In our last blog, February 15th, we looked at some arguments raised in the continuing debate surrounding the public services card. There are other aspects to the debate that we will consider now. Amongst these aspects are the special categories of data that are treated differently under the GDPR than more ‘ordinary’ categories. Any general data processing rules, applicable in the case of ordinary categories of personal data, change or become redundant if the data falls within the ‘special category’ definition. Two topical data protection issues dominate this blog: the prohibition, or otherwise, on biometric data processing; and whether the public services card photograph is within the definition of ‘biometric data’.
GDPR and Special Categories of Data.
Art. 9 GDPR delineates the categories of data that are covered under the special category umbrella. Their treatment under GDPR differs from other categories because of the sensitive nature of the data. Biometric data, “for the purpose of uniquely identifying a natural person” is included under Art. 9 (1). Art. 9 (1) also includes a prohibition on processing of all the other special categories of data. It is difficult to understand why this prohibition has caused so much confusion and erroneous interpretation. In order to avoid doubt as to the intent, practical application and effect of Art. 9, it is prudent to first examine it in its entirety.
Recently the following appeared on the RTE website: “Article 4 of the GDPR especially says facial images are biometric data, Article 9 of the GDPR specifically says it is illegal to process biometric data.” (https://www.rte.ie/news/2019/0207/1028028-public-services-card/) The reference to Art. 9 is not correct. In the first place, it does not use the word ‘illegal’, and secondly, although Art. 9 lays out a prohibition on processing of special category data that includes biometric data, it immediately sets out the exceptions to the general rule. There are many exceptions and these range from Art. 9 (2) (a) through to Art. 9 (2) (j). Initially, the general rule is laid out and then the exceptions to the rule follow. Reading the text fully helps to avoid broad misstatements of fact.
There are exceptions to the rule!
A Taste of the Exceptions to the General Rule.
• processing where the data subject has given ‘explicit consent’ to the processing (unless Union or MS law provides that the prohibition may not be lifted);
• processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
• processing relates to data which are manifestly made public;
• processing is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security law, in so far as it is authorised by Union or MS law…providing for appropriate safeguards for fundamental rights…”; (So if the Dept. was processing biometric data in relation to the data subject’s PSC, then this would be legitimate if provided for by law. Again, the prohibition is not a blanket prohibition, as the quote from the RTE website would suggest.)
• processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
• processing is necessary for reasons of substantial public interest, on the basis of Union or MS law (but is proportionate, respects rights and provides safeguards).
Another nibble at the exceptions to the rule.
There is also an exception for processing that is necessary for the purposes of preventive or occupational medicine and where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health. What all this shows is that there are numerous exceptions to the general rule. Section 73 DPA 2018 closely follows GDPR on this, with S. 73 (2) providing that regulations may be made permitting the processing of special categories of data for reasons of substantial public interest. This flows from the discretion allowed to Member States under Art. 9 (3). Art. 9 (3) gives discretion to the Member States to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
On this issue, therefore, there is only one conclusion. GDPR does not set out a blanket prohibition on the processing of biometric data. It is a prohibition that is subject to, and qualified by, numerous exceptions. Prohibition on processing is waived in the situations expressly stated under Art. 9 (1) and 9 (2).
Public Services Card and Biometric Data.
Biometric data is a recurring theme in the public services card debate. This debate centres around one particular feature of the card. It focuses on the photograph taken when applicants present themselves at designated offices to register for the card as part of the SAFE process. SAFE stands for Standard Authentication Framework Environment. It is a standard for establishing and verifying an individual’s identity for the purposes of accessing public services. Is this photograph biometric data? Many people take the view that this photograph is exactly that. The GDPR has laid out a position on this topic.
Art. 4 (14) defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”. Section 69, DPA 2018 shares this definition except where it replaces ‘natural person’ with ‘individual’. There is a view that ordinary photographs do not constitute biometric data. It may be the case that all photographs are facial images, but not all facial images are biometric data. This is not to initiate an exercise in semantics, but there are technical differences that distinguish one from the other. GDPR has attempted to clarify the distinction by the precise nature of its text. Accordingly, it is the text itself that is most instructive in this particular context.
Verification and Identification.
An obvious purpose for biometric data is recognition of individuals, and this takes two forms: identification, followed by verification. Identification is the less complicated of the two, and centres on comparing the data to that of numerous other individuals. Verification aims at matching the physical, physiological and behavioural characteristics to biometric data of a specific individual that have been stored in a database. Identification may be made with a high degree of probability. Identification answers the question, “Who are you?”, whereas verification answers the question, “Are you really who you say you are?” (See diagram and note in the appendix below.) Verification is made with almost 100% certainty.
What GDPR is clear about is this: only data concerning a person’s physical, physiological or behavioural characteristics that have gone through specific technical processing allowing the unique identification or verification of a natural person qualify as biometric data. The essence of the distinction centres on the word ‘unique’. There are no degrees of uniqueness. Something is not more unique, or less unique. It can only be unique, or not unique. Therefore, identifying something as unique sets it apart from all others. Can even a mother of identical triplets uniquely identify her three children individually, from a photograph of all three together (presuming that no one has identifiable scars)? GDPR had this in mind when including the word ‘unique’, and this is because it is the specific process after a photograph is taken that enables ‘unique’ identification or verification.
A quite specific process has to be carried out before it qualifies as biometric data. Special and varied aspects of a facial image can be assessed to aid the goal of unique verification. In the context of a facial image, distances from nose to mouth, between nose and mouth, between eyes and nose and from earlobe to earlobe are examples of, and variations on, the means to the end. Unique verification is the end. On this analysis, it is difficult to perceive ordinary photos as biometric data. A photo is a facial image. On its own, and in isolation, a facial image is not biometric data. A facial image must result from “specific, technical processing” (Art. 4 (14)).
GDPR Recital 51 states, “…The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when (our emphasis) processed through a specific technical means allowing the unique identification or authentication of a natural person”.
Finally, the Department (Employment Affairs and Social Protection), in its guide to SAFE Registration and in answer to the question, “Does the Public Services card store biometrics”, states, “No. While the card does store a person’s photograph it does not store the biometric or arithmetic template of that photograph”. https://www.welfare.ie/en/downloads/DEASP_Comprehensive_Guide_to_SAFE_Registration_and_the_PSC.pdf
It does not use advanced facial mapping cameras when taking the photos as part of the SAFE registration process.