The use of biometric data in an employment context is increasingly popular and seems to be becoming a "quick-fix" modern security or fraud prevention solution. The growing use of biometric data for personal purposes (e.g. to unlock smartphone functions) seems to have increased the perceived acceptance of biometric data. Data controllers should be aware, however, that the processing of biometric data may expose them to significant risks in the event of a data breach.
This has been painfully demonstrated by two Israeli researchers who discovered that they were able to access a database containing the fingerprints of over 1 million people and facial recognition data that the security company Suprema managed on behalf of its clients across the globe (including the UK Metropolitan Police, defence contractors and banks). These researchers also showed that they were able to tamper with this data, adding their own fingerprints to existing users or adding new users. Although it is uncertain whether the unsecured biometric data was in fact maliciously accessed and used, the major concern is that, unlike passwords, biometric data cannot be reset following a leak, which makes the risk very difficult to mitigate.
It is no surprise therefore that the processing of biometric data is subject to significant legal thresholds under data protection law (in particular the General Data Protection Regulation or "GDPR") which are particularly difficult to comply with in an employment context.
This is illustrated by a ruling of the Court of Amsterdam (ruling of 12 August 2019) concerning the use of a biometric (fingerprint) based authorisation system for employee cash access and time registration.
The shoe retailer Manfield (the "employer") unilaterally rolled out a fingerprint-based authorisation system to control employee access to the cashier system. This system replaced the former personal-code-based access system. The employer claimed to have a company interest:
to prevent fraud and theft by employees;
to protect sensitive personal data accessible via the cashier system (i.e. financial data and personal data of employees and customers).
Later on, the employer also admitted to using the system for time registration purposes.
The employer argued that, as a data controller, it is required to implement appropriate technical and organisational measures (pursuant to article 32.1 GDPR). In this respect, the former personal code based system was considered no longer appropriate in the current time frame and risked being circumvented or hacked.
In addition, the employer stated that the use of biometric data is becoming generally accepted and that it is widely used, e.g. to access smartphone functions.
An employee refused to provide her fingerprint stating that the imposed system infringed her data protection rights.
What does the GDPR say about the processing of biometric data?
Article 9.1. of the GDPR includes biometric data as a "special category of personal data" for which the processing is in principle forbidden.
Are there any legal exceptions to this rule that might be relevant in the employment context?
Yes, article 9.2. includes limited exceptions to this principle prohibition, including where the data subject has explicitly consented to the processing (article 9.2. (a) GDPR).
Note: In order for consent to be valid, the GDPR requires it to be "freely given, specific, informed and unambiguous" (article 4 (11) GDPR). The data subject should also have the right to withdraw their consent at any time (article 7.3. GDPR). The threshold for valid consent is particularly difficult to meet in an employment relationship, where there is an (inherent) relation of subordination between the employer and its employee. In particular, employees might fear retaliation and feel pressured to consent, in which case consent would not be valid under data protection law.
Article 9.2. includes other exceptions that might be relevant as well, such as the case where the processing is necessary to protect the vital interests of the data subject (article 9.2. (c) GDPR) (e.g. medical emergencies); where the processing relates to personal data which are manifestly made public by the data subject (article 9.2. (e) GDPR) or where the processing is necessary for the establishment, exercise or defence of legal claims (article 9.2. (f) GDPR). The application of any of these additional exceptions is subject to very strict conditions which will typically require a case-by-case analysis.
In addition, article 9.2. (b) GDPR allows member states to include additional national exceptions in the employment context where the "processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject".
The Netherlands have introduced a national exception on the basis of this article 9.2. (b) GDPR in article 29 of the Dutch Act in execution of the GDPR, i.e. "where the processing is necessary for authentication or security purposes". This exception was introduced to meet the concern that the processing of biometric data of employees may be justified in cases where valid consent cannot be obtained (e.g. because the measure is imposed unilaterally and the employees have no choice/alternative). This national exception is subject to a high threshold however and should be interpreted narrowly. In particular the parliamentary documents refer to situations where access is required to be "(very) restrictive", illustrating this with the example of power plants. Finally, the processing must also be proportionate.
It is important for controllers to note that, even where the processing of biometric data would meet the requirements of article 32 GDPR in a given circumstance, controllers will always and first of all need to determine whether the processing of biometric data is authorised pursuant to articles 6 and 9 GDPR.
In the case at hand, the processing of biometric data of employees was imposed unilaterally (the employees had no alternative) so consent could not be relied on as a lawful ground.
The national exception in the Dutch Data Protection Act, i.e. where the processing is necessary for authentication or security purposes, could not be relied on either:
the company interest (i.e. to prevent fraud and theft by employees) does not qualify as "necessary for authentication purposes" (referring to the high-threshold example of nuclear plants);
the processing is not proportionate since no other security measures were available in the shop, i.e. no entrance/exit alarms, no safe deposit and no camera surveillance;
the employer has insufficiently demonstrated why other less privacy intrusive systems were not considered, for instance a combination of an access card and a personal code.
The Court decided that the employer could not impose the fingerprint-based authorisation system because, in the given circumstances, this infringes the GDPR as well as the Dutch Data Protection Act.
Conclusion and initial guidelines
The requirement for employers-data controllers to implement appropriate technical and organisational measures (article 32.1 GDPR) cannot be "quick-fixed" by introducing biometric data based systems across the board. Employers will need to be very cautious about the legal requirements and risks and meticulously apply the data protection principles in this regard.
As a first step, employers should look into alternative measures that simply do not require the processing of biometric data but which might attain the same envisaged purpose in a less intrusive manner (i.e. which are more appropriate). In this respect, employers should definitely consider combining various less invasive solutions to achieve a specific purpose, e.g. a combination of both a personal access code and a personal badge to protect the local shop's cashier system from theft. As this may not always be a straightforward exercise, employers are advised to thoroughly document this assessment, their reasoning and its outcome.
If the processing of biometric data still seems more appropriate to achieve the envisaged purpose, employers need to carefully assess the lawfulness of the processing of biometric data under articles 6 and 9.2. GDPR.
(Explicit) consent can typically not be relied on as a lawful ground for processing of biometric data in an employment context. As already mentioned, it is generally difficult to obtain valid (freely given) consent in an employment context because of the inherent relation of subordination. Moreover, assuming employees would indeed be able to freely consent (or not), a situation in which a certain percentage of employees do not consent to the processing of their biometric data will typically not allow the employer to achieve its intended purpose (e.g. if the measure is motivated by security concerns, it is important that it applies to all employees).
Article 9.2. GDPR includes other exceptions that allow the processing of biometric data and employers should check if any of these can be applied in the case at hand. Employers might for instance rely on article 9.2. (b) to process biometric personal data under e.g. national social protection law, article 9.2. (f) to defend the company-employer against a legal claim before a national court or article 9.2. (g) in case the processing is justified by substantial public interest under applicable Member State Law. In case national exceptions exist in execution of article 9.2. GDPR, both the letter and spirit of these exceptions (in conjunction with the GDPR) must be respected.
In the absence of applicable exceptions under article 9.2. GDPR or national data protection law, consent may seem the only remaining option for employers. In limited cases consent may be relied upon as a lawful basis, provided that the employer can offer employees alternatives and reliable reassurance that there will be no retaliation if they do not wish to consent. If employees feel in any way forced to consent, consent will not be valid and consequently the processing will be unlawful.
In addition, controllers should also consider the need to carry out a data protection impact assessment for their processing of biometric personal data as this is likely to result in "high risks to the rights and freedoms of natural persons". It is important to note that pursuant to article 35.3. (b) GDPR the large scale processing of special categories of personal data (i.e. including biometric data) will in any case require a data protection impact assessment. On top of this, national supervisory authorities have also drafted country-specific lists of processing activities that require a data protection impact assessment and controllers should be aware that the processing of biometric data will for many countries trigger this requirement. In any case, it would always be most prudent and diligent for controllers to carry out a data protection impact assessment whenever biometric data are involved in processing activities.
The compliance with other requirements of data protection law must be considered as well. This includes e.g. compliance with:
The transparency requirement, e.g. are the data subjects/employees sufficiently informed of the biometric data processing and their rights under data protection law?
The data minimisation requirement, i.e. is the processing of biometric data "adequate, relevant and limited" to what is necessary for the purpose of e.g. a modest grocery shop's security requirements; and
The data retention requirement, i.e. have we limited the retention of biometric data in a form which permits identification of data subjects (e.g. "this fingerprint belongs to person X") to what is necessary for the purposes for which the personal data are processed. E.g. the biometric personal data of person X is deleted or anonymized one week after it was processed.
In its Opinion 3/2012 on developments in biometric technologies (dated 27 April 2012), the Article 29 Working Party (the predecessor of the EDPB) strongly advised against centralised storage of biometric data, as such a system typically has the weakness of offering a single point of attack. While recognising that, for specific purposes and in the presence of objective needs, a centralised database of biometric data might be considered admissible, the use of encrypted templates on media held exclusively by the data subject (i.e. smart cards or similar devices) is considered generally preferable. In such a case, a specific encryption key for the reader devices should be used as an effective safeguard to protect the biometric personal data from unauthorised access. As the data subject stays in physical control of their biometric data and there is no single point that can be targeted or exploited, the biometric personal data are protected "by design" (article 25 GDPR).
On the basis of article 28.1. GDPR, controllers are advised to carefully consider which processors they engage for the processing of their biometric personal data: "Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject." (article 28.1. GDPR). As processor compliance is thus also partly a controller responsibility, controllers should put legal warranties and checks in place to ensure that the processing of (biometric) personal data is and remains in compliance with data protection law.
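The decentralised design recommended above, with the encrypted template kept on a card the employee holds and the key held only by the reader device, as an added Go example that is not part of the original article or of any vendor's product; the reader key, card IDs, sample templates and the bit-distance matcher are constructed stand-ins.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"math/bits"
)

// CardRecord lives only on the employee's card; reader and back office keep no template store.
type CardRecord struct {
	CardID     string
	Nonce      []byte
	Ciphertext []byte // AES-GCM sealed template, bound to CardID through associated data
}
type Reader struct{ aead cipher.AEAD } // device-specific key; no card record opens without it
func NewReader(readerKey []byte) (*Reader, error) {
	block, err := aes.NewCipher(readerKey) // 16, 24 or 32-byte key provisioned to the reader
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Reader{aead: aead}, err
}
// Enroll seals a captured template for one card; the plaintext is not retained anywhere.
func (r *Reader) Enroll(cardID string, template []byte) (*CardRecord, error) {
	nonce := make([]byte, r.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := r.aead.Seal(nil, nonce, template, []byte(cardID))
	return &CardRecord{CardID: cardID, Nonce: nonce, Ciphertext: ct}, nil
}
// Verify opens the card's template with the reader key and compares it with a live sample.
func (r *Reader) Verify(card *CardRecord, sample []byte, maxDistance int) (bool, error) {
	template, err := r.aead.Open(nil, card.Nonce, card.Ciphertext, []byte(card.CardID))
	if err != nil { // altered record, record copied to another card ID, or wrong reader key
		return false, errors.New("template unreadable: wrong reader key or tampered card record")
	}
	if len(template) != len(sample) {
		return false, nil
	}
	distance := 0 // stand-in for a real matcher: count the bits that differ
	for i := range template {
		distance += bits.OnesCount8(template[i] ^ sample[i])
	}
	return distance <= maxDistance, nil
}
```

A breach of the terminal or back office yields no templates, and a card record is useless to anyone without the reader key or when moved to another card ID.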
Finally, even when the processing of biometric data is lawful and complies with all data protection requirements, controllers should be conscious that any breach of biometric data is extremely delicate as it allows for a unique personal identification and it cannot simply be replaced. Breaches of biometric personal data are therefore by nature more difficult to contain. As a result, these types of breaches are likely to draw additional media attention causing significant and persistent damage to the company/employer image.
It should be clear that the processing of biometric data is not to be taken lightly, particularly in an employment context where valid consent is typically not a good option. With technology evolving and e.g. fingerprints being included on EID this is probably only the tip of the iceberg and we are likely to see many more cases concerning the use and/or loss of biometric data.