EU civil society group calls for ban on public surveillance biometrics as privacy authorities issue warnings

European Digital Rights (EDRi) has published a paper demanding the European Commission and EU Member States institute a ban on biometric mass surveillance.

Couching their argument in the thresholds set by Europe’s Charter of Fundamental Rights, GDPR, and the Law Enforcement Directive, the report authors examine “the use of technology for untargeted mass processing of special categories of personal data in public spaces.”

The position of the paper is set out in the first line, which declares that “highly intrusive and rights-violating facial recognition and other biometric processing technologies are quietly becoming ubiquitous in our public spaces” across the region. In order to combat this development, the group recommends a permanent halt to all biometric processing in public and publicly accessible spaces in which it has the potential for mass surveillance.

The 40-page report analyzes the legal landscape and the technology, considers several case studies, and makes six recommendations for governing bodies in Europe. The paper was mostly produced before the COVID-19 pandemic, but the group says its recommendations are just as relevant, if not more so, in the new context.

EDRi is a network made up of 44 civil society organizations, and the paper was composed with participation from a coalition of 28 organizations, including Access Now, the Electronic Frontier Foundation (EFF), and Privacy International.

European data protection authorities, meanwhile, have issued a series of statements on the use of biometrics and temperature screening technology as people return to work.

EU data protection authorities warn businesses on biometrics and temperature checks

The use of facial recognition as part of COVID-19 screening systems is only compliant with GDPR regulations if consent is free and valid, and therefore given in preference to an equivalent alternative, the Spanish Data Protection Agency (AEPD) has ruled. If biometrics are mandated for students as an “essential public interest,” which is allowable under GDPR, legislation detailing the extent and circumstances of that special status would have to be passed.

Universities themselves have proposed online assessment alternatives that the AEPD considers less intrusive, and the various risk assessments, consultations, and other considerations are detailed in a 42-page report.

The AEPD also expressed concern about temperature screening, noting that it involves processing protected personal data, which is prohibited by GDPR, and that it tends to take place in a public place, therefore exposing individuals’ protected health information to anyone who observes their temperature being checked. The Ministry of Health would have to formulate set up a mandate and criteria for temperature checks for them to be legal under GDPR.

The risk of regulatory violations is particularly high with devices that also capture biometrics to identify the individual being screened for fever, the AEPD cautions.

The Dutch Data Protection Authority (AP) has likewise warned organizations measuring worker’s temperatures with thermometers or thermal cameras for safe access control are risking a fine by violating GDPR. The AEPD and AP both observe that such practices appear to have become common.

Fever checks involve the processing of personal health data, which is forbidden by GDPR, due to the power imbalance between employers and employees which nullifies the possibility of consent.

AP Chairman Aleid Wolfsen warns that moves towards constant employee surveillance risk shifting society towards a Chinese model, echoing recent comments by UK Biometrics Commissioner Paul Wiles.

Meanwhile Poland’s Office for Personal Data Protection has declared that biometrics cannot be used for time and attendance systems, based on GDPR and the country’s labor law.

Polish Labor Law states that special categories of data, as established by GDPR, limits the processing of biometric data be employers to two specific situations; if an applicant consents or an employee initiates the process, or to secure access to particularly sensitive information or areas. As noted by Dutch authorities, the imbalance of power between employers and employees also significantly restricts the situations in which consent is legally considered possible.

Apple faces probe

The data protection office of the German State of Hesse has launched an investigation into whether Apple has violated privacy rules by taking the temperature of people entering its stores, Bloomberg Law reports.

The office plans to coordinate with other data protection authorities in the country, where Apple reopened stores on May 11 with new public safety measures including fever screening.

Article Topics

access control  |  AEPD  |  biometric data  |  biometrics  |  data protection  |  Europe  |  European Digital Rights (EDRi)  |  facial recognition  |  fever detection  |  privacy  |  schools  |  thermal  |  video surveillance