In 2024, the landscape of data protection in the EU and UK has been significantly shaped by the increasing use of employee surveillance and biometric technologies in the workplace. This trend has prompted regulatory bodies to scrutinise and enforce compliance with data protection laws, particularly focusing on the use of biometric data, which is considered a special category of personal data under the General Data Protection Regulation (GDPR). This document provides an in-depth analysis of the current regulatory trends, enforcement actions, and guidance issued by data protection authorities (DPAs) in the EU and UK, with a particular focus on employee surveillance and biometric technologies.
Regulatory focus on biometric technologies
Biometric data as special category data
Biometric data, which includes facial recognition and fingerprint scanning, is classified as special category data under Article 9 of the GDPR. This classification necessitates a higher level of protection due to the sensitive nature of biometric data, which can uniquely identify individuals. The use of such data in the workplace has been a focal point for DPAs, as it involves processing that can significantly impact employees' privacy rights. In 2024, the Information Commissioner's Office (ICO) in the UK and other European DPAs have emphasised the need for organisations to conduct comprehensive data protection impact assessments (DPIAs) and to demonstrate the necessity and proportionality of using biometric systems.
Enforcement actions and case studies
Several enforcement actions in 2024 highlight the regulatory stance on biometric data use. Notably, the ICO issued an enforcement notice against Serco Leisure for unlawfully processing employees' biometric data through facial recognition and fingerprint scanning. The ICO found that Serco had failed to establish a lawful basis for processing under the UK GDPR and had not provided employees with a clear opt-out mechanism. This case underscores the importance of adhering to data protection principles, such as transparency and fairness, and the need for organisations to explore less intrusive alternatives for monitoring employee attendance.
In the EU, similar enforcement actions have been observed. The Spanish DPA fined a controller €360,000 for processing employees' fingerprint data without adequate disclosure and security measures. The Italian DPA also imposed a fine of €120,000 on a company using facial recognition for employee attendance monitoring, citing the lack of national law authorising such processing under Article 9(2)(b) GDPR. These cases illustrate the high compliance bar set by GDPR for the use of biometric technologies in the workplace.
Guidance and best practices
ICO's guidance on biometric data
In response to the growing use of biometric technologies, the ICO has issued updated guidance to help organisations navigate the complexities of data protection compliance. The guidance emphasises the need for explicit consent when processing biometric data, given its sensitive nature. It also highlights the importance of offering employees alternatives to biometric systems, such as key fobs or ID cards, to mitigate the imbalance of power between employers and employees.
Conducting data protection impact assessments (DPIAs)
A key requirement for organisations using biometric technologies is the completion of a DPIA. This assessment helps identify and mitigate risks associated with processing biometric data. The ICO mandates that DPIAs be conducted before any high-risk processing activities, such as the use of biometric recognition systems, are initiated. The DPIA process should include consultation with employees to ensure transparency and address any concerns they may have about the monitoring practices.