That images of people’s faces which allow or confirm the identification of a person are biometric data and therefore data controllers and processors require a lawful basis under both Article 6 and Article 9 of the GDPR to process that data.
1) The GDPR
Article 4(14) of the General Data Protection Directive defines biometric data as follows; (emphasis added)
‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
2) Irish Data Protection Commission
The Data Protection Commission has issued an information notice on Biometrics within which it helpfully sets out a number of different forms of data which meet the definition of Biometric data in the Commission’s opinion.
To quote the first type as described is sufficient for our purpose;
1.2 Types of biometric data.
There are three principal types of biometric data
Raw Images, consisting of recognisable data such as an image of a face or a fingerprint, etc
3) Article 29 Working Party
Opinion 3/20123 set out two forms of Biometric data, as agreed by the Working Party of all of the EU’s Data Protection Authorities. (emphasis added below). This definition was also cited in the Article 29 Working Party’s Opinion on Facial Recognition:
Biometric data can be stored and processed in different forms. Sometimes the biometric information captured from a person is stored and processed in a raw form that allows recognising the source it comes from without special knowledge e.g. the photograph of a face, the photograph of a finger print or a voice recording. Some other times, the captured raw biometric information is processed in a way that only certain characteristics and/or features are extracted and saved as a biometric template
Although the GDPR has not yet been litigated before the CJEU, a number of national and EU cases have addressed the definition of facial images as sensitive or biometric personal data.
ECJ C-291/12, Schwarz v. Bochum, 20135 set out in Article 1.2 COUNCIL REGULATION (EC) No 2252/20046 is entitled “security features and biometrics in passports and travel documents issued by Member States” (emphasis added)
Passports and travel documents shall include a storage medium which shall contain a facial image. Member States shall also include fingerprints in interoperable formats.
Case Number LJN BK63317 Dutch High Court, 23 March 2010: specifically confirmed that images of faces alone were sensitive personal data, as they revealed sensitive data, such as ethnicity.
CASE OF S. AND MARPER v. THE UNITED KINGDOM
The European Court of Human Rights, which has an appreciation of the EU’s Data Protection Regime, but whose findings are not directly congruent with the CJEU’s on this matter, recognised nonetheless in Paragraph 81 of its judgment that facial records were on a par with fingerprint records and voice samples (which are not disputed to be biometric data)
The applicant’s fingerprint records constitute their personal data (see paragraph 68 above) which contain certain external identification features much in the same way as, for example, personal photographs or voice samples