On August 18, 2023, the UK Information Commissioner’s Office (“ICO”) issued guidance for public consultation (available here) explaining how the UK GDPR applies when biometric data is used in biometric recognition systems (“Guidance”) for the purpose of identifying an individual (“Who is this person?”) and verifying their identity (“Is this person who they claim to be?”).
Biometric recognition systems are mostly used for access control verification, replacing the use of passwords and swipe cards. However, such biometric recognition systems are also used to authenticate an individual’s identity, for example through a remote authentication process (e.g., requiring customers to upload a scan of an official photo identity document, such as a passport, together with another photo of themselves, allowing the company to compare the two images to confirm that they are of the same person). This remote authentication process involves the processing of special category biometric data, as detailed below.
As provided under the UK GDPR, personal data is considered biometric data where all three of the following criteria are met:
1. The data relate to someone’s behavior, appearance, or observable characteristics (e.g., the way someone types, a person’s voice, fingerprints, or face, gaze analysis (eye tracking), etc.);
2. The data have been extracted or further analyzed using technology (e.g., an audio recording of someone talking is analyzed with specific software to detect things like tone, pitch, accents and inflections). This means that merely using a digital photograph is not enough: photographs are covered by the definition of biometric data only when processed through a specific technical means that allows the unique identification of an individual; and
3. The data can uniquely identify the person it relates to. Where it is possible to identify someone, even if this is not the intention, this part of the definition will be met.
Further, where biometric data is used for the purpose of uniquely identifying an individual (i.e., using a biometric recognition system), such data is also special category biometric data as provided under Article 9 UK GDPR. Note that even if comparing a biometric template against another template did not result in a match, such a comparison is still considered processing of special category biometric data. If, at any stage, processing biometric data requires the unique identification of an individual, then you are processing special category data.
The Guidance provides the following example: where an organization can identify a staff member from an audio recording, even if they did not state their name, the recording is personal data; however, it is not biometric data, as the personal data did not result from specific technical processing of the staff member’s voice. By contrast, where the same organization uses a voice recognition system to transcribe audio recordings and attribute what was said to particular people who attend the meetings, such audio recordings are biometric data, as this involves enrolling all meeting attendees onto the system to create a biometric template of their speech patterns and comparing the recordings against these stored templates. Further, as the organization processes the biometric data for the purpose of uniquely identifying the attendees, it is also special category biometric data.
Using a biometric recognition system on a large scale, for the purpose of monitoring a publicly accessible area, or where the processing includes a high-risk operation as provided by the ICO here, requires organizations to conduct a Data Protection Impact Assessment (“DPIA”) (a draft initial assessment is available here).
Further, as provided under Article 9 UK GDPR, processing special category biometric data will, in most cases, require the controller to establish explicit consent. In cases where such consent may not be freely given (this is particularly an issue for public authorities and employers), controllers must offer a suitable alternative to people who choose not to consent. Moreover, as provided under Article 22 UK GDPR, and as most biometric recognition systems inherently involve making solely automated decisions about people, such decisions require explicit consent.
In addition, as biometric recognition systems are designed to detect physical characteristics, they are susceptible to bias and discrimination. Therefore, organizations must assess whether the system is likely to have a discriminatory impact on people, and comply with the fairness principle.
The second phase of this Guidance (biometric classification and data protection) will include a call for evidence early next year. The public consultation will run until 20 October 2023.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as setting out binding legal advice but rather as a practical overview that is based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
APM Technology and Regulation Team.