On May 23, 2024, the European Data Protection Board (the “EDPB”) adopted an Opinion on the use of facial recognition technologies by airport operators and airline companies to streamline the passenger flow at airports (the “Opinion”). The Opinion, which was requested by the French Supervisory Authority, is limited in scope. It assesses the use of facial recognition for the specific purpose of streamlining the passenger flow at airports with respect to the following Articles of the EU General Data Protection Regulation (“GDPR”): (1) the principle of storage limitation (Article 5(1)(e)); (2) the principle of integrity and confidentiality (Article 5(1)(f)); (3) data protection by design and default (Article 25); and (4) security of processing (Article 32).
In the Opinion, the EDPB considered the compliance of processing of passengers’ biometric data using four different types of storage solutions, including a solution that involves the storage of an enrolled biometric template in the hands of the individual, for example, on their individual device, and solution that involves the centralized storage, within the airport, of an enrolled biometric template in an encrypted form with a key solely in the passenger’s hands. For each solution, the EDPB opines on whether or not it would comply with the GDPR Articles listed above, and whether any additional measures should be implemented.
The EDPB also provides more general observations regarding the use of biometric data and in particular facial recognition technology. It recalls that such processing “entails heightened risks to data subjects’ rights and freedoms” and states that even if the processing would be deemed effective for a business, such business should always assess the impact on the fundamental rights and freedoms of the relevant individuals and consider whether less intrusive means of processing may achieve the same purpose.