Facial Recognition at Airports: maximum control over biometric data
Legislation on facial recognition technologies
Biometric data processing systems are based on collecting and processing personal data relating to the physical or physiological characteristics of natural persons by means of devices that create biometric templates, signatures or patterns that enable identification, tracking or profiling.
The General Data Protection Regulation (hereinafter GDPR) defines in Article 4.14 the concept of biometric data as personal data obtained from specific technical processing, relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that person, such as facial images or fingerprint data.
As we already know, personal data are all data that allow a person to be identified, i.e. that allow the person's identity to be determined directly or indirectly.
Use of biometric data at airports
Systems such as those used by airports store biometric data in the form of a biometric template or pattern, which is not meant to be interpreted by a person but to be processed automatically, i.e. to be efficiently and effectively interpretable by a machine at the access controls of airports that assist with the flow of passengers.
In order to understand this case, it is important to bear in mind that these biometric templates act as unique identifiers of the person. The fact that the original face cannot be reconstructed from the template is irrelevant, since the template is a unique identifier that unequivocally singles out the person in the automated data processing. For a better understanding we can refer to the DNI number: from this unique identifier it is not possible to reconstruct a name or a face, but personal data and additional attributes can be associated with it in a file. In contrast, the biometric template is not assigned to a person, but is generated directly from the observation of unique, inalienable and unalterable physical characteristics of the individual, without the need to resort to other documents, devices or third-party data.
As these technologies have grown and become available to facilitate and streamline day-to-day processes, such as those airport operators face in managing the flow of passengers, controversy has arisen over the legitimacy of using devices that recognise users through biometric technology.
The French data protection supervisory authority requested clarification on this issue, and the EDPB adopted an opinion on the use of facial recognition technologies by airport operators and airlines. This opinion, based on Article 64.2 of the GDPR, addresses the question of implementation by analysing the compatibility of the processing with the principles of storage limitation, integrity and confidentiality, data protection by design and by default, and security of processing.
Data processing and privacy
There is currently no uniform legal requirement in the European Union for airport operators and airlines to verify that the name on a passenger’s boarding card matches the name on his or her identity card, and this may be subject to national legislation. Therefore, where verification of passengers’ identity with an official identity document is not required, such verification should not be carried out with the use of biometric data, as this would lead to excessive data processing.
However, in the words of the EDPB, the use of facial recognition to streamline the flow of passengers at airports could be compatible with Articles 25 and 32 of the GDPR and with the principle of integrity and confidentiality, provided that the biometric template is stored locally on the passenger’s device and under his or her exclusive control, or centrally within the databases of each airport but with the encryption key only in the possession of the data subject.
To conclude, it is very important that from now on airport operators and airlines bear in mind that the processing of biometric data will not be compatible with the legal premises of the GDPR when the biometric templates are not encrypted and the keys are not in the passenger’s possession; such processing is totally contrary to and incompatible with the provisions of Articles 25 and 32 of the GDPR. The same applies to biometric templates that are stored in the airport or in the cloud without the encryption key in the hands of the passenger.
In the opinion of the EDPB, individuals should have maximum control over their own biometric data, and the EDPB has therefore clearly stated which are the only storage solutions that could be suitable and compatible with the principle of integrity and confidentiality, data protection by design and by default, and security of processing.
IP/IT lawyer.