process the same number of physical aspects of the data subject.

In that sense, the biometric operation needs to be adapted to the purpose of the processing. For example, if the purpose of the processing is only to determine that a human exists or to find a random face, it is not necessary to use a biometric operation with such a granularity that it allows identification (that is able to distinguish between two faces or two humans).

Some techniques, depending on how they are implemented, may reveal information about the subject (e.g., emotional state, race, health, ...) that goes beyond the purpose of the processing.

The use of multibiometrics, which aims to improve accuracy, may involve taking excessive additional data on individuals contrary to the minimization principle required by Article 25.2 of the GDPR.

Finally, some processing operations combine biometric data with other types of personal data, which may result in excessive data collection in relation to the purpose of the data processing.

Different means can be used to achieve the purpose of a data processing, and biometrics can be one of them.

It needs to be assessed whether biometric operations are really necessary to achieve its the purpose and whether other less intrusive means cannot be used. Therefore, performance metrics required in the processing should be defined, and assessment of the suitability of the different options, including biometrics, should be done regarding such requirements.

In a simplified way, a biometric process can involve the collection of a physical characteristic (e.g., face), its processing with a biometric analysis machine, and its storage or comparison with an already stored biometric pattern.

If the last two are done by the controller (or third parties) we would have the configuration with less user control. Another situation could occur if the biometric pattern is stored by the user (e.g., on a card), and only the process of analyzing the characteristic against the pattern is performed outside the user's control. The least intrusive form appears when all three elements are controlled by the user (e.g. match-on-card) and the output to the controller or third parties is only a yes or no match.

The reality of technology is that every day new technological or social engineering ways of generating vulnerabilities appear.

In the framework of the processing where the biometric operation is located, it is necessary to consider breach scenarios, and to determine the impact that a personal data breach derived from the use of biometric techniques may have on the rights and freedoms of data subjects.

These can result in the filtering or loss of biometric patterns, spoofing of stored patterns, intrusion into the biometric analysis system and its results, by-pass of communication between subsystems, denial of service attacks, discontinuity of third-party services, etc. All scenarios must be analyzed independently of the estimated probability of their materialization and measuring the degree of intrusion they may cause to rights and freedoms.

Likewise, it is necessary to know the reality of what breaches are already occurring and which could determine the inadequacy of biometric technique or biometrics in general. This implies a continuous assessment of the processing according to the events that are occurring.