Regulation (EU) 2016/679 (GDPR or Regulation) is a complex and lengthy piece of legislation, which impacted all functions of organisations in the public and private sector like a bull in a china shop. Data Protection compliance specialists have spent the past two years redrafting privacy policies, records of processing, and personal data breach processes, among other documents.
Nonetheless, despite its length and complexity, the GDPR does not address all processing practices. In an attempt to regulate the use of new technologies that require extensive data processing practices, the EU legislator did not provide any legal coverage for some existing processing practices. One key example of this is the regime for the use of biometric data in the workplace.
The Legal Bit
The GDPR provides that any data processing, with no exceptions, can be initiated only if the data controller can identify one or more lawful ground(s) for processing such data. These lawful grounds are codified in Article 6 GDPR and include consent, contractual obligations, legal requirements, tasks in the public interest, and others.
An exception to this standard regime is represented by the processing of the so-called special categories of personal data (Article 9 GDPR). This sub-group of personal data roughly matches the old terminology of ‘sensitive data’. Under the GDPR, the processing of such data is prohibited, unless data controllers are able to identify and thoroughly justify the existence of one of the very few and strict exceptions to such prohibition. Such exceptions include the existence of explicit consent, the necessity to process such data for employment-law purposes, the requirement to fulfil a substantial public interest, and a few others.
Among the special categories of personal data, the GDPR includes biometric data used for the purpose of uniquely identifying a natural person. As per the Regulation’s explicit definition, biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images (i.e. facial recognition) or dactyloscopic data (i.e. fingerprints).
As a result, under the unified EU regime, biometric data can only be processed if
i) a valid lawful ground for processing ex Article 6 and
ii) a valid exception under Article 9 are identified.
The GDPR's lack of regulation on biometric data in the workplace
As one may imagine, Data Protection Authorities are less inclined to look favourably on poorly-considered data processing practices when special categories of personal data are concerned, and data controllers are rightfully updating their records of processing to justify the already-established practice of processing biometric data in the workplace.
In fact, the use of biometric data in the workplace is increasing, as it represents a quick and secure way to grant access to premises and authenticate employees. Fingerprint scanners, iris scanners, and facial recognition are deployed to open doors, unlock elevators, and to decrypt computers and files on a regular basis by big corporations and public organisations.
The pre-existing regime of the Directive 95/46/EC (Data Protection Directive) did not address this matter at all, and this is not surprising considering the year in which it was enacted. However, the GDPR’s silence on the matter is thunderous and even the Article 29 Working Party (now European Data Protection Board) failed to take a firm position on this matter in its Opinion 2/2017 on data processing at work.
In fact, while the identification of a lawful ground under Article 6 is not necessarily problematic, none of the given Article 9 exceptions seems to comfortably accommodate biometric data processing in the workplace.
If one excludes the ostensibly inapplicable exceptions, such as the protection of vital interests (letter c), membership (d), manifestly public data (e), health and occupational medicine (h), public health (i), archiving purposes (j), the only remaining applicable exceptions seem to be consent (a), employment law (b), legal claims (f), and substantial public interest (g).
It is hard to see explicit consent as a solid lawful ground for data processing in employment relationships, given the disparity in the parties’ negotiating power. The legal claims exception is also difficult to apply, because this justification, if accepted, would represent a very wide opening towards the use of such data. Substantial public interest is also a candidate, but the GDPR underlines that this must be ‘substantial’, which raises the threshold for organisations. Employment law is a good candidate, but the GDPR requires that national law regulates the processing of special categories of data for employment purposes.
The reason for the GDPR abstaining from regulating these matters lies in the purpose of the provisions on special categories of data. With the prohibition of processing special categories of data, the legislators aimed at preventing organisations from misusing highly sensitive information, such as in the case of large-scale processing of health data, and biometric monitoring by law enforcement.
The French proposal
To address this silence, national lawmakers and Data Protection Authorities have started covering the matter in their draft guidance and decisions.
The new text of the French data protection law (which completes and implements certain parts of the GDPR) provides that biometric access and device control at work can be used by employers provided that they comply with the yet-to-be-issued French Data Protection Authority (CNIL) standard regulation. The CNIL recently launched a public consultation on a draft text that would allow employers to do so.
According to the draft, biometric controls would be restricted to premises access and device control by the employee, and the data controller would be required to document and justify fully and thoroughly why they consider such elevated security measures to be strictly necessary (giving examples such as locking the doors of rooms where dangerous chemicals and medicines are stored).
In addition, further restrictions are provided as to the retention schedules of such data (3 months), and data controllers must ensure that strong security measures and default processes are adopted to protect the stored biometric data, and that alternatives to biometric access are provided in particular circumstances.
Finally, the CNIL proposes that employing these systems requires a compulsory data protection impact assessment (DPIA), and that the records of processing clearly document the justifications for such a sensitive processing.
The UK and Irish laws
To date, neither the new British nor the new Irish Data Protection Laws include specific provisions on the use of biometrics in the workplace. The UK Data Protection Act 2018 makes a reference to the processing of special categories of data in the workplace in compliance with national employment laws and regulations, but it stops short of referring to any specific rules. Both the Information Commissioner’s Office (UK) and the Data Protection Commission (IE) have yet to tackle this issue at the time of writing. General guidance on the processing of special categories of data is being drafted by the ICO, and we expect the DPC to update its outdated online guidance in the medium term.
What to do in the short term
Though the GDPR lacks a clear provision that specifically applies to the processing of biometric data in the workplace, it does not mean that organisations should switch off their fingerprint scanners at once.
The aim of the GDPR is to regulate, not prohibit, technology-driven data processing. The use of biometric systems is skyrocketing, and while the GDPR does not aim to stop this, it still aims at ensuring that this use is proportionate, and that adequate checks and balances are in place.
Data Protection Authorities and, most relevantly, the European Data Protection Board will soon tackle the GDPR's silence and issue opinions and declarations to guide data controllers in their assessment of the best applicable exception under Article 9 GDPR.
In the meantime, organisations should duly assess whether their processing of special categories of data is adequately justified, by assessing the proportionality of the biometric systems in use in relation to the stated purposes of this data processing. To this end, the French initiative is a good example of the approach that organisations may expect from supervisory authorities in the UK and Ireland, and aligning their assessment with the French requirements may make the final adaptation to the UK and Irish approaches simpler and faster.
For more information visit Trilateral Data Governance page and contact our team.