Facial Recognition: EDPB resolves the dispute between AEPD and APDCAT
Facial recognition dispute between AEPD and APDCAT has been resolved by the EDPB. Facial recognition has become a common and widespread practice in various contexts, including online exams.
However, the legal basis for the processing of personal data associated with these practices has recently been a subject of controversy, as it depends on determining whether its use involves the processing of special categories of personal data.
Unambiguous identification or biometric authentication?
AEPD stated in Report 0036/2020 that Article 9.1 of the GDPR should be interpreted in such a way that “biometric data would only constitute a special category of data if they undergo specific technical processing aimed at unambiguously identifying a natural person”.
Therefore, according to AEPD’s criteria, the processing of biometric data carried out for the purpose of verification or biometric authentication would not constitute processing of special categories of data.
To clarify the difference between unambiguous identification and verification or biometric authentication, it is worth mentioning that the European Commission’s White Paper on Artificial Intelligence understands that:
“In the case of facial recognition, ‘identification’ refers to comparing the facial template of a person with many other templates stored in a database to determine if their image is stored within it. ‘Authentication’ (or ‘verification’), on the other hand, usually refers to searching for matches between two specific templates. It allows the comparison of two biometric templates that are presumed to belong to the same person; thus, the two templates are compared to determine if the person in the two images is the same. This procedure is used, for example, in automated border control gates at airports.”
Despite AEPD’s position on this matter, APDCAT recently imposed a fine on the Open University of Catalonia for using facial recognition as a control method during online exams, arguing the absence of an appropriate legal basis to justify this data processing, which, in their view, should be considered a special category.
In fact, according to APDCAT’s established criteria, the processing of biometric data, such as facial data, through automated identification or verification methods to confirm an individual’s unique identification, is always subject to the restrictions of Article 9 of the GDPR.
Therefore, the legal bases claimed by the university to support the lawfulness of the processing, namely Article 6.1.f) and Article 6.1.a), are inadmissible.
The Role of EDPB in Resolving the Facial Recognition Conflict
The clear opposition between the criteria adopted by the different competent authorities in data protection not only poses a problem from the perspective of legal certainty but also affects the fundamental right to data protection of individuals whose data is processed by these mechanisms.
Recognizing this, the European Data Protection Board (EDPB) has resolved this conflict and the issues arising from it through the recent publication of a new version of its Guidelines on the use of facial recognition techniques in the area of compliance.
Specifically, the EDPB has ruled that although both functions, authentication and identification, are different, they both involve the processing of biometric data related to an identified or identifiable natural person and, therefore, constitute the processing of personal data, specifically processing of special categories of personal data.
Thus, the EDPB ends the dispute between the two entities by adopting the position of APDCAT and compels the AEPD to change the line followed by them up to now.
At Letslaw we are experts in Data Protection, and we can advise you on everything you need.