AVPA warns that Spanish regulator’s biometrics decision could tank EU Wallet scheme

Special category data distinction means vendors must offer non-biometric options 

The Age Verification Providers Association (AVPA) has issued a statement on a decision by the Spanish Data Protection Authority, the AEPD, regarding biometrics. It says the outcome of the case could have “profound consequences for the security of digital identity technology across Europe and for the EU Digital Identity Wallet that every member state is required to offer its citizens by the end of 2026.”

That is wide-reaching, indeed, but AVPA goes further, saying the decision “affects every provider of digital identity technology operating under GDPR and, ultimately, every European citizen who uses or will use a digital identity application.”

AVPA believes that the AEPD’s decision, which hinges on the GDPR’s definition of biometrics as special category data, “in effect, requires that consumers must never be obliged to accept a biometric as the only mechanism to confirm that identity data stored in a digital app belongs to them.”

Since “processing special category data requires either a valid legal basis under Article 9.2 if relying on consent, or an alternative non-biometric option that makes consent to biometric processing genuinely voluntary,” providers, the logic goes, cannot solely offer biometric age checks in Spain – and, by extension, Europe as a whole.

For AVPA, “this matters enormously.”

No sharing biometrics, unlike PIN

“We are all familiar with younger people borrowing the driving licence or passport of someone older – ideally someone who vaguely resembles them – to gain access to age-restricted venues or services,” says the post. “A digital identity secured with a biometric simply cannot be used this way. Your younger sibling cannot activate it.” For online age checks, face biometrics – whether it is through facial age estimation or selfie-to-document matching – are a way to guarantee that the person doing the check is present and alive, and the same person who will get access to restricted services.

“Any digital identity app that provides meaningful personal ‘binding’ – the assurance that the person using the app is the person whose identity was verified – requires a biometric to function securely,” AVPA argues. “The AEPD found that because a retained facial template is special category data under Article 9, valid consent to its processing must explicitly acknowledge that fact and must be ‘freely given’. But it also found, under Article 7.4, that consent cannot be freely given if it is a condition of using the service at all.”

This creates a Catch-22 scenario, in which providers are hamstrung by a “stark choice: offer a non-biometric alternative that makes biometric consent genuinely optional but in doing so remove the critical security property the biometric delivers, or stop offering digital identity apps altogether in jurisdictions wherever this interpretation is applied.”

AVPA asserts that “there is currently no non-biometric authentication mechanism that replicates the non-transferable personal binding that a facial template provides. Every practical alternative binds to a device or a secret that can be shared.” Even a solution like passkeys, which have been touted as the ultimate alternative to passwords, “no longer provide the non-transferability that might once have been claimed for them,” given that both Apple and Google now offer group passkey sharing functionality.

Ultimately, biometric facial templates are what make accurate age assurance doable at scale. “Remove that feature, or make it optional in favour of a PIN or shared passkey, and the result is an age verification mechanism that a minor can use simply by borrowing an adult’s phone or credentials.”

European domino effect could push EUDI Wallet towards PINs

The worry is that the case could spur the European Data Protection Board to issue guidance on this issue, meaning the rest of Europe would likely apply the same conditions for biometric age assurance vendors.

That, says AVPA, could be a massive problem for the EU Digital Identity Wallet scheme, which makes it mandatory for every member state to offer a digital wallet to its citizens by the end of 2026. The organization says “the EU’s Architecture and Reference Framework for the EUDI Wallet explicitly contemplates both biometrics and PIN as alternative authentication mechanisms for transaction confirmation and wallet unlock.” That’s in keeping with the AEPD’s decision.

But “by treating the biometric facial template within a consumer identity app as special category data that cannot be made a condition of service,” AVPA says, the Spanish decision “points toward a future in which the most secure authentication option is legally the most difficult to deploy. The least secure option is the path of least regulatory resistance.”

Which is to say, if regulations make biometric privacy-preserving age assurance more difficult to deploy, and PINs are an approved option, even for high-value transactions, the industry may end up back in the world of four-number strings – easy to steal, copy or exploit. “A PIN shared willingly or obtained under duress gives whoever holds it full access to everything a wallet can do – confirming transactions, proving identity, accessing age-restricted services – with no way to distinguish the legitimate owner from anyone else.”

Notably, the decision would appear to implicate the EU’s own white label age verification app, which the European Commission has urged member states to adopt.

AVPA calls on EDPB to issue clear guidance

The case is currently with the Spanish courts. AVPA says that, while it understands the sensitivity around children’s biometrics, the AEPD’s decision “eliminates the security property that makes high-assurance digital identity meaningful.”

As such, it is calling on the European Data Protection Board to issue guidance on the application of Article 9 to biometric authentication in digital identity and age verification applications.

“The courts may yet resolve this question more sensibly,” AVPA says. “But the EDPB has an opportunity to provide clear guidance before the uncertainty causes lasting damage to the development of secure digital identity technology in Europe.”
