Uncertainties regarding the processing of biometric data persist; experts’ opinions on their processing differ

In recent months, the Office for Personal Data Protection (the “Office”) has attracted the attention of both the professional and non-professional public with its decisions or statements on the processing of biometric data, specifically in relation to dynamic biometric signature and attendance systems. As there are a number of open issues with regard to the new data protection legislation, the opinions and approaches of experts regarding the conditions under which data may be processed differ as well. What does the professional debate currently deal with?

The Office commented on the issue of biometric data processing in Opinion No. 2/2014 (dealing with dynamic biometric signature from the perspective of the original Data Protection Act) and Opinion No. 1/2017 (dealing with biometric identification and authentication of employees, which is an update of earlier Opinion No. 3/2009 on this topic). In relation to this opinion, in spring 2018, the Office issued a statement that with the effectiveness of the General Data Protection Regulation (the “GDPR”) the legal view of personal data processing technologies will have to be changed.

A quarter million penalty for breach of the data minimisation principle in concluding credit agreements

Nearly a year after the above-mentioned opinion had been updated, the Office issued a relatively controversial decision imposing a fine of CZK 250,000 on a branch of a foreign bank for breaching the data minimisation principle in concluding credit agreements with its clients using a dynamic biometric signature which was assessed by the Office as a collection of sensitive data. In this case, the Office concluded that the scanning of biometric signatures, despite the consent given by the client, is superfluous and for the purposes declared by the bank it is sufficient to record the image of the client’s signature.

The processing of sensitive data, referred to in GDPR terminology as “special category data”, is generally prohibited unless one of the specific exceptions to this rule applies. These exceptions can be understood as specific legal titles that are generally more difficult to apply than the legal titles pursuant to Art. 6 of the GDPR, on the basis of which “conventional” personal data may be processed.

Debate topic no. 2: The Office’s comment on the proposed amendment to the Labour Code issued in June

Further debate was then triggered by the Office’s comment on the proposed amendment to the Labour Code from the end of June of this year. The purpose of the amendment (which should also apply to the Employment Act) was to transpose the EU Directive on the assignment of workers in the framework of the provision of services. As one of its points of comment, however, the Office proposed adding to the Labour Code a completely new provision, unrelated to the amendment itself, that would anchor in Czech law the employer’s authorisation pursuant to Art. 9 (2) (b) of the GDPR, on the basis of which biometric data of employees could be processed (for the purpose of unique identifiers – see below) for the purpose of attendance systems. The question is whether this proposal, introduced by the Office into the legislative process as a legislative rider, has a chance to succeed. What matters, however, is that by proposing it the Office indicated that, from its legal point of view, the processing of employees’ biometric data (for the purpose of their unique identifiers) within attendance systems currently has no legal basis.

Unacceptable: Consent to data processing for the purpose of an attendance system

The Office concluded that the practice of employers collecting employees’ consents to the processing of personal data for the purpose of attendance systems is unacceptable. Both the European Data Protection Board and the Office consider such consents a priori not freely given because of the employee’s dependent relationship with the employer; therefore, the legal title of explicit consent pursuant to Art. 9 (2) (a) of the GDPR does not apply.

The professional public expressed an opinion that the legal title of processing also includes the determination, exercise or defence of legal claims or the exercise of jurisdiction by the court (refer to Art. 9 (2) (f) of the GDPR). However, this legal title implies the commencement of a legal dispute (in this case, for example, a dispute over the presence of an employee at the workplace), i.e. it is inherently a secondary legal title which may only apply in certain situations. The processing must be based on a different legal title before the actual dispute arises. Moreover, if the Office acknowledged the latter legal title, the aforementioned amendment would not have been needed and it would have been sufficient to state that the practice of collecting consents is incorrect. In view of the above, the Office instead proposed an amendment to the Labour Code which, in its view, is intended to close the “legislative gap” in Czech law so that the processing of employees’ biometric data (for the purpose of attendance systems) can be based on the aforementioned Art. 9 (2) (b) of the GDPR (in simplified terms, the legal title of the performance of duties and the exercise of special rights of an administrator in the field of labour law).

Academics vs. professional public: Can biometric data be treated as any conventional data?

In addition to the discussion of the appropriate legal title, there is another open question (which, strangely, remains largely unnoticed abroad): the purpose of the wording of Art. 9 (1) of the GDPR, which includes in the special category data only those biometric data that are processed for the purpose of a unique identifier of an individual. Some academics and the professional public assign great importance to this formulation and interpret it from a purely linguistic point of view. On that reading, if biometric data are processed for “mere” authentication, Art. 9 does not need to be taken into consideration at all; biometric data can be treated as any conventional data and the processing can be based on one of the legal titles of Art. 6 of the GDPR, since Art. 9 (1) refers only to identification and not authentication.

Such an approach, however, rather neglects the intended purpose of protecting biometric data as such and is particularly favourable from a business perspective, but not in terms of the protection of such data themselves. Indeed, if such data are leaked, the consequences will be equally negative, whether authentication (i.e. verification of the identity of an individual by comparing data 1:1) or identification (i.e. direct recognition of an individual by comparing data 1:n) takes place.

Consequently, there are a number of open questions on the issue of biometric data processing and the above text is only a brief outline of the current professional debate. It is expected that with the technological progress the issue of biometrics and the processing of these data will be increasingly addressed. We have no other choice but to hope that the current confusing situation and inconsistent interpretation will soon be clarified by the Office (or other authority) and the Office will thus fulfil its promise to issue a completely new opinion in which it will unambiguously comment on the current debate.

The article is part of dReport – September 2019, Legal news.
