The European Data Protection Board (EDPB) noted that the use of facial recognition at airports may meet the requirements of the GDPR, but that airports should use other methods that are less privacy-sensitive.
Biometric data
Biometric data constitute sensitive personal data within the meaning of Article 9 of the GDPR. The processing of these types of personal data may entail, among other things, major risks for data subjects. Therefore, such data should not be processed, unless absolutely necessary. The more sensitive the personal data, the higher the level of security required. Companies that process personal data must take sufficient organizational and technical security measures to, among other things, protect them.
Companies should analyse whether the use of facial recognition, which is the processing of biometric data, is really necessary. In Sweden, the High School Board in Skellefteå had to pay a fine, because they used facial recognition to register attendance from their students in violation of GDPR.
Use of facial recognition at airports in accordance with GDPR
The French data protection authority requested an opinion from the European Data Protection Board (EDPB) on the use of facial recognition at airports. The main points of the opinion are summarised below:
· Storage location: Sensitive personal data requires safer storage than ordinary personal data. The EDPB noted that airports may have a central database with an encryption key, but to which only the data subject has access. Alternatively, it is the data subject who should store the personal data themselves.
· Storage duration: When companies, organisations or public bodies process personal data, they shall determine a retention period. As biometric data constitute sensitive personal data, airports need to have sufficient grounds to process the personal data during the planned retention period.
· No uniform requirement in the EU to identify passengers at airports
In the EU, there is no uniform requirement to identify passengers at airports. Therefore, an airport that does not identify a passenger through an identity document (such as a Passport or EU ID) should not use facial recognition.
Role of data protection authorities in supervising artificial intelligence
Each Member State must designate a market surveillance authority in accordance with the AI Act by 2 August 2025. According to the recommendation of the European Data Protection Board, it should be the data protection authority of the country as AI systems and personal data processing go hand in hand. The authority that each country must designate should be a point of contact between citizens and stakeholders and, among other things, have the power to monitor and supervise companies that operate AI systems.