The Supreme Administrative Court of Lithuania has ruled on the use of biometric data

In order to increase the accessibility of its services and to expand the possibilities of accessing its electronic services, the Administration was planning to introduce a personal identification service (to identify or confirm the identity of a natural person using biometric data obtained from the processing of a facial image of a person). However, the Inspectorate decided in the Prior Consultation to prohibit the Administration from using biometric data of data subjects for the purpose of identification. 

The Court of First Instance agreed with the Inspectorate's conclusions and dismissed the Administration's complaint, while the Court of Appeal upheld the decision of the Court of First Instance. 

The Supreme Administrative Court of Lithuania reasoned its decision on the following main grounds.

Such processing of personal data would not ensure the implementation of the principles of data minimisation and data lawfulness.

The Court of Appeal first of all pointed out that the Inspectorate had stated in the Preliminary Consultation that the processing of personal data to be carried out by the Administration could not be considered necessary and proportionate and in compliance with the principle of data minimisation enshrined in Article 5(1)(c) of the GDPR (the processing of personal data must be adequate, relevant and only necessary to achieve the purposes for which it is processed); it is also not in line with the principle of lawfulness of personal data as set out in Article 5(1)(a) of the GDPR (personal data must be processed in a lawful, fair and transparent manner with regard to the data subject (the principle of lawfulness, fairness and transparency)).

The Supreme Administrative Court of Lithuania noted that the Administration itself acknowledged that it seeks to complement the existing possibilities of using its services (the application to be implemented would help those who are not able to come to the Administration and who do not use the e-banking service) in order to make them more easily accessible. 

On that basis, the Court concluded that the processing of personal data to be carried out by the planned application (which would require the use of personal biometric data, often already containing more information than is necessary for identification or authentication) does not, in principle, meet the criterion of necessity of the processing of the data, and in this case cannot be considered as reasonably necessary to achieve the purposes envisaged by the Administration, which, in the circumstances of this case, are already fulfilled by other means (as indicated by the Administration itself, a person can verify his/her identity by other means, such as visiting Vilnius City Municipality, identifying himself through a bank, sending a copy certified by a notary public etc.). 

The Court disagreed that the mere convenience indicated by the applicant, in the presence of other (less restrictive of the privacy of the personal data subjects) ways of accessing the services provided by the Administration, could be considered to be in line with the principle of data minimization. In addition, the Court disagreed that the benefits allegedly to be gained by the subjects of the personal data as a result of the implementation of such a measure are, in this case, proportionate to the restrictions on their privacy (in particular, taking into account the nature of the data they wish to process).

The data subject's consent is not considered to be freely given where there is an imbalance between the parties providing and receiving the data.

In order to be lawful, the processing must also satisfy one of the grounds for lawfulness of processing listed in Article 6 of the GDPR. The Inspectorate has recognized in the Prior Consultation that the consent of the data subject is an inappropriate legal basis for the processing of personal data, inter alia because: 

The Supreme Administrative Court of Lithuania upheld the conclusions of both the Inspectorate and the first instance that neither national nor European Union legislation establishes the Administration's right to process biometric personal data for the purpose of establishing or confirming the identity of a natural person, when carrying out the functions of a public authority entrusted to it.

In assessing the situation, the Court also noted that the data subject's consent is any freely given, specific and unambiguous indication of his or her will, given by a duly informed data subject, by means of a statement or an unequivocal act, by which he or she consents to the processing of personal data concerning him or her (Article 4(11) of the GDPR) and the conditions for consent are governed by Article 7 of the GDPR, one of which is that, where the processing is based on consent, the controller must be able to prove that the data subject has given his or her consent to the processing of his or her personal data (Article 7(1) of the GDPR). According to points 42 to 43 of the GDPR preamble, consent should not be considered to be freely given if the data subject does not in fact have a free choice or is unable to refuse or withdraw consent without suffering damage.

In order to ensure that consent is freely given, consent should not be considered as a reasonable legal basis for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority, and it is therefore unlikely that the consent was freely given in the light of the totality of the circumstances of that specific case.

Consent is presumed not to have been freely given where separate consent is not allowed for individual processing operations, even if this is appropriate in individual cases, or where the performance of a contract, including the provision of a service, is conditional upon consent, notwithstanding the fact that such consent is not necessary for such performance.

Finally, the Court, having assessed the evidence in the case and the arguments put forward by the parties, agreed with the conclusion reached by the Inspectorate in the Preliminary Consultation that it may be difficult to prove in this case that the data subject's consent was freely given, whereas there is a certain imbalance between the staff of the Administration, representing the controller - a public authority - and the personal data subjects (in particular, if they are, as indicated by the Administration, generally vulnerable persons - the sick, the disabled - who are the target of the programme to be implemented), which, in the specific case, may distort the behaviour and the will of the personal data subjects. 

The latter are necessary for the classification of the data subject's consent as given freely. The Court emphasized that the consent given in such circumstances, where the access of the individual (and in particular of a vulnerable person) to the services provided by the administration depends on it, implies that it was not freely given within the meaning of the GDPR.