On July 15, 2021, the Belgian Supervisory Authority (“SA”) released a 40-page draft recommendation on the use of biometric data and launched a public consultation to solicit feedback about it.
Most notably, the SA points out that there is no valid legal basis other than explicit consent (with all the GDPR limitations attached to it) that would enable the processing of biometric data for authentication purposes (e.g., security), because Belgian lawmakers failed to adopt the required national legislation to supplement the GDPR (specifically, to underpin the public interest exception found in Art. 9(2)(g) GDPR for processing sensitive personal data). The SA considers this outcome a departure from the rules that applied prior to the GDPR, and will therefore allow a one-year grace period to give controllers and lawmakers sufficient time to address the issue.
There were several other noteworthy points mentioned in the draft recommendation, including:
- The SA appears to consider all biometric data to be within scope of Art. 9 GDPR. The fact that Art. 9 is limited to biometric data used “for the purpose of uniquely identifying a natural person” appears to be interpreted by the SA in an overly broad manner to capture all biometric data. This explains why the regulator (erroneously) applies these rules to DNA research in the medical sector – even though such research does not use DNA to uniquely identify a person. The same is true for most commercial DNA testing. These activities may be covered by Art. 9 GDPR to the extent they result in the processing of data concerning health, but not because they involve biometric data.
- On the obligation to conduct a data protection impact assessment (“DPIA”), the draft recommendation reminds readers that, in Belgium, a DPIA is mandatory for the processing of biometric data “for the purpose of uniquely identifying a natural person” in spaces accessible to the public. This requirement arises from the list of processing operations subject to a mandatory DPIA adopted by the SA pursuant to Art. 35(4) GDPR – in that list, the “purpose-of-identification” criterion is mentioned explicitly. However, the SA goes one step further by saying that a DPIA should be conducted for the processing of any biometric data, given the sensitivity of the data. This raises the question of why it was not included on the Art. 35 list drafted by the SA to begin with.
- Lastly, the SA considers secondary use of biometric data to be virtually prohibited unless the party seeking to further process the data identifies a new, valid legal basis to justify this. The SA makes no reference to the scientific research exemptions found in the GDPR.
Interested parties short on summer holiday plans should send in their response via email to firstname.lastname@example.org by September 1st.