In recent years, the Spanish Data Protection Agency has issued several opinions on the processing of biometric data for various purposes, but only once has it imposed a sanction because it considered such processing to be unlawful. Here we look at the evolution of its thinking on this issue.
The Spanish Supervisory Authority for data protection matters, the Agencia Española de Protección de Datos (AEPD), is one of the most active EU supervisory authorities, with fines in 2022 amounting to 40.2% of those imposed in the European Economic Area.
Some of these sanctions were related to the use of biometric technology, which has also been the subject of multiple reports in which the AEPD analysed compliance with data protection regulations in different use cases. The most relevant of these pronouncements are the following:
- Report 0047/2021 in relation to facial recognition in the customer registration process for identity verification for compliance with anti-money laundering regulations and fraud prevention purposes.
- Report 36/2020 on the use of facial recognition techniques in online tests to facilitate the task of identifying students.
- Report 10308/2019 on the implementation of facial recognition systems in video surveillance services to improve the security of facilities.
- Report 0098/2022 on the installation of facial recognition systems by sports clubs for the control of access to the supporters' stands to enable the unique identification of entering supporters.
- Sanctioning procedure PS/00218/2021 concerning the use of a facial recognition system to record working time.
- Sanctioning procedure PS/00120/2021 in relation to the implementation of a facial recognition system in a supermarket chain to detect individuals with restraining orders against the company or its employees.
The reasoning followed by the AEPD in these pronouncements is generally consistent and follows the same steps. First, the AEPD analyses whether the personal data processed in the specific case is to be considered biometric data under Article 4(14) GDPR. In this regard, the AEPD highlights that the following aspects should be considered: (i) the nature of the data, as it must be data relating to the physical, physiological or behavioural characteristics of a natural person; (ii) the means and ways of processing, as the data must be “obtained from a specific technical processing”, meaning that, for example, a mere image of a person cannot be systematically considered as special category data; and (iii) the purpose of the processing, as the data must be processed to uniquely identify natural persons.
Next, it determines whether the biometric data processed is special category data pursuant to Article 9(1) GDPR.
At this point, it should be noted that there has been a recent shift in the AEPD's approach. Until its Report 0098/2022, published in January 2023, it maintained that since Article 9(1) GDPR, when listing special category data, refers to biometric data "intended to uniquely identify a natural person", biometric data is not special category data by nature, and that such classification depended on the use or context in which it was processed, the techniques used for its processing, and the resulting interference with the right to data protection (as explained in PS/00218/2021).
In order to determine which biometric data was special category data, the AEPD referred to the distinction between biometric identification and biometric authentication or verification, as established by the Article 29 Working Party in its Opinion 3/2012 on the development of biometric technologies. Therefore, when biometric data was used for identification (1:N), i.e. the biometric template of an individual was compared with a set of biometric templates in a database, such biometric data would be considered special category data. Alternatively, where the biometric data was used in a one-to-one (1:1) authentication process, where an individual's biometric data is compared to their previously stored biometric template, this data would be deemed non-special category biometric data and therefore Article 9 GDPR would not apply to its processing.
This interpretation was followed by the AEPD until its Report 0098/2022, when it considered the European Data Protection Board's Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement, which were then in the consultation phase. Here, the EDPB stated that both functions (authentication and identification) relate to the processing of biometric data of an identified or identifiable natural person and therefore constitute processing of special category data.
Against this background, the AEPD consequently stated that, if this view was maintained at the time of the final adoption of Guidelines 05/2022, it would review its interpretation to align it with the EDPB's. Guidelines 05/2022 were duly adopted on 26 April 2023, so from that date the AEPD's position has been that the processing of biometric data, in both authentication and identification cases, involves the processing of special category data.
Continuing with the steps generally followed by the AEPD in its pronouncements, once the classification of biometric data as special category data has been established, the AEPD analyses the lawfulness of the processing, i.e. whether a lawful basis among those listed in Article 6 GDPR applies, and whether an exception to the prohibition on processing of special category data under Article 9(2) applies.
Regarding the applicability of an Article 9 exception, organisations have tended to rely on the condition that the processing was necessary for reasons of substantial public interest, or that the processing was necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
Where substantial public interest was invoked, the AEPD broke down its analysis to establish the following requirements for the application of such an exception:
- The substantial public interest must be provided for in a rule of European law or a national regulation with the status of law, which must respect the principle of proportionality.
- Such law must specify (i) the substantial public interest that justifies the limitation of the right to the protection of personal data, (ii) the circumstances in which it may be limited, and (iii) the precise rules that make the imposition of such a limitation and its consequences foreseeable for the data subject.
- This law must also include appropriate technical, organisational and procedural safeguards to prevent risks of varying likelihood and severity and to mitigate their effects.
This exception was relied upon by several companies, which argued that Spanish legislation provided for it (among others, anti-money laundering legislation and private security legislation). Nonetheless, the AEPD concluded that none of the laws cited by data controllers met the above requirements to be considered as a basis for the substantial public interest exception.
Another exception for the processing of biometric data that has been argued before the AEPD has been that the processing is necessary for the purpose of carrying out the controller’s obligations in the field of employment (Article 9(2)(b)). This was the case in the sanctioning procedure PS/00218/2021, which concerned a company that required its employees to record their working hours using a facial recognition system. The company argued that the recording of working hours was a legal obligation under Spanish labour law, and therefore Article 9(2)(b) applied. In this regard, the AEPD noted that the following requirements must be considered for the application of this exception:
- The processing of special category data must be necessary to comply with the legal obligation,
- The processing must be authorised by European or Member State law, or by a collective agreement under Member State law, and
- Such law or collective agreement must provide appropriate safeguards for the fundamental rights and the interests of the data subject.
Considering the above, the AEPD concluded that the Spanish regulation requiring the recording of working hours did not meet these requirements, and therefore Article 9(2)(b) did not apply.
The AEPD consequently concluded that the only exception suitable for these cases was explicit consent (Article 9(2)(a)), following the conditions for valid consent set out in Article 4.
Notwithstanding the many statements made by the AEPD on the processing of biometric data, it should be noted that to date, the AEPD has only once imposed an economic sanction for a breach of Article 9 GDPR in relation to the processing of biometric data.
This was in PS/00120/2021, where the implementation of a system in a large Spanish supermarket chain that used facial recognition to detect individuals with restraining orders against the company or its employees resulted in an initial fine of €3.15m (subsequently reduced to €2.52m), of which €2m corresponded to the infringement of Articles 6 and 9 GDPR.
In the remaining cases where the AEPD analysed the processing of biometric data in enforcement proceedings, it concluded that the sanctionable infringement was the failure to carry out a Data Protection Impact Assessment.
Overall, as evidenced by some of its most relevant pronouncements, the AEPD has historically been reluctant to consider the processing of biometric data as lawful unless the explicit consent of the data subject has been obtained, which limits its potential use in practice. It will be important to monitor future pronouncements from this authority to confirm whether it will continue to follow this trend, particularly in light of its recent change of position on the issue of what constitutes special category biometric data.
This article was written by Elena Peña at our partnered law firm ECIJA.