Is the use of biometrics for access control allowed? New legal report from the Spanish Data Protection Agency.

Articles · 30 July 2025

On 18 July, the Spanish Data Protection Agency (hereinafter, "AEPD" or "Authority"), in its role as supervisory authority, issued a legal report in response to a prior consultation on the use of biometric systems for access control to Civil Guard facilities. This resolution is of great importance as it marks a turning point in the criteria applied by the AEPD to the use of biometric data for this purpose.

In the resolutions and guidelines published prior to this report, the AEPD considered that the use of biometric systems for access control was highly intrusive and disproportionate to the purpose for which they were intended, since alternative, less invasive means, such as access cards, fully met the same purpose.

Although we cannot ignore the fact that this new legal criterion refers to the use of these systems in specific contexts and provided that certain technical and organisational guarantees are applied, it opens up the possibility of considering this processing as a viable and appropriate option for controlling access to certain facilities.

What you should know about the Authority's new legal approach:

1. Consent as a valid basis of lawfulness: the AEPD previously questioned the sufficiency of this basis of lawfulness for this type of processing, as it was considered a high-risk processing operation that did not pass the necessity requirement. This new interpretation could suggest the use of these systems for access control in unregulated environments, provided that certain guarantees are met and the proportionality test is passed.

2. Determining the context and carrying out an impact assessment: The AEPD recognises that access control by means of biometrics is more effective than other methods, such as cards or passwords, as it allows a more reliable verification of identity and prevents unauthorised access. Furthermore, and considering that the processing of biometric data involves a high risk to the data subject's rights, whenever the data controller wishes to implement this type of system, it must carry out an impact assessment to analyse the suitability, necessity and proportionality of the processing. Along these lines, the AEPD points out that the perimeter and type of biometric system to be implemented must be defined, since its use in critical facilities is not comparable to that of less sensitive environments, due to the differences in risks and guarantees required.

3. Difference between identification and authentication: The AEPD stresses that the level of risk is also determined by the biometric identification system used. In other words, univocal authentication or verification (1:1), which makes it possible to determine whether the person is who they say they are by comparing their data with a unique template linked to their identity, is less risky than identification (1:N), i.e. identification that answers the question "who are you among all possible people?". On this basis, it determines that the former generates lower risks than the latter because it involves more limited processing.

4. Proportionality and adoption of appropriate technical and organisational measures: Finally, the AEPD determines that, considering the purpose of the processing, the mitigation measures implemented are proportional and that there are no equally effective alternatives with respect to the purpose pursued, i.e. the security of the Guardia Civil's facilities. In addition, it stresses that the design developed is appropriate as there is no centralised storage and there is a strict limitation to the purpose of authentication, which reduces the risk of accidental or massive processing.




What is happening in Chile with regard to these matters? 

First of all, let us recall that last May, Law No. 21.734 was published, which modifies article 5 of Decree Law 2.460 that regulates the Chilean Investigative Police ("PDI"). It establishes that PDI personnel may use suitable technological devices or means, including the processing of biometric data, to verify the identity of persons entering, leaving or moving within the country, in accordance with the provisions of Law No. 19.628 on the Protection of Privacy.

On the other hand, on 22 July, the Office of the Comptroller General of the Republic ("Contraloría General de la República") issued an official communication regarding the attendance control systems in the services and bodies of the state administration.

In this regard, the Comptroller's Office stresses the need to modernise attendance control mechanisms, as systems based on physical or paper-based books can generate multiple errors or omissions. In this way, it determines that there are currently technological tools that provide the ideal certainty and reliability to modernise attendance control, mentioning among them those that use biometric systems by means of fingerprint or facial recognition.

Although this official communication from the Comptroller's Office, unlike the AEPD resolution, provides guidelines on attendance control, a matter on which the Directorate of Labour has also issued pronouncements for the private sector, it provides guidance on the vision that local authorities are adopting with respect to the use of these systems. It also shows that no attempt has been made to carry out a proper assessment of the impact associated with this type of processing.

Will these be guidelines that will flourish once the Personal Data Protection Agency begins to operate in Chile? 

Undoubtedly, this entity will have an interesting challenge with respect to reconciling the modernisation of the State, private interests, and the protection of the fundamental rights of data subjects.
