Uncertainties regarding the processing of biometric data persist; experts’ opinions on their processing differ
In recent months, the Office for Personal Data Protection (the “Office”) has attracted the attention of both the professional and non-professional public with its decisions or statements on the processing of biometric data, specifically in relation to dynamic biometric signature and attendance systems. As there are a number of open issues with regard to the new data protection legislation, the opinions and approaches of experts regarding the conditions under which data may be processed differ as well. What does the professional debate currently deal with?
The Office commented on the issue of biometric data processing in Opinion No. 2/2014 (dealing with dynamic biometric signature from the perspective of the original Data Protection Act) and Opinion No. 1/2017 (dealing with biometric identification and authentication of employees, which is an update of earlier Opinion No. 3/2009 on this topic). In relation to this opinion, in spring 2018, the Office issued a statement that with the effectiveness of the General Data Protection Regulation (the “GDPR”) the legal view of personal data processing technologies will have to be changed.
A quarter million penalty for breach of the data minimisation principle in concluding credit agreements
Nearly a year after the above-mentioned opinion had been updated, the Office issued a relatively controversial decision imposing a fine of CZK 250,000 on a branch of a foreign bank for breaching the data minimisation principle in concluding credit agreements with its clients using a dynamic biometric signature which was assessed by the Office as a collection of sensitive data. In this case, the Office concluded that the scanning of biometric signatures, despite the consent given by the client, is superfluous and for the purposes declared by the bank it is sufficient to record the image of the client’s signature.
The processing of sensitive data, referred to in the GDPR terminology as “special category data”, is generally prohibited, unless specific exceptions to this rule may be applied, which can be understood as specific legal titles whose application is generally more difficult than in the case of one of the legal titles pursuant to Art. 6 of the GDPR, on the basis of which the processing of “conventional” personal data may take place.
Debate topic no. 2: The Office’s comment on the proposed amendment to the Labour Code issued in June
Further debate was then triggered by the Office’s comment on the proposed amendment to the Labour Code from the end of June of this year. While the purpose of the amendment (which should also apply to the Employment Act) was to transpose the EU Directive on the assignment of workers in the framework of the provision of services, as one of the points of comment, the Office proposed to amend the Labour Code with a completely new and with the stated amendment unrelated provision in the Czech law to anchor the employer’s authorisation pursuant to Art. 9 (2) (b) of the GDPR, on the basis of which biometric data of employees could be processed (for the purpose of unique identifiers – see below) for the purpose of attendance systems. The question is whether the amendment proposed by the Office in the framework of the legislative process as a legislative rider has a chance to succeed. However, it is important that with the proposed amendment to the forthcoming amendment to the Labour Code, the Office indicated that from its legal point of view, the processing of employees’ biometric data (for the purpose of their unique identifiers) has currently no legal basis within attendance systems.
Unacceptable: Consent to data processing for the purpose of an attendance system
The Office concluded that the practice of employers collecting employees’ consents to the processing of personal data for the purpose of attendance systems is unacceptable. These are considered by both the European Data Protection Board and the Office a priori as unfree as a result of the employee’s dependent relationship with the employer; therefore, the legal title of explicit consent pursuant to Art. 9 (2) (a) of the GDPR is not applied.
The professional public expressed an opinion that the legal title of processing also includes the determination, exercise or defence of legal claims or the exercise of jurisdiction by the court (refer to Art. 9 (2) (f) of the GDPR). However, this legal title implies the commencement of a legal dispute (in this case, for example, a dispute over the presence of an employee at the workplace), i.e. it is inherently a secondary legal title which may only apply in certain situations. The processing must be based on a different legal title before the actual dispute arises. Moreover, if the Office acknowledged the latter legal title, the aforementioned amendment would have not been needed and it would have been sufficient to state that the practice of collecting consents is incorrect. In view of the above, the Office proposed just an amendment to the Labour Code, which, in its view, is intended to solve the “legislative gap” in the Czech law so that the processing of employees’ biometric data (for the purpose of attendance systems) can be based on the aforementioned Art. 9 (2) (b) of the GDPR (in simplified terms, it is a legal title of the performance of duties and an exercise of special rights of an administrator in the field of labour law).
Academics vs. professional public: Can biometric data be treated as any conventional data?
In addition to discussing the appropriate legal title, there is another open question (which, strangely, remains largely unnoticed abroad), i.e. the purpose of the texting of Art. 9 (1) of the GDPR as it only includes, in the special category data, those biometric data that are processed for the purpose of a unique identifier of an individual. Some academics and the professional public assign great importance to this formulation and interpret it from a purely linguistic point of view. Therefore, it appears that if biometric data are processed for “mere” authentication, Art. 9 does not need to be taken into consideration at all and biometric data can be treated as any conventional data and the processing can be based on one of the legal titles of Art. 6 of the GDPR since Art. 9 (1) refers only to identification and not authentication.
Such an approach, however, rather neglects the intended purpose of protecting biometric data as such and is particularly favourable from a business perspective, but not in terms of the protection of such data themselves. Indeed, if such data are leaked, the consequences will be equally negative, whether authentication (i.e. verification of the identity of an individual by comparing data 1:1) or identification (i.e. direct recognition of an individual by comparing data 1:n) takes place.
Consequently, there are a number of open questions on the issue of biometric data processing and the above text is only a brief outline of the current professional debate. It is expected that with the technological progress the issue of biometrics and the processing of these data will be increasingly addressed. We have no other choice but to hope that the current confusing situation and inconsistent interpretation will soon be clarified by the Office (or other authority) and the Office will thus fulfil its promise to issue a completely new opinion in which it will unambiguously comment on the current debate.
The article is part of dReport – September 2019, Legal news.