Facial images as a unique biometric identifier in EU law

• Author: European Union Agency for Fundamental Rights (EU body or agency)
• Pages: 5-6

FRA Focus

5

2. Facial images as a unique biometric

identif‌ier in EU law

People’s facial images constitute biometric data:

they are more or less unique, cannot be changed,

and cannot easily be hidden. Facial images are also

easy to capture: in contrast to other biometric iden-

tif‌iers, such as f‌ingerprints or DNA, a person is typi-

cally unable to avoid having their facial image cap-

tured and monitored in public.

EU law regulates the processing of facial images under

the EU data protection acquis. Table 1 provides an over-

view of relevant EU data protection instruments, their

subject matter, and whether they govern the process-

ing of facial images as biometric data. In the f‌ield of

police and judicial cooperation in criminal matters, the

Law Enforcement Directive (Directive(EU)2016/680)21

is the most relevant instrument. It establishes a com-

prehensive system of personal data protection in the

context of law enforcement.22 The Law Enforcement

Directive specif‌ically refers to facial images as ‘biom-

etric data’ when used for biometric matching for the

purposes of the unique identif‌ication or authentica-

tion of a natural person.23 The sectorial EU instruments

governing large-scale EU information systems in the

f‌ield of migration and security, listed in Table 2 in Sec-

tion 5.2, complement the EU data protection acquis.

Biometric data is def‌ined as “personal data result-

ing from specif‌ic technical processing relating to the

physical, physiological or behavioural characteristics

21

Directive (EU) 2016/680 of the European Parliament and of the

Council of 27 April 2016 on the protection of natural persons

with regard to the processing of personal data by competent

authorities for the purposes of the prevention, investigation,

detection or prosecution of criminal oences or the execution

of criminal penalties, and on the free movement of such data,

and repealing Council Framework Decision 2008/977/JHA, OJ

2016 L 119/89 (Law Enforcement Directive), OJ L 119, 4.5.2016,

pp. 89-131.

GDPR, recital (41).

22 For more, see FRA, Council of Europe and EDPS (2018),

Handbook on European data protection law. 2018 edition,

Luxembourg, Publications Oce, June 2018, pp. 31-33 and

Chapter 8.

23 Law Enforcement Directive, Art. 3 (13). See also Regulation

(EU) 2016/679 of the European Parliament and of the Council

of 27 April 2016 on the protection of natural persons with

regard to the processing of personal data and on the free

movement of such data, and repealing Directive 95/46/EC

(General Data Protection Regulation), OJ L 119, 4.5.2016, pp.

1-88 (GDPR), Art. 4 (14) as well as Regulation (EU) 2018/1725

of the European Parliament and of the Council of 23 October

2018 on the protection of natural persons with regard to the

processing of personal data by the Union institutions, bodies,

oces and agencies and on the free movement of such data,

and repealing Regulation (EC) No 45/2001 and Decision

No.1247/2002/EC (PE/31/2018/REV/1), OJ L 295, 21.11.2018,

pp. 39-98, Art. 3 (18).

of a natural person, which allow or conf‌irm the unique

identif‌ication of that natural person, such as facial

images or dactyloscopic [f‌ingerprint] data.”24 EU data

protection law recognises two categories of infor-

mation as biometric data: 1) ‘physical/physiological

characteristics’, which pertain to bodily characteris-

tics such as facial features, f‌ingerprints, retina and

iris characteristics; and 2) ‘behavioural characteris-

tics’, like deeply ingrained habits, actions, personal-

ity traits, addictions, etc.

25

This includes behavioural

characteristics that could permit the unique identif‌i-

cation of a person, such as a hand-written signature,

or a way of walking or moving. Digital facial images

belong to the f‌irst category.

Recital (51) of the GDPR makes a distinction between

the legal nature of simple ‘photographs’ and biom-

etric ‘facial images’. The def‌inition of biometric data

applies to photographs only when these are processed

through specif‌ic technical means allowing the unique

identif‌ication or authentication of a natural person.

26

‘Special categories’ of personal data

“[P]ersonal data revealing racial or ethnic ori-

gin, political opinions, religious or philosophical

beliefs, or trade union membership, and the pro-

cessing of genetic data, biometric data for the

purpose of uniquely identifying a natural per-

son, data concerning health or data concerning

a natural person’s sex life or sexual orientation.”

Source: Law Enforcement Directive, Article 10(1);

GDPR, Article 9 (1) and Regulation (EU) 2018/1725,

Article 10 (1)

Due to their sensitive nature, facial images fall into

the ‘special categories of personal data’ or sensi-

tive data. As such, EU data protection law provides

for enhanced protection, and additional safeguards,

compared to other personal data.27

24 Law Enforcement Directive, Art. 3 (13); GDPR, Art. 4 (14);

Regulation (EU) 2018/1725, Art. 3 (18).

25 Article 29 Data Protection Working Party (2012), Opinion

3/2012 on developments in biometric technologies, 00720/12/

EN, WP193, Brussels, 27 April 2012, p. 4; Misra, P. (2018),

‘Here’s how face recognition tech can be GDPR compliant’,

thenextweb.com, 29 October 2018.

26 GDPR, recital (51); See also Regulation (EU) 2018/1725, recital (29).

27 For more, see FRA, Council of Europe and EDPS (2018),

Handbook on European data protection law. 2018 edition,

Luxembourg, Publications Oce, June 2018.