The European Data Protection Board issued an opinion on facial recognition technologies at airports, highlighting that individuals have control over their biometric data. The opinion analyzes the use of biometric verification systems for the specific purpose of streamlining the passenger flow at airport security checkpoints, baggage drop-off, boarding, and access to passenger lounges.

The opinion considers four types of biometric solutions. The first is the storage of the biometric information in an object or device that the passenger owns and is within their sole control. The second type of solution involves the storage of the biometric data in a centralized server at the airport, while the access key is solely in the hands of the data subject. These two types of measures may satisfy the GDPR’s necessity principle if the controller can demonstrate that there are no less intrusive alternative solutions that could achieve the same objective as effectively.

The third scenario involves storage of the biometric data in a centralized server at the airport, access to which is in the hands of airport staff. The fourth scenario The fourth scenario involves the cloud-based storage of the biometric data in an encrypted form, under the control of the airline company or its cloud service provider. In these two scenarios, given the risks of unauthorized or unlawful identification of passengers, and the loss of control of the data for the data subject, the opinion finds this scenario not compatible with the GDPR’s data protection by design principle, particularly because less invasive measures are available.

Click here to read the EDPB’s opinion on the use of facial recognition to streamline airport passengers’ flow.