Question: My technology company has perfected a new product that requires the collection of biometric information about customers. I’d like to roll out the product into the European market. What kinds of laws do I have to be concerned about in E.U. countries around data privacy and facial recognition technology? Does the GDPR have any impact on my ability to bring this product to Europe?
First, congratulations on your company's new product. We hope that it has a successful rollout. To that point, the biggest statutory hurdle in the E.U. is, of course, the GDPR. Under the GDPR, data protection is treated as a fundamental right, and biometric data is singled out in Article 9 as a "special category" of personal data requiring heightened protection. Article 4(14) defines biometric data broadly as "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data." Note the qualifier "specific technical processing": a plain photograph is not biometric data under the GDPR, but a face template or matching score derived from it is.
Generally speaking, processing special categories of personal data, biometrics included, is prohibited under Article 9(1) unless the individual has given explicit consent or one of the other specific grounds listed in Article 9(2) applies. Consent or another legal basis is not enough on its own, though. Article 35 requires a data protection impact assessment (DPIA) before any processing that is likely to result in a high risk to individuals, which expressly includes large-scale processing of special categories such as biometrics. If the DPIA shows that the residual risk remains high and there are no measures that would mitigate it, Article 36 requires the company to consult the supervisory authority before processing begins. Note, the GDPR is extremely stringent: violations of its core rules, including Article 9, can result in administrative fines of up to EUR 20 million or 4 percent of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.
Another consideration for your product rollout in the E.U. is that the GDPR (Article 9(4)) permits Member States to maintain or introduce additional conditions and limitations on the processing of biometric, genetic and health data, so compliance is not uniform across the bloc. Germany, specifically, has the Federal Data Protection Act (BDSG), which aligns itself with the GDPR but goes beyond it: section 22 of the BDSG enumerates the purposes for which special categories of personal data may be processed without explicit consent and requires specific technical and organizational safeguards for that processing.
Beyond Germany, other E.U. countries have enacted their own biometric rules. Portugal's Data Protection Law and, by reference, its Labor Code limit the collection of biometric data to instances where the purpose is clearly stated and agreed to, and where the collection is not excessive for that purpose. The Netherlands, through the Dutch Personal Data Protection Act, adopts a broad definition of personal data that plainly includes biometrics and imposes purpose and consent requirements similar to the GDPR's. Similarly, the UK and France have both amended their data protection acts to closely mirror the protections set forth in the GDPR.
The bottom line: Biometrics are an exciting technology. They are "cutting edge," they are convenient, and, depending on how they are implemented, they can be more (or less) secure than the credentials they replace.
The caveat: biometric data is as much a liability and a risk as it is a tool. Unlike a password or a card, a fingerprint or a face cannot be reissued once it has been compromised, which is exactly why the law treats it so carefully. With that in mind, it is imperative that your company check, double-check, and triple-check that it complies with the GDPR and with the potentially more stringent rules of the individual E.U. Member States in which the product is offered.
This article first appeared on Law.com’s Inside Track on March 7, 2018.