The processing of special category biometric data is behind epassport gates at border control, voice ID for telephone banking and services like Windows Hello and Apple Touch ID to unlock devices.

But the regulation of biometrics differs depending on the manner, impact and purpose of processing. Emotion recognition, for example, while considered a potentially intrusive biometric technology, may not constitute biometric data for the purpose of Article 4(14) GDPR / UK GDPR, which defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprint] data”.

When biometric data, like a fingerprint, voice, retina or facial feature is used for the purpose of uniquely identifying a person it is treated as special category personal data under Article 9 GDPR / UK GDPR and processing is prohibited unless one of the special category conditions applies.

The Information Commissioner has commissioned or collaborated in the conduct of various research on the use of biometrics, seeking the views of the Citizens’ Biometrics Council and the British Youth Council. The former revealed a desire for specific legislation to address ethical and societal concerns regarding the use of biometrics, scepticism as to the ability to prevent unlawful and publicly unacceptable uses of biometric technologies and data, and the potential for the curtailment of the requirement for explicit consent as biometrics become more ubiquitous. In addition to demanding strong control over the use of biometrics, young people were also focused on the importance of transparency and the proven efficacy of biometric recognition.  

On 18 August 2023, the Information Commissioner published a consultation on the first phase of its draft biometric data guidance, stated to have been informed by this research, which is intended to explain how data protection law applies when you use biometric data in biometric recognition systems.

Handley Gill Limited submitted its response to the Information Commissioner’s consultation, which closed on 20 October 2023.

In our response we highlighted that it would be valuable to reflect more on the benefits and risks of the adoption of biometric recognition in the guidance. We also raised concern that there was a lack of clarity as to the circumstances in which the deployment of biometric recognition technologies, such as facial recognition, would meet the legal requirements set out in the UK GDPR and the Information Commissioner’s application of those obligations. This is particularly acute where biometric recognition is used in the context of employment and other workplace relationships. We argued that the Information Commissioner should ensure that its guidance is clear and consistent in relation to the requirements for deploying biometric recognition tools, such as when a Data Protection Impact Assessment (DPIA) will be required. Finally, we called for the guidance to reflect the need for caution before sharing biometric data with third parties or using it for additional purposes.

You can read our response to the Information Commissioner’s consultation on the draft Biometric Data Guidance phase 1 here.

If you require support in considering the lawfulness, privacy by design implications and regulatory requirements of developing or deploying biometric recognition and other biometric technologies, please don’t hesitate to contact us.