Judgment Approved by the court for handing down
R (Bridges) v CCSWP and SSHD
personal data”. Processing of such data is prohibited unless any of ten
prescribed conditions is met. One of the special categories is “biometric data
[processed] for the purpose of uniquely identifying a natural person”. Article
10 of the Law Enforcement Directive contains a similar form of words. From
submissions made to us by the Information Commissioner, it appears that the
phrase “for the purposes of uniquely identifying a natural person” was inserted
during the drafting process to limit the circumstances in which processing
biometric data would fall into the special category provisions of Article 9 of
the GDPR and Article 10 of the Law Enforcement Directive. It is a form of
words drawn from the Council of Europe Convention for the Protection of
Individuals with regard to the Automatic Processing of Personal Data, as
amended by a Protocol opened for signature in 2018. The Explanatory Report
accompanying the Protocol included the following:
“18.
The notion of “identifiable” refers not only to the
individual’s civil or legal identity as such, but also to what may
allow to “individualise” or single out (and thus allow to treat
differently) one person from others. This “individualisation”
could be done, for instance, by referring to him or her
specifically, or to a device or a combination of devices
(computer, mobile phone, camera, gaming devices, etc.) on the
basis of an identification number, a pseudonym, biometric or
genetic data, location data, an IP address, or other identifier.
The use of a pseudonym or of any digital identifier/digital
identity does not lead to anonymisation of the data as the data
subject can still be identifiable or individualised.
Pseudonymous data is thus to be considered as personal data
and is covered by the provisions of the Convention. The
quality of the pseudonymisation techniques applied should be
duly taken into account when assessing the appropriateness of
safeguards implemented to mitigate the risks to data subjects
…
58.
Processing of biometric data, that is data resulting
from a specific technical processing of data concerning the
physical, biological or physiological characteristics of an
individual which allows the unique identification or
authentication of the individual, is also considered sensitive
when it is precisely used to uniquely identify the data subject.
59.
The context of the processing of images is relevant to
the determination of the sensitive nature of the data. The
processing of images will not generally involve processing of
sensitive data as the images will only be covered by the
definition of biometric data when being processed through a
specific technical means which permits the unique
identification or authentication of an individual. Furthermore,
where processing of images is intended to reveal racial, ethnic
or health information (see the following point), such
processing will be considered as processing of sensitive data.