The position of the Dutch DPA is that processing personal data via facial recognition is prohibited in most cases. However, there are exceptions and the Dutch DPA highlights that the use of facial recognition in the Netherlands is on the rise and consequently the number of questions it receives on the subject is increasing. The guidance includes answers to frequently asked questions in order to provide assistance and clarity to professionals working with facial recognition technologies.
The Dutch DPA explains its view on the significant risks posed to individuals when their biometric data is processed, which is generally central to a facial recognition system. It expects that a data protection impact assessment ('DPIA') will be required in many cases before starting large-scale processing using facial recognition. The guidance points out that if the DPIA concludes that there is a high residual risk, which might often be the case, the organization looking to deploy the system will be required to engage in prior consultation with the Dutch DPA.
The guidance addresses four frequently asked questions regarding the use of facial recognition, which are summarised below.
When is the use of facial recognition a purely personal or household activity?
The Dutch DPA confirms that the GDPR does not apply to the use of facial recognition by individuals for activities with a purely personal or household purpose and sets out the conditions required to meet this exception. Similarly to the French and Belgian supervisory authorities, the Dutch DPA suggests that deploying biometric authentication mechanisms using facial recognition, where no third parties have access to the data, may fall under the household exception only if it complies with the following five criteria:
- The use of the device's (or service's) mobile electronics to gain access to applications on the device can be regarded as private use.
- The use of biometric data is not imposed on the user by an employer or any other third party. The user has a free choice on whether to use facial recognition or to unlock a device through an alternative way, e.g., through a password.
- The user's biometric data is stored in a secure way and cannot be accessed by third parties (for instance, it is not stored in an external database).
- The biometric data is stored on the device itself using state-of-the-art encryption.
- In the case of access control, the technology only indicates whether the detection has been successful or not.
When does facial recognition result in processing "biometric data" within the meaning of the GDPR?
The Dutch DPA sets out criteria for determining when facial recognition results in processing biometric data as defined in the GDPR, including:
- The nature of the data: the use of facial recognition involves physical and physiological characteristics that can be directly attributed to (and usually permanently linked to) a natural person, such as the distance between eyes.
- The means and method of processing: it must be personal data "resulting from specific technical processing", i.e., the data is analysed by certain technical means and then compared with reference parameters. The guidance provides an example: the features of the face are converted into a unique template from the captured image of the face, and that template is compared with previously saved templates. In this example, both the template saving phase and the final comparison involve specific technical processing.
- The purpose of processing: the personal data must enable or confirm the "unambiguous identification" of a natural person. For instance, a shopping mall using facial recognition to match visitors against a database with templates of Dutch celebrities would be processing biometric data. The same shopping mall would not be processing biometric data within the meaning of the GDPR when it uses facial recognition only to distinguish categories of persons from one another (e.g., male and female visitors), if the equipment used does not allow it to unambiguously identify a natural person or to use the data for authentication.
The guidance provides practical examples of how facial recognition systems may be used to clearly identify and confirm the identity of an individual, which then falls within the GDPR definition of biometric data and triggers stricter requirements. However, the Dutch DPA emphasises that organizations must always comply with data protection law when processing personal data (even if data involved in a facial recognition system is not biometric data) which, among other things, requires a valid lawful basis for the processing.
Does the processing of biometric data fall under the general prohibition on processing special categories of personal data if the purpose is to confirm someone’s identity?
The Dutch DPA clarifies its position on the interpretation of the GDPR provisions on biometric data and the general prohibition to process special categories of data under Article 9 GDPR. Whereas Article 9(1) GDPR only speaks about prohibition of processing “biometric data for the purpose of uniquely identifying a natural person”, the guidance confirms that the processing of biometric data for confirming someone’s identity equally falls under this prohibition. This removes some ambiguity that had arisen on the topic and comments to the contrary that were submitted during the consultation on the draft guidance.
When can you rely on exceptions to the general prohibition on using facial recognition?
The Dutch DPA refers to the exceptions to the general prohibition on processing special categories of personal data (i.e., biometric data in this case), as set out in Article 9(2) GDPR. In particular, the guidance considers the exceptions of: (i) explicit consent of data subjects; and (ii) substantial public interest.
In terms of consent, the guidance breaks down the standard of consent required, i.e., that explicit consent must be freely given, unequivocal, informed, specific, and expressly given by a statement or an unambiguous affirmative action. The Dutch DPA also reiterates its position that freely given consent for the processing of biometric data is unlikely to be possible in an employment relationship.
In terms of substantial public interest, the guidance gives examples of where this exception could apply (e.g., where facial recognition is necessary for certain authentication or security purposes as per Article 29 of the Dutch GDPR Implementing Law) and where it could not apply (e.g., a supermarket seeking to use facial recognition to prevent theft and protect property and employees).
In the press release about the guidance, the Dutch DPA provides a new example of when an exception to the prohibition of the use of facial recognition for security purposes can be invoked. The Dutch DPA has traditionally set a threshold for using this exception very high and had only been referring to an example that stems from the legislative history of the Dutch GDPR Implementing Law: using biometric recognition for security of a nuclear power plant. The new example named is the protection of hazardous substances that could be used, for example, to produce bombs. The Dutch DPA also refers to a code of conduct for the port companies handling international traffic, approved in 2023, where the use of biometric data recognition for the protection of hazardous substances is regulated under strict conditions.
The guidance further includes a helpful brief introduction to the technology behind facial recognition, explaining commonly used methods and steps to recognize individual faces.
Please note that the guidance supplements existing guidance issued by the Dutch DPA on facial recognition, such as its guidance on biometric data and its guidance on the use of facial recognition cameras.
The Dutch DPA's press release and the guidance are both available only in Dutch. The Dutch DPA also issued guidance on this topic aimed at individuals, clarifying the data subject's rights in typical facial recognition uses, e.g., in an employment context or by shops for security or theft prevention.
This article was written in collaboration with aosphere.
Please note that aosphere ceased to be affiliated with Allen & Overy on 8 February 2024 and is not part of the A&O Shearman group. aosphere is a separate business that is not regulated by the Solicitors Regulation Authority. A&O Shearman does not receive any referral fees from aosphere.