Four years have passed since the inception of probably the most ambitious pan-European regulation. With GDPR growing up to be big and strong, we have seen widespread progress in both understanding and enforcing the European tradition of data protection and privacy. Yet GDPR still seems to struggle with the most innovative and groundbreaking technologies.
Take biometrics, for example. Biometric data is derived from or based on human biological parameters. It may function either as an identifier (a fingerprint, a retina scan, face geometry) or as information in itself (one's physical activity data, case history, etc.).
Identification, onboarding, security, management optimization and general convenience: biometric data opens many valuable opportunities for businesses to take their operations to the next level.
However, GDPR is somewhat coy on biometrics. It merely states that, as a general rule, processing of special categories of data (including biometric data processed for the purpose of uniquely identifying a person) is prohibited. Full stop. That does not give much leeway, does it?
Even if the data controller (e.g., an employer) holds a number of very legitimate reasons to collect and use such data, processing of biometric data can only be based on the painfully narrow list of exceptions in Article 9(2). One of those exceptions is that the individual has given explicit consent to the use of their biometrics. This is usually where the trouble starts, at least in the employment context. Recital 43 of GDPR and the European data protection authorities (the Article 29 Working Party, now the European Data Protection Board) treat the employment relationship as an imbalanced one, in which the employer wields more power than the employee. Since consent has to be freely given, and given that inherent imbalance, businesses in most cases cannot rely on consent as the legal basis for biometrics.
An employer may still be able to walk this regulatory fine line. It is risky, although not impossible. These are the three questions to keep in mind:
Does the employee have an alternative if they opt out of the processing? Be sure to offer the employee a genuine opportunity to refuse, together with an actual alternative (such as a badge or PIN instead of a fingerprint) that does not leave them significantly worse off.
Does the processing benefit the employee in any way? If the processing is aimed at genuinely benefiting the employee (e.g., issuing bonuses or discounts), consent may become a more reliable ground for processing.
Is the purpose of the processing valuable and important enough, or is it just another nice-to-have convenience feature? In the end, it all boils down to a core principle of GDPR: data minimization. Consider whether less invasive methods are available. Fingerprint scanning to control access to a secure area may be justifiable; fingerprint scanning to release print jobs or vend coffee, not so much.