SALT (Mobai et al.), exit report: Securing Digital Identities

When is the processing of biometric data subject to Article 9?

The processing of biometric data is not always considered to be processing of special categories of personal data. This is because the processing of biometric data is only considered to be processing of special categories of personal data when processed “for the purpose of uniquely identifying a natural person”, cf. Article 9(1) GDPR.

The legal meaning of the term “uniquely identifying a natural person” has been the subject of considerable debate. Some argue that the term only covers biometric identification (1:n), while others argue that biometric verification (1:1) is also covered by this term. As Mobai’s intention is to process biometric data for verification purposes, the interpretation of this term is crucial to assess whether or not the envisaged processing is covered by Article 9 in the GDPR.

In this report we refer to:

“Biometric identification” as a one-to-many (1:n) comparison where the biometric template of a person with an unknown identity is compared with a database of templates in order to reveal the identity of the person in question;

“Biometric verification” or “biometric authentication” as a one-to-one (1:1) comparison where the biometric template of a person with a claimed identity is compared to a single reference template in order to verify the claimed identity.

A literal reading of the wording in Article 9(1) does not seem to provide sufficient clarity to conclude on its scope of application with respect to biometric data. Some argue that “uniquely identifying” only covers biometric identification, while others point out that one has to uniquely identify someone in order to verify a claimed identity as part of a biometric verification process as well. The latter reading would find some support in the definition of biometric data in Article 4(14) GDPR, which covers personal data resulting from specific technical processing “which allow or confirm the unique identification of that natural person” (our emphasis).

A reference to biometric data was not present in the first version of Article 9 in the GDPR legislative proposal tabled by the European Commission. Such a reference was first added during the trialogue negotiations, at the request of the European Parliament. As it appears from the written debriefing of the trialogue negotiation on 24 November 2015, the legislators’ intention was to regulate the processing of biometric data in line with the modernised Convention 108 of the Council of Europe, which restrictively defines biometric data that ‘uniquely identify a person’ to qualify as sensitive data. Nonetheless, neither the preparatory works on the GDPR nor the preparatory work on the modernised Convention 108 are absolutely clear on whether biometric verification should be deemed to qualify as processing of sensitive data.

The use of one-to-many biometric identification schemes generally has a higher impact on fundamental rights than the use of a one-to-one biometric verification system. This difference in impact between biometric identification and biometric verification is clearly evident in the proposal of the AI Act, which imposes strict requirements on the use of AI-based biometric identification schemes. This fact could support a reading of Article 9(1) GDPR according to which only biometric identification (1:n) could be seen as processing of sensitive data.

Case law from the Court of Justice of the European Union (CJEU) does, however, support a wide interpretation of Article 9, cf. case C-184/20 (see paragraph 125).

A recent opinion from the European Data Protection Board (EDPB) also suggests that processing of biometric data for verification purposes is covered by Article 9(1). See Opinion 11/2024 on the use of facial recognition to streamline airport passengers’ flow (compatibility with Articles 5(1)(e) and (f), 25 and 32 GDPR). In the aforementioned document the EDPB states the following:

Previous Guidelines from the EDPB also suggest that processing of biometric data for verification purposes is covered by Article 9(1):

See Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement, paragraph 12

See also: the EDPB Guidelines 3/2019 on processing of personal data through video devices, paragraph 78.

As outlined above, there is a significant degree of legal uncertainty regarding whether biometric verification is covered by Article 9(1). This is not an issue that can be solved in this sandbox project. However, based on our discussions, we do consider that it is likely that biometric verification is covered by Article 9(1). We would therefore recommend that the SALT-project treat the biometric data used for verification purposes as a special category of personal data.

The most obvious consequence of this is that Mobai or their customers, depending on who is the controller, need to identify and demonstrate the existence of a valid exception in Article 9(2) as well as a legal basis in Article 6(1) to be able to lawfully process personal data for this purpose.

However, whether or not the processing of biometric data falls under Article 9 does not necessarily change the level of security measures required according to the GDPR. Even though biometric data was not considered a special category of personal data according to Directive 95/46/EC, the predecessor of the GDPR, processing of biometric data was subject to strict security requirements. In our view, there is nothing that indicates that the introduction of the GDPR changes this. This has also been the view of the participants from the SALT-project.

Does Article 9 apply when processing for secondary purposes?

As mentioned above, biometric data in itself is not considered a special category of personal data. It is the purpose that decides whether or not Article 9 applies to the processing.

When looking into the different processing operations relevant to this project, we have recommended that the processing operations connected to implementing improvements to the prediction accuracy for capture modules, face comparison and fraud detection algorithms, in addition to fraud investigation after real-time sessions, are considered processing for secondary purposes.

In this case the secondary purposes relate to training and improvement of AI models and the system as such. As pointed out earlier, this processing is not carried out for the purpose of completing an identity verification. Thus, we do not consider this processing “for the purpose of uniquely identifying a natural person”. On this background we believe that Article 9 will not apply when processing personal data for these secondary purposes.

However, as mentioned above, this does not necessarily change the level of security measures required for the processing according to the GDPR. The main consequence is therefore that Mobai can, for this processing, rely solely on a legal basis in Article 6(1). This is unless they are processing data falling under one or more of the other special categories of data mentioned in Article 9(1). Please note that the discussions in the sandbox project regarding Article 9 have been limited to biometric data as a special category of personal data. Other special categories of data will therefore not be addressed in this report. However, Mobai has to consider this before processing personal data for secondary purposes.

According to Article 9(4) GDPR “Member States may maintain or introduce further conditions, including limitations, with regard to the processing of (…) biometric data (…)”. The Norwegian Personal Data Act section 12 sets out such additional conditions for the processing of “unique identifiers” such as biometric data:

The impact of this national regulation on processing of biometric data for purposes related to training and improvement of AI models and the system as such, has not been further discussed in this sandbox project.