The use of biometrics and data protection: lessons from the AEPD echoed in Chile
The Spanish Data Protection Agency (hereinafter, "AEPD" or "Authority") issued a resolution regarding a complaint filed by members of a sports centre about the mandatory use of a facial recognition system for entry to the facilities when alternative, less invasive means exist that are proportionate to the activity.
In the decision analysed, the defendant argued that it did not process personal data, as it only generated a "mathematical algorithm" or a "single template" which, in its opinion, did not allow for the identification of the person. Under that premise, the sports centre considered that it was not necessary to seek prior consent or to comply with data protection regulations, including the performance of a Data Protection Impact Assessment (hereinafter, "DPA").
However, the AEPD determined that: (i) the system used did involve the processing of biometric data, and (ii) such processing constitutes a high-risk activity that requires the prior performance of a DPA. In this regard, the resolution concluded that the company failed to comply with three fundamental obligations: (i) it had not collected specific, unequivocal and informed consent for the processing of biometric data, (ii) it failed to carry out a prior risk analysis, and (iii) it did not clearly and sufficiently inform the members about the processing and its purposes.
The following are some of the criteria mentioned in the resolution, which should be considered in the processing of biometric data:
1. Full consent: the AEPD, in accordance with the provisions of Article 9.1 of the General Data Protection Regulation (hereinafter, "GDPR"), prohibits the processing of biometric personal data that are intended to uniquely identify a natural person. However, it determines in the following section that this may be possible in cases where the data subject gives his or her explicit consent, so it is of vital importance to have the competent authorisation to carry out the processing of biometric data.
2. Importance of a proper impact assessment: According to Article 35 of the GDPR, where a type of processing, in particular that which incorporates new technologies, considering its nature, scope, context and purposes, is likely to result in a high risk to the rights and freedoms of individuals, the controller must first carry out an impact assessment relating to the intended processing operations on the protection of personal data. In this sense, impact assessments allow, on the one hand, to evaluate all those risks to the rights and freedoms of individuals, and on the other hand, to propose security measures and safeguards for the interests of data subjects.
In this case, the defendant company should have carried out such an assessment, as the use of this type of technology requires by law the analysis of risks to the rights of data subjects - from the design stage - and the implementation of additional safeguards if required.
3. Technological innovation must consider the principle of proportionality. Article 5.1 (c) of the GDPR sets out the so-called "Principle of minimisation of personal data" and provides as follows: "1. Personal data shall be: a) adequate, relevant and limited to what is necessary for the purposes for which they are processed ("data minimisation")". Respect for this principle should therefore be the starting point for any processing, and the controller should consider whether the processing is really necessary, appropriate and proportionate before starting it - it is even advisable to do so.
How will these matters be regulated in Chile?
The amendments imposed by Law No. 21.719 on Law No. 19.628 (hereinafter, "Law on the Protection of Personal Data") regulate the various matters mentioned with respect to the resolution of the AEPD.
Firstly, the "Law on the Protection of Personal Data" determines that biometric data will fall within the category of sensitive personal data, and therefore, in order to be processed, will require an express consent given through a written, verbal or equivalent technological means, as established in Articles 16, 16 bis and 16 ter. It is therefore necessary to re-emphasise the importance of having an enabling source as the forthcoming Personal Data Protection Agency will be able to impose extremely high fines in case of non-compliance.
Secondly, with regard to impact assessments, Article 15b provides, as does the GDPR, that for processing operations that are likely to result in a high risk to the rights of the data subject, the controller must carry out such an assessment in order to ensure that the rights and freedoms of data subjects are respected, as well as to consider additional protection measures in the event that the activity is carried out.
Third, on the principle of proportionality, Article 3(c) determines that the personal data processed must be strictly limited to what is necessary, adequate and relevant in relation to the purposes of the processing, which follows the standard set by the GDPR.
Finally, and after analysing this resolution, it is worth asking ourselves about the guidelines that the Data Protection Agency in Chile will follow regarding the use of this type of technology in consideration of the principle of proportionality. Should we adapt the standard to that established by the AEPD? Is technological progress more relevant than people's rights? Are we really aware of the cost of our personal data? These are undoubtedly relevant questions that still lack a clear and precise answer today.
