Earlier this year I was lucky enough to pass a computer related exam. What you probably
don´t know, is that passing the exam involved a crime. A crime of which I was the victim.
A requirement for entering the exam room was to submit a fingerprint scan or submit to biometric authentication. Depending on the implementation, this can provide very accurate access controls, but history has shown countless examples of how easily this can lead privacy breach. The normal post-breach advice to change your password does not apply to biology – you cannot change who you are just because your data fell into the wrong hands. And a «sorry» won´t do much good to repair the harm.
This is why the GDPR goes an extra mile to protect biometric data. Article 9 prohibits processing of biometric data unless selected conditions are met, one of which is consent.
Article 7 discusses when a consent is considered valid. Specifically, it reads:
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
In my example, this means that the consent is not freely given if giving up your biometric data is required to enter the exam room.
This means that the practice of requiring submission of biometric data to receive a service is in violation of GDPR Article 7, and thus illegal in the entire EU/EEC region. However, if biometric authentication was optional and merely one of several ways to authenticate oneself, then it would probably pass as legal.
I challenged the exam agent and the certification body, which happened to be based in the US, to delete my biometric data.
A long exchange of emails ensued over the course of several months. Naturally, the basis for and the scope of the request to delete biometric data was not obvious to my American counterparts. In late June of 2021 I finally got the confirmation that biometric data collected from me scan was deleted. Regretfully, the practice of illegally collecting biometric data of EU/EEC citizens continues, and only continued pressure from citizens can alter this bad, and illegal, practice.
And this is how I learned to love the GDPR.