EU Data Protection Legislation and Case-Law with Regard to Biometric Applications

Abstract

Biometric applications are increasingly used to provide enhanced security in verification and identification procedures. However, privacy concerns are raised from the processing of biometric features, which are deemed as personal data and in certain circumstances, as sensitive personal data. Their processing may infringe the privacy of the individual, as it provides more potential for control of the individual. Data Protection Authorities in the EU Member States have issued various decisions, prohibiting biometric applications in some occasions. Their decisions, however, lack consistency and are contradictory. Therefore, it should be examined if the legal review of biometric applications should be based on the application of existing legislation on data protection and particularly of the proportionality principle, or whether specific legal provisions should be introduced. It is stressed out that discrimination exists as regards biometric applications in the private sector and those in the public sector, since biometry has been introduced in passports and plans exist to introduce them also in identity cards. The processing of biometric data is regulated in some EU Member States data protection acts, which provide for the principles of proportionality and/or prior notification to the supervisory authority, while other laws define biometric data as sensitive data and thus, grant enhanced protection to data subjects.