When are photos biometric data under data protection law? This is a hot question at the moment because data protection laws attach stricter principles to the processing of biometric data, which falls under sensitive data.
Biometric photos are processed on an enormous scale every day, whether that is on social media platforms or employers’ websites. To lawfully use these types of photos you will in most cases need to obtain express consent. A photo is labelled as biometric data if identification can be achieved by automated means (e.g. facial recognition). Practically, this means checking whether the photo in question satisfies the specs of your passport mugshot.
We believe that the line is going to get blurred between biometric and non-biometric photos. Technology is evolving rapidly and we are going to reach the point where almost every photo is a biometric photo. This has legal implications and we hope that the law keeps abreast of these changes.
What is biometric data?
Data protection law is not very clear on what biometric data is. Broadly stated, it is personal data that is derived from technical processing.
“A technique of personal identification based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition.”
So, what is a biometric photo then?
Photos are not automatically biometric data. Although a photo may allow for identification using physical characteristics, it only becomes biometric data if you carry out “technical processing”. Usually, this involves using the image data to create an individual digital template or profile, which in turn you use for automated image matching and identification.
ISO/IEC 19794-5
There’s an old international standard for biometric photos, which provides us with some guidance as to when a photo constitutes biometric data. It’s made for documents like passports, residence permits, and applications. According to this standard, you should be asking some questions when assessing a photo.
- Is the person in the photo looking towards the camera?
- Are their eyes looking into the camera?
- Is it a neutral facial expression (no smiling)?
- Does it have a monochrome background (light grey or grey are best)?
- Is the photo free from shadows on the face or in the background?
If you answer in the affirmative to all of the above, there is a strong likelihood the photo in question is biometric data. In the light of this enquiry, it is evident that the standard is pretty strict and only wants photos like those found in passports to be classified as biometric data. It is important to note that these standards were developed in 2006, when technical processing abilities were not nearly where they are today. Back then, AI and facial recognition could not scan your selfie, casual poses, or photos of you cut out from a group shot and then identify you in the photo. We believe this is not an accurate reflection of the photo-identification technology available in 2021.
The status quo of AI-based facial recognition technology
“Facial recognition technology is a set of algorithms that work together to identify people in a video or a static image.”
Facial recognition is getting good, really good. IBM, for example, has explained that the minimum requirements for their facial recognition technology are that the “image contains a frontal view of the face, good lighting, and at least 80 pixels between the eyes.” This is clearly a drastic departure from the far more stringent requirements set out above. The question thus arises: have the ‘goalposts’ shifted further apart due to the improvements in advanced algorithms? The upshot would be that photos not previously regarded as biometric photos should be. This will have a significant impact under data protection law, as there are further complexities that come with photos that contain biometric data.
Data protection law and biometric photos
Biometric photos are classified as special categories of data. Data protection law prohibits the processing of biometric data for the purpose of uniquely identifying natural persons (and juristic persons in South Africa). There are exemptions where it is lawful, but these are very limited and restrictive (see sections 28 to 33 of POPIA as an example).
Explicit consent
Explicit consent from the data subject in the biometric photo is a recognised exemption. It is worth noting that in Europe, this exemption cannot be relied upon in an employer-employee relationship as it is deemed that consent cannot be freely given. Whether a similar stance will be taken in other jurisdictions like South Africa is still to be determined (see section 27 of the POPIA).
‘Consent’ has a very specific definition in data protection law. In essence, consent must satisfy the following:
- It must be voluntary.
- It must relate to a specific purpose.
- You must notify the person who is in the biometric photo of various things (see section 18 of the POPIA).
- It must be an informed decision.
- There must be an expression of will.