While biometrics and associated technology is not new and, as it seems, is often used in Poland by different stakeholders – it is still controversial. At least for the Polish data protection supervisory authority ("DPA" or “authority”). Below you will find a brief description of a dispute between the DPA and the Polish court which – when it comes to biometrics – seems to be more flexible than expected by most privacy professionals in Poland.
In 2018, the DPA received information about possible irregularities in the processing of personal data of students in one of the elementary schools in Poland. The irregularities involved the collection of fingerprints of children who use the school canteen. During the formal proceeding, the DPA learned that the school uses a biometric reader located at the entrance to the school canteen, which identifies children in order to verify payment of the meal fee on a given day. From the perspective of the school, it seems that the alternative means of verification did not fully meet the intended purpose of verifying payment of the meal charge in limited time, i.e., during the school break. The school explained that the parents have the choice of agreeing or disagreeing to the use of the fingerprint reader. Parents were informed of this option on the school canteen website. Interestingly, according to policy posted on the canteen website maintained by the school – students who did not have biometric identification would have to let everyone else pass and wait at the end of the line.
Polish DPA’s decision
Based on the above facts, the DPA decided to oblige the school to delete personal data in the scope of digitized information on fingerprint characteristics and to cease processing of such data for the above purpose. It has also imposed a fine on the school in the amount of PLN 20,000 (about EUR 4500).
Several key points were highlighted by the DPA in the reasoning of the decision. First, the special nature of biometric data. Second, the requirement of special protection of children's personal data. Third, the question of the legal basis for the processing of personal data by the school. Fourth, and finally, the meaning of the principle of personal data minimisation.
The DPA pointed out that Article 9(1) of the GDPR prohibits the processing of biometric data to uniquely identify a natural person. The authority stated that a biometric system identifies those characteristics that are, in principle, unchangeable and sometimes (as in the case of fingerprint data), impossible to change. Due to the uniqueness and permanence of biometric data, which translates into their unchangeability over time, their use should, in the opinion of the DPA, be carried out with particular care and caution, which was not the case in the described context.
The authority also made it clear that special protection of personal data is required for children, as they may be less aware of the risks, consequences, safeguards and their rights in relation to the processing of personal data. Children are particularly at risk in this context as the decision to share their data of this nature and its possible leakage would be impossible to reverse in time.
The DPA also considered issues relating to the lawfulness of the legal basis for the processing. In its explanations, the school noted that the processing of biometric data is based on the voluntary consent of the parents. However, the authority pointed out that the legal basis for the school's processing was found in the provisions concerning educational law. Thus, according to the authority, the consent could not be the basis for the processing, as the basis for processing the children's personal data for this purpose is set out in Article 6(1)(e) of the GDPR. This is because – according to the DPA – consent is the basis that legalizes the processing of personal data only if there are no other prerequisites for the processing. This means that the school processes the student's personal data on the basis of the law, for the performance of a task carried out in the public interest. Considering the fact that parents have given their consent as a basis for legalizing the collection of data from their children that is different from the data required by the Polish legislator – such conduct constitutes a circumvention of these provisions.
Judgment of the Provincial Administrative Court
In the view of the provincial administrative court’s (“Court”) view, the school's complaint questioning the DPA’s decision deserved to be upheld. The reason is that the contested decision substantially violated the applicable provisions of law. Accordingly, the decision was cancelled by the Court.
In the justification of the Court’s ruling, the Court concludes that the authority, in issuing the decision in question, committed a substantial breach of the GDPR by incorrectly finding that the school had committed a breach of the principle of data minimisation and a breach involving the processing of sensitive data in violation of the prohibition on processing such data.
The Court found that the authority correctly concluded that in this case biometric data was being processed. As a result of the matching of the biometric pattern registered on the device with the fingertip of the child (a school student using the services of the school canteen) placed on the biometric reader, as well as other information (including the item number, first name, surname, class, and the right to receive lunch), it was possible to identify the child. The Court also held that, contrary to the authority's position, the School did not violate the general prohibition on the processing of personal data laid down in Article 9(1) GDPR, as the school had the parents' explicit consent to process the students' biometric data.
In the Court's opinion, according to the principle of data minimization, the data must be adequate and relevant, but at the same time it may not be excessive. The data may be processed only to the extent that is necessary in relation to the purposes for which they are processed. What is crucial from a practical point of view, according to the Court, the data minimization principle should be considered jointly with the other principles, in particular the purpose limitation principle. The implementation of the proportionality of data processing depends on the correct determination of the purpose of processing, which determines the scope of data collected that are necessary to achieve this purpose. Indeed, proportionality of data processing implies the obligation to ensure that the personal data collected by the controller is appropriate for the purposes of the processing and appropriate to them in terms of quantity, content and scope.
In the Court's opinion, however, the interpretation of Article 5(1)(c) of the GDPR and the data minimisation principle expressed presented by the DPA is incorrect because it unjustifiably omits the important aspect of adequacy and relevance in its assessment, which in consequence leads to an overly rigorous perception of this principle. The Court notes – and in view of the authors of this note is right – that the term "adequate" used in the provision of Article 5(1)(c) of the GDPR means "appropriate, compatible, proportionate, not excessive" and can be treated as a synonym for the word "relevant". Adequacy and relevance can be understood as the necessity to keep the data in appropriate proportion to the purposes of the processing and to process only those data which are necessary for the fulfilment of specific purposes.
The principle of necessity is undoubtedly binding. However, in the opinion of the Court, the DPA's interpretation of the provision analyzed as an obligation to limit the data only to the minimum necessary and to process only such data without which the purpose cannot be achieved should be regarded as too far-reaching. According to the Court, the necessity requirement should be read together with the requirement of adequacy and relevance, which should allow taking into account the circumstances and allowing processing of data which significantly helps to achieve the purpose of processing.
Therefore, the Court found that the two not entirely consistent requirements of adequacy and minimization could be reconciled, holding that their fulfillment should be assessed jointly. Consequently, the primacy of minimization should not be given at the expense of adequacy. Therefore the Court concluded that processing of data to a slightly broader scope than the necessary minimum should be regarded as admissible, provided that the processed data are closely related to the realization of the purpose (e.g. facilitate its achievement). In the Court's view, there is no doubt that the School – as the controller of the disputed biometric data – justified in the course of the investigation the existence of a legitimate link between the purpose of the processing and the scope of the data it planned to process. It also explained in a precise manner why the data verification methods previously used had proved to be ineffective (i.e. did not allow for verifying payment of the meal charge during the school break with alternative methods).
DPA cassation appeal
The DPA filed a cassation appeal with the Supreme Administrative Court (“SA Court”). The authority upheld its position expressed in the contested decision, highlighted the most important arguments and supported them with national and European case law.
The DPA explicitly accused the Court of failing to address the DPA's finding of sending students (by virtue of the website's canteen policy) who have not given their consent to the processing of biometric data – to the end of the queue. According to the authority, such a practice does not meet the condition of voluntariness because failure to provide consent results in adverse consequences for students.
DPA brought up the decision issued by the Swedish supervisory authority. The latter imposed a fine on a school that used a technical solution that automatically identified students' facial profiles to confirm their attendance in class. Then, the DPA cited Guidelines 3/2019 of the European Data Protection Board (“EDPB”), which takes the view that the use of biometric data involves increased risks for data subjects. Afterwards, the authority recalled that the EDPB points to the need to assess the impact of using biometrics technologies on fundamental rights and freedoms and to consider less intrusive means to achieve the legitimate purpose of the processing.
Further on, the DPA reminded that the administrative court of Marseille considered that the decision to install a facial recognition system in two secondary schools, set up to improve access and security, was not in compliance with the GDPR. According to the court, the students could not freely and knowingly consent to the data collection due to the relationship of authority binding the students and the school administration. The court (and independently, the French authority CNIL) concluded that facial recognition was a disproportionate measure for managing school entrances and exits (especially in the context of the existence of alternative measures).
The authority also referred to the position of the Dutch authority, which in one of its decisions stressed that it is the responsibility of the controller to consider whether buildings and information systems should be secured using biometrics. The Dutch authority points out that while biometrics-based access control may be justified in a nuclear power plant, at the same time it is not justified for a repair shop garage. Lastly, the DPA referred to the guidelines of Consultative Committee of Convention 108 on the Protection of Individuals with Regard to Automatic Processing of Personal Data. These state that biometric data should not be routinely processed in educational establishments, except in exceptional circumstances. According to the DPA, it follows from the guidelines that this is only permitted if no less intrusive method can achieve the same purpose, in accordance with the principle of absolute necessity, following a data protection impact assessment and with adequate safeguards provided by law. In view of the arguments raised, the DPA requested the Court's judgment to be overturned in its entirety.
The case is currently still pending. Finally, it should be pointed out that the Court's judgment should be assessed as bold and pro-business, which is a good sign for entrepreneurs. In 2019, SA Court settled more than 42% of the total number of cases within 12 months - and within 24 months - about 80%. Thus, we will still have to wait for the final resolution.