Opinion 11/2024 of the European Data Protection Board on the use of facial recognition to streamline airport passengers’ flow
On 23 May 2024, the European Data Protection Board (the EDPB) issued an opinion regarding the use of facial recognition technology in airports to streamline passenger flow, assessing its compatibility with the principles stated under the General Data Protection Regulation (the GDPR) such as data minimization, purpose limitation, and storage limitation.
The review emphasizes several preliminary conditions that must be taken into consideration by airport operators and airline companies when implementing facial recognition in airports:
1. Necessity: If verifying passengers’ identities with an official document is not required for a certain procedure (for example, baggage claim), verification with biometric tools should not be performed either, as this would result in excessive processing of data. Moreover, the processing should be limited exclusively to the purpose for which the data was collected, and the data shall not be used for any other purpose unless the passenger has given his or her consent.
2. Consent: Individuals must freely and explicitly give their consent, without being forced to do so by methods such as longer delays, additional costs, or special advantages. Moreover, individuals should be able to withdraw their consent at any given moment, which means that a transparent procedure to that end should be implemented.
3. Avoidance of Inadvertent Scanning: Airports must ensure that individuals who do not explicitly consent to facial recognition are not inadvertently scanned. This can be achieved by avoiding mixed verification lines where non-consenting passengers might still have their faces scanned by passing cameras.
4. Security of Processing: The opinion outlines the need for robust security measures to protect the biometric data collected. This includes implementing technical and organizational measures to prevent unauthorized access and ensure data integrity and confidentiality.
In light of these considerations, the EDPB presented four scenarios on how biometric data processing could be implemented in airports to optimize passenger flow. The EDPB concludes that only the first two scenarios below are in principle compatible with the GDPR, subject to appropriate safeguards. The scenarios are:
1. Biometric templates stored on the user’s device, controlled by the user – this gives the passenger full control over their data since the data never leaves the user’s device (authentication at the boarding gates).
2. Centralized storage with encryption, with the key held by the user – the airport uses centralized storage where the passenger’s facial recognition templates are stored on a server, but the data is encrypted and the key is on the passenger’s phone.
3. Centralized storage with encryption, with the key held by the airport operator – the airport uses a centralized server where it stores all passengers’ facial recognition data, which can be accessed using a key that is operated by the airport management.
4. Centralized storage in the cloud under the control of the airline company or its cloud service provider, with encryption – this scenario is similar to the third one, except that the data is stored in the cloud.
Conclusion
Although it may initially seem challenging to comply with the GDPR when using facial recognition technology in airports, given the difficulty in controlling and supervising the procedure and the heightened risks associated with processing special categories of personal data, the EDPB outlines that it is possible to implement this method of identification to streamline airport queues, provided the necessary safeguards are enforced.