When are images, and in particular customers’ pictures, biometric data? And what obligations are triggered under the GDPR in an age when automation is meant to increase?

A frequent question that I have been asked during the last months is whether images are biometric data. As with most questions, we as lawyers usually respond

it depends…

Indeed, the definition of biometric data is not 100% clear as it provides that they are

“personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”

So when it comes to the picture of an individual taken, for instance, as part of a KYC process, there is technical processing, but

is the processing able to uniquely identify the individual?

Considerable support is given by the recitals of the European privacy regulation, which clarify that

“The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.”

Therefore, in our example above, it might be possible to argue that if customers’ pictures are reviewed by a customer support team made up only of “humans” who look at the pictures, no biometric data is expected to be processed. But if the same pictures are analyzed by a machine able to uniquely distinguish one individual from another, such images – subject to a case-by-case review – might be qualified as biometric data.

What happens if your customers’ pictures are biometric data?

Under the GDPR, biometric data is a special category of personal data. This means that, for instance, the performance of the contract with a customer or an employee cannot be the legal basis under which it is processed. This is a “tricky” scenario since, if the legal basis is consent, the point is whether consent is actually free if it is compulsory in order to enjoy a service, and whether alternative solutions which do not require the collection of biometric data need to be offered.

Also, the other options granted by the GDPR shall be “tested” under the local laws of each EU Member State. Indeed, shall the scenarios in which processing occurs in the “public interest” be assessed by the data controller, or expressly provided by local law?

The situation is even more complex in an employment relationship, where consent from an employee is not a strong legal basis since it might not be free…