The European Data Protection Board (EDPB) has issued a ruling on the use of facial recognition at airports, in response to concerns raised by the French Supervisory Authority regarding compliance with the European Union’s General Data Protection Regulation (GDPR).
The French Supervisory Authority observed that the models currently being tested in several EU airports vary from one member state to another, thus possibly creating a risk of divergence between interpretations among authorities.
In an opinion adopted on May 23, the EDPB addresses a matter of general application that produces effects in more than one member state. Specifically, the opinion analyzes the compatibility of the processing with GDPR’s storage limitation principle, the integrity and confidentiality principle, data protection by design and default and security of processing. Compliance with other GDPR provisions, including those regarding the lawfulness of the processing, is not covered by the opinion.
“There is no uniform legal requirement in the EU for airport operators and airline companies to verify that the name on the passenger’s boarding pass matches the name on their identity document, and this may be subject to national laws,” the EDPB said in a statement. “Therefore, where no verification of the passengers’ identity with an official identity document is required, no such verification with the use of biometrics should be performed, as this would result in an excessive processing of data.”
In its opinion, the EDPB considered the compliance of processing of passengers’ biometric data with four types of storage solutions, ranging from ones that store the biometric data only in the hands of the individual to those that rely on a centralized storage architecture with different modalities. In all cases, only the biometric data of passengers who actively enroll and consent to participate should be processed.
The EDPB found that the only storage solutions that could be compatible with the integrity and confidentiality principle, data protection by design and default, and security of processing are those in which the biometric data is stored in the hands of the individual, or in a central database but with the encryption key solely in the individual’s hands. These storage solutions, if implemented with a list of recommended minimum safeguards, are the only modalities that the EDPB believes adequately counterbalance the intrusiveness of the processing by offering individuals the greatest control.
The EDPB said that solutions based on storage in a centralized database, either within the airport or in the cloud, without the encryption keys in the hands of the individual, cannot be compatible with the requirements of data protection by design and default. If the controller limits itself to the measures set out in the scenarios described in the opinion document, such solutions would also not comply with the requirements of security of processing.
“Controllers need to ensure they have a sufficient justification for the envisaged retention period and limit it to what is necessary for the proposed purpose,” the EDPB concluded.