The Spanish data protection authority (AEPD) has imposed a EUR 10 million fine on AENA for deploying a facial recognition system without an adequate DPIA. What does this mean for companies subject to US laws?

The decision found that the data protection impact assessment (DPIA) lacked key required components, such as an assessment of the risks to the individuals concerned and consideration of less invasive alternatives, including regular ID checks.

The AEPD noted that the biometric system posed a high risk because it processed sensitive data (biometric identifiers) using new technologies. It also stored more personal data than the previous manual identity verification system, including biometric facial patterns and other information taken from passengers' identification documents and boarding passes, which substantially increased the risk to those passengers.

The DPA also imposed a temporary suspension of all biometric data processing, including the facial recognition system, until the controller completes a compliant DPIA under Article 35 GDPR.

The same lessons apply in the US, where: 

  • Most comprehensive state privacy laws require a data protection assessment (the US equivalent of a DPIA) for the processing of sensitive data. 
  • Colorado and California have detailed regulations on what such an assessment must contain, and California now requires companies to certify, under penalty of perjury, that their assessments are accurate and compliant.
  • The FTC took enforcement action against Rite Aid for using facial recognition without a sufficient risk assessment (including weighing alternatives), treating it as an unfair or deceptive practice (UDAP) under Section 5 of the FTC Act.
  • All US states have analogous UDAP laws that could be applied in the same way.   
  • State biometric privacy laws such as Illinois BIPA and Texas CUBI (and the biometric provisions in Washington State and Colorado) impose requirements such as written authorization or consent, a publicly available retention and destruction policy, and limited retention periods for biometric information. 

Decision and summary from GDPRhub: https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202304532&mtc=today