Spanish courts call facial recognition for employee management overkill
A Spanish legal ruling on facial recognition could have ramifications for businesses using biometrics to monitor workers.
According to an article in Gearrice, the Social Court No. 2 of Alicante found that Albero Forte Composite SL, a plastics manufacturer also known as Plastic Forte, had violated its workers’ right to privacy in using facial recognition to create a database that could be used to control entry and exit. Employees signed a consent form allowing their images to be used for various purposes, but the document did not cover face biometrics.
Although the fine imposed as a penalty was a relatively meager 6,251 euros (roughly US$6,540), the case sets a significant precedent in recognizing a worker’s right to be compensated by their former employer over the unauthorized use of biometric systems. Prior to this, there has only been one major court proceeding around the use of facial recognition, in which a supermarket chain was fined €2.5 million for using facial recognition as an anti-theft measure.
As in that case, the Alicante ruling on Plastic Forte finds the application of facial recognition systems, with their attendant privacy risks, to be disproportionate to the issues they purport to resolve. It states that, “when analyzing the proportionality of a proposed biometric system, it is necessary to first consider whether the system is necessary to respond to the identified need, that is, whether it is essential to satisfy that need, and not just the most appropriate or cost-effective.”
“If the benefit is relatively minor, such as greater comfort or slight savings, then the loss of privacy is not appropriate.”
The €6,251 fine is also the lowest allowed by law for violations classified as “very serious.”
The fine marks Plastic Forte’s second censure for its facial recognition scheme. In February, the Spanish Agency for Data Protection (AEPD) fined the company €12,000 for what it found to be violations of privacy related to biometric data collection, a reduction of what was initially to be a €20,000 penalty.
In May, the agency imposed a fine ten times that size on the Mobile World Congress technology fair for using facial scans to allow visitors to access the venue in which it was held.
The European Data Protection Board (EDPB) updated its guidelines for fines under GDPR last year.