Author: András Jóri
(14) ‘Biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
I. Preliminary remarks
Biometric data is a definition used by the GDPR when setting out the ban on the processing of special categories of personal data (see the commentary on Art. 9, mn. 11). The set of biometric data might in practice overlap with the categories of genetic data and health data,[1] two other categories relevant when applying Art. 9. Apart from the definition and the recitals, the term “biometric data” appears only in Art. 9.
II. Legislative history
The term biometric data was not defined or used by the DPD. The Comm-P defined the term as any “data relating to the physical, physiological or behavioural characteristics of an individual which allow their unique identification, such as facial images, or dactyloscopic data”. In the lawmaking process, reference to “specific technical processing” and the confirmation of the unique identification was added to the definition. The Comm-P used the term also in the context of data protection impact assessments; in the final text, the respective provision of the GDPR refers to special categories of personal data in general (→ Art. 35 mn. 18)
III. Analysis
-
“Personal data resulting from specific technical processing”
The term only captures personal data; in other words, the definition can and should be applied to data that has already qualified as personal data according to the respective definition of the GDPR (see the commentary on Art. 4 no. 1 (→ mn. 8 et seq.). The question of whether all biometric information qualifies as personal data or not is discussed by the literature.[2]
As to “specific technical processing”, on the one hand this term is closely linked to the wording “which allow or confirm the unique identification of that natural person”. This conclusion can be drawn from recital 51, which states that “[t]he processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.” Specific technical processing, therefore, means that in order to qualify as biometric data, data shall be processed by a technology that makes indentification or authentication of a natural person possible. For the term identification and authentication (→ mn. 10).
On the other hand, “specific technical processing” refers to the method that turns measured biometric characteristics into biometric samples or templates. In a biometric system, first a characteristic (trait) is measured, and stored as a sample.[3] A template is generated from the sample by extracting the distinct biometric features and “may be, e.g., a table or a (fixed-length) numerical (binary) string (e.g., 101010 representing a feature vector”.[4] According to the Art. 29 WP, a template “is a structured reduction of a biometric image”.[5] For example, in the case of fingerprints, the sample is the recorded print, while the template may be “an unordered set of tuples consisting of the minutiae’s coordinates and local orientation” representing the minutiae features.[6]
[…]
[1]See Bygrave/Tosoni, ‘Art. 4(14)’, in Kuner/Bygrave/Docksey, p. 213.
[2]Kindt, Privacy and Data Protection Issues of Biometric Applications – A Comparative Legal Analysis, p. 90 and pp. 94 et seq.
[3]Ibid, p. 43.
[4]Ibid.
[5]Art. 29 WP Working Document on Biometrics (12168/02/EN WP 80, adopted on 1 August 2003), p. 4.
[6]Kindt, Privacy and Data Protection Issues of Biometric Applications – A Comparative Legal Analysis, p. 44.