Processing Biometric Data and Data Protection Impact Assessments
Posted in: Business Legal on Data Security on 26 September 2019

Issues covered: This month’s edition of the Business Legal Data Protection Newsletter focuses on Biometric Data processing; Data Protection Impact Assessment (‘DPIA’); implications of a no-deal Brexit scenario on international data flows and privacy; and examines a few recent cases from around the world.
Biometric Data processing.
To be legally compliant with data protection law, an employer must have a “lawful basis” or justifiable reason to process an employee’s personal data.
Ordinarily, under the GDPR, these reasons could include:
a) employee consent;
b) where the processing is necessary for the performance of a contract to which the data subject has agreed;
c) for compliance with an employer's legal obligation;
d) where the processing is necessary to protect an individual’s vital interests;
e) where the processing is necessary in the public interest;
f) where the processing is necessary for the purposes of legitimate interests pursued by the employer.
Biometric data used to uniquely identify individuals is considered a ‘special category’ of personal data under the GDPR. Processing of special categories of personal data is prohibited unless additional legal bases apply. Therefore, in addition to having one of the above legal bases for processing, the employer must ALSO have one of the following legal bases:
g) explicit consent;
h) where the processing is necessary for the performance of specific rights or obligations in employment/social security/social protection law or a collective agreement;
i) where the processing is necessary to protect an individual’s vital interests where the data subject is physically or legally incapable of giving consent;
j) where the processing is carried out by a non-profit body in certain circumstances;
k) where the processing relates to personal data made public by the data subject themselves;
l) where the processing is necessary for the establishment, exercise or defence of legal claims;
m) where the processing is necessary for reasons of substantial public interest;
n) where the processing is necessary in some limited other circumstances as set out in Article 9 of the GDPR.
Consent
Explicit consent (i.e. stated consent, or consent signified by some positive action such as ticking a box, not just consent which may be inferred from circumstances) given by the data subject to process their biometric data is one of these additional legal bases. However, employee consent is often not considered true consent due to the asymmetrical nature of the employer/employee relationship. Readers will also note from the list at g)-n) above that ‘legitimate interests’ are not available as a legal basis to process biometric data.
Considering these stricter consent obligations under the GDPR and the Article 29 Working Party guidance (the Article 29 group is now effectively the European Data Protection Board, the overseeing body of the GDPR), an employer who is processing biometric data of employees used to uniquely identify individuals should seek alternative bases to explicit consent or ‘legitimate interests’ to process its employees’ biometric data. Unless an employer can make an argument that it is processing biometric data under a collective agreement, or is doing so in the public interest, no other alternative basis is currently available.
In our opinion, employees should be offered alternatives to biometric clock-in systems used to uniquely identify individuals. This is based on a pre-GDPR decision from the Irish Data Protection Commission to that effect, which has now been reinforced by a recent Swedish decision in which a school was fined 200,000 Krona (about €19,000) for processing biometric data.
One potential solution is to use biometric data for non-identification purposes. Biometric data which is used to authorise entry without identifying an individual, but only establishing the fact that they are one of a class of people who are entitled to entry or access, is not ‘biometric data for the purpose of uniquely identifying a natural person’. It is therefore not Special Category Data and is only subject to the less onerous legal bases in the list at a)-f) above.
When is a Data Protection Impact Assessment (‘DPIA’) required in Ireland?
Following the EDPB’s Opinion, the Irish Data Protection Commission (DPC) has published a non-exhaustive list of processing activities which require a DPIA to be carried out. The list encompasses both national and cross-border data processing operations. It should be read in conjunction with Article 35 of the GDPR and the Article 29 Working Party Guidelines.
The DPC has determined that a DPIA will be mandatory for the following types of processing operations:
1. Use of personal data on a large scale for a purpose(s) other than that for which it was initially collected (a compatibility test must also be carried out pursuant to Article 6(4) GDPR).
2. Profiling vulnerable persons, including children, to target marketing or online services at such persons.
3. Use of profiling or algorithmic means or special category data as an element to determine access to services or that results in legal or similarly significant effects.
4. Systematically monitoring, tracking or observing individuals’ location or behaviour.
5. Profiling individuals on a large scale.
6. Processing biometric data to uniquely identify an individual or enable the identification or authentication of an individual, in combination with any of the other criteria set out in the WP29 DPIA Guidelines.
7. Processing genetic data in combination with any of the other criteria set out in the WP29 DPIA Guidelines.
8. Indirectly sourcing personal data where GDPR transparency requirements are not being met, including when relying on exemptions based on impossibility or disproportionate effort.
9. Combining, linking or cross-referencing separate datasets where such linking significantly contributes to or is used for profiling or behavioural analysis of individuals, particularly where the data sets are combined from different sources where processing was/is carried out for different purposes or by different controllers.
10. Large-scale processing of personal data where the Data Protection Act 2018 requires “suitable and specific measures” to be taken in order to safeguard the fundamental rights and freedoms of individuals.
You will see that biometric data processing is at number 6. In our opinion, that DPIA should conclude that the employer should offer an alternative to its employees. There is no requirement that such an alternative be more convenient for the employees.
Brexit: This advice from August is worth repeating.
Are you an Irish company that transfers personal data to the UK?
The proposed withdrawal agreement would have preserved the status quo in data protection terms, at least until the end of the transition period in December 2020. However, if the U.K. leaves the EU without a deal, the implications for international data flows and privacy compliance generally will be severe. Without additional actions, UK based processing of EU personal data will be illegal.
How to ascertain ways you might be transferring data to a UK-based company
- Are you outsourcing your HR, IT or Payroll function to a UK based organisation?
- Are you using a UK based marketing company to send marketing communications to your customer database?
- Is your pension scheme based in the UK?
- Are you using a UK based company to analyse data on visitors to your website?
- Are you storing or processing data in the UK on a server or in the cloud?
- Are you using web-based tools provided by or via UK resources?
In a ‘No Deal’ Brexit scenario you will need to put extra measures in place to legally transfer this data. EU-based data controllers are not permitted to transfer personal data outside the EU/EEA unless EU data protection standards are maintained.
In a “no-deal” Brexit scenario, the UK will no longer be a member of the EU; instead, it will become a ‘Third Country’. In time it will have to seek an adequacy ruling, as Japan has done. This means that transfers of personal data from Ireland to the UK will be treated in the same way as transfers of personal data to countries like Australia or India.
What this means in practice is that, in order to comply with GDPR rules, an Irish company intending to transfer personal data to the UK will need to put in place specific safeguards to protect the data in the context of its transfer and subsequent processing.
This can be done in a number of different ways, depending on the circumstances in which the data is to be transferred. One such way is the use of “Standard Contractual Clauses” or “SCCs” or “Model Clause Agreements”, and this is likely to be relevant to most Irish businesses that transfer personal data to the UK.
The Model Clause Agreements consist of standard or template sets of contractual terms and conditions that the Irish-based controller and the UK-based recipient both sign up to. The basic idea is that each of the parties to the contract gives contractually binding commitments to protect personal data in the context of its transfer from the EU/EEA to the Third Country. Importantly, the data subject is also given certain specific rights under the SCCs even though he or she is not party to the relevant contract.
Recent Cases from around the world
Recently the data protection authority of North Rhine-Westphalia in Germany brought the matter into sharp focus in an investigation into the car industry.
It pointed to the following:
- Vehicle data can be considered personal data if it can be linked to the customer’s name, or to a vehicle identification number;
- Data processing by a garage necessary for repair, service and maintenance including data transmission to the manufacturer is legitimate where that is necessary for the purpose of fulfilling a contract to which the data subject is party, but even in such circumstances the exact nature of the processing must be made clear to the data subject. The recommendation was that this be done at the time of the order, in an addendum to order documents;
- The data protection authority was more sceptical of transmission of personal data to manufacturers. In particular, it formed the view that the garages and manufacturers were possibly both joint controllers of the personal data.
It seems that the automotive industry is now becoming a focus for data protection, and that the data protection commission here will be aware of this German investigation, as there is a regular formal coordination process between all of the data protection authorities in the EU. We can expect that the DPC will be considering launching its own investigation, now that a large proportion of the work involved has already been done in Germany.
Breaking news in Ireland
We explained in our August Newsletter, which covered the use of the PSC Card and Privacy Notices, that the State has been told it must delete data held on 3.2 million citizens, which was gathered as part of the roll-out of the Public Services Card, as there is no lawful basis for retaining it.
In a report on its investigation into the card, the Data Protection Commission found there was no legal reason to make individuals obtain the card in order to access State services such as renewing a driving licence or applying for a college grant.
While the card will still be sought from people accessing some services directly administered by the Department of Social Protection, the DPC has directed that the department cease processing applications for cards needed for such functions.
The Minister has now said she is going to challenge any outcome arising from the findings. Read the full report on The Public Services Card.
It seems that the government is waiting for the DPC to issue a prosecution or fine, before reacting, so we will have to await any such prosecution or fine and the inevitable Appeal/Judicial Review.
Polish DPA imposes €645,000 fine for data breach
Polish DPA imposes €645,000 fine for insufficient organisational and technical safeguards which led to personal data of 2.2 million data subjects being breached.
In the decision imposing the fine, the Polish DPA concluded that the company, by failing to comply with the required technical means of data protection, had breached, inter alia, the principle of confidentiality, as set out in Article 5(1)(f) of the GDPR. As a result, there had been unauthorised access to and obtaining of customers’ data. The authority considered that the measures put in place for authenticating access to data were ineffective. The company had implemented additional technical security measures after the breach.
The investigation revealed that the infringement occurred also because of ineffective monitoring of potential risks.
Google wins landmark right to be forgotten case
On 24 September 2019 the Court of Justice of the European Union agreed with the earlier opinion of the Advocate General (of 10 January 2019) in its ruling on this landmark case and found that the “Right to be Forgotten”, as applied to Google search results, only applies within the EU. Therefore, only domain names corresponding to EU Member States may be dereferenced, together with geo-blocking preventing all access to that partially dereferenced material from within the EU.
This case was decided on jurisdictional grounds. It can just about be distinguished from Article 3.2, which does confer extra-territorial jurisdiction, as that extra-territorial jurisdiction applies only in the context of the sale of goods or services, or of the monitoring of the behaviour of data subjects.
It does make the Right to be Forgotten of only very limited use, as the information can now be accessed by technical means or simply by accessing it from outside the EU.
ECJ Decision 24 September 2019
Advocate General’s Decision 10 January 2019
Disclaimer:
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.