The deployment of biometric technologies—particularly facial recognition—has accelerated across public and private sectors worldwide. Airports have been among the most prominent adopters of these systems, driven by promises of improved security, streamlined passenger processing, and operational efficiencies. However, the rapid integration of such technologies has raised significant legal, ethical, and technical concerns surrounding privacy, data protection, algorithmic fairness, and transparency.
One notable recent development is the decision by the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali, abbreviated GPDP) to suspend the operation of FaceBoarding’s facial recognition service at the automated border control gates of Milan Linate Airport. This essay examines the background, the technology involved, the GPDP’s rationale and legal basis, the implications for stakeholders (including passengers, airport operators, airlines, and technology providers), and the broader context of biometric governance in Europe.
Background: FaceBoarding and Automated Border Control
FaceBoarding is a provider of biometric identity-verification solutions that uses facial recognition to authenticate travelers at automated border control (ABC) gates. The technology matches a live image or video of a passenger’s face captured at the gate against a stored reference image—typically from a passport or a governmental identity database—to verify identity and allow passage without human border officer intervention. Proponents argue that such systems can speed up processing, reduce queues, and maintain or enhance security by cross-checking identities against watchlists or risk indicators.
Milan Linate Airport, one of Italy’s principal domestic and regional airports, implemented FaceBoarding’s solution to streamline passenger throughput at automated border gates. The system was intended to allow authorized travelers to be verified biometrically as they moved through passport control, ostensibly improving the passenger experience and operational performance.
The GPDP’s Decision: Suspension and Its Basis
The Italian Data Protection Authority issued an order to suspend the FaceBoarding facial recognition service at Milan Linate Airport. The GPDP’s decision reflects concerns about compliance with Italy’s data protection framework and the EU General Data Protection Regulation (GDPR). While the specific case details and official reasoning are multi-faceted, the GPDP’s intervention typically rests on several central legal and factual points that are commonly invoked when authorities scrutinize biometric systems:
Lawfulness of processing: Under the GDPR, biometric data processed to uniquely identify a person falls within the “special categories of personal data” (sensitive data). Processing such data requires a robust legal basis and, often, explicit legal authorization. The GPDP must be satisfied that the airport and FaceBoarding had a lawful basis to collect and process biometric data for identity verification.
Proportionality and necessity: Data processing must be necessary and proportionate to the stated objective. The Authority likely examined whether less intrusive means could achieve the same aims (e.g., manual checks, non-biometric identity verification) and whether the biometric approach was proportionate given the privacy risks.
Transparency and informed consent: Individuals must be appropriately informed about biometric data processing and their rights. The GPDP often scrutinizes whether passengers received clear, intelligible information and whether any consent obtained was freely given and specific—particularly significant if refusal would effectively prevent a passenger from traveling or impose undue inconvenience.
Data minimization and storage limitation: The GDPR requires that collected data be adequate, relevant, and limited to what is necessary, and stored only as long as necessary. The GPDP likely reviewed the types and quantity of images captured, how long data were retained, whether templates or raw images were stored, and whether retention policies were justified and implemented.
Security and data protection measures: The Authority examines whether appropriate technical and organizational measures were in place to protect biometric data from unauthorized access, breaches, or misuse. This includes encryption, access controls, secure transmission, and contractual safeguards between involved parties.
Data subject rights and redress: Effective mechanisms must exist for passengers to exercise their rights (access, rectification, erasure, objection) and to obtain meaningful redress. The GPDP may have found that the procedures for enabling such rights were insufficient or unclear.
Risk assessment and DPIA: The GDPR requires a Data Protection Impact Assessment (DPIA) for high-risk processing, such as large-scale biometric identification. The GPDP would assess whether a DPIA was properly conducted, whether risks were identified and mitigated, and whether supervisory authority consultation occurred when residual risks remained high.
Although the GPDP suspended the service rather than ordering a permanent ban, suspension indicates serious concerns and a need for corrective measures before processing can resume lawfully.
Legal and Regulatory Context
Understanding the GPDP’s action requires situating it within the broader Italian and European legal framework.
GDPR: The European Union’s GDPR provides the primary legal regime for personal data protection across member states. Biometric data used for uniquely identifying a person is treated as special category data under Article 9 and is subject to stricter conditions. Processing of such data is generally prohibited unless specific safeguards and legal bases are present (e.g., explicit consent, substantial public interest under Union or Member State law, or specific provisions for identification and security).
Italian Data Protection Code: Italy’s national legislation supplements GDPR requirements and contains provisions relevant to public security, border control, and the processing of identity and biometric data. Where national laws create legal bases for biometric processing in certain public interest contexts (e.g., border control under migration and security laws), the compatibility of such national rules with GDPR’s principles remains critical.
EEA jurisprudence and guidelines: The European Data Protection Board (EDPB) and national courts issue guidance and rulings affecting biometric systems. Recent years have seen heightened scrutiny: some European supervisory authorities have launched investigations into airport facial recognition systems; others have required rigorous DPIAs or imposed limitations. Court decisions in the EU have also reinforced strict standards for processing biometric data and emphasized necessity, proportionality, and strong safeguards.
Biometric Surveillance Landscape: The EU has proposed a regulatory framework for Artificial Intelligence (AI Act) that differentiates between high-risk and prohibited AI applications, with facial recognition for remote biometric identification in public spaces receiving special attention. Though the AI Act is at a different legislative stage, it signals a broader shift toward stricter governance of biometric technologies.
Practical Concerns and Technical Considerations
Beyond legal bases, the suspension likely reflects practical and technical shortcomings or uncertainties. Key concerns raised in similar cases include:
Accuracy and bias: Facial recognition algorithms can exhibit variable accuracy across demographic groups, with documented higher false match or false non-match rates for women, older adults, and certain ethnicities. This can lead to wrongful denials, additional scrutiny, or unequal treatment.
Function creep and secondary uses: Without strict controls, biometric data collected for border control could be repurposed for other uses (e.g., law enforcement, marketing), raising significant privacy risks. Supervisory authorities require limiting purposes and contractual/technical controls to prevent misuse.
Data retention and storage architecture: Whether images are processed locally and immediately discarded, stored as templates, or transmitted to centralized databases affects risk profiles. The GPDP would scrutinize retention periods, whether raw images are stored, and who has access.
Third-party processing and sub-processors: FaceBoarding, airport operators, airlines, and governmental agencies might all play roles. Processing agreements, data controller/processor roles, liability allocation, and cross-border data transfers must comply with GDPR rules.
Consent vs. legitimate interest: In airports, obtaining freely given consent can be problematic because travelers may feel compelled to comply. Many operators rely on other legal bases—such as performance of a contract or public interest—but such bases must be carefully justified, especially for biometric data.
Operational transparency and signage: Visible notices, clear opt-out options, and accessible information help meet transparency obligations. The GPDP likely evaluated whether passengers were adequately informed at points of entry, booking, and gate areas.
Implications for Stakeholders
The GPDP’s suspension affects multiple stakeholders and has broader implications for biometric use in transportation and public spaces.
For passengers: The immediate effect is that biometric processing at the suspended gates cannot be used, protecting travelers’ biometric privacy until compliance is demonstrated. It may also mean a return to manual passport checks with potential impacts on wait times.
For airport operators and airlines: The suspension highlights operational and compliance risks inherent in deploying biometric systems. Operators may need to invest in stronger data protection practices, re-evaluate procurement and contractual terms, and consider alternative solutions while ensuring traveler experience and security are maintained.
For technology providers (e.g., FaceBoarding): Providers must demonstrate compliance through improved technical safeguards, transparent data flows, clearer documentation of lawful bases, and robust DPIAs. The incident may prompt redesigns, additional certifications, or changes to data handling architectures.
For regulators and policymakers: The decision underscores the need for clear, harmonized rules and guidance on biometric technologies. Regulators may increase scrutiny of similar deployments elsewhere and push for stronger industry standards.
For public trust: High-profile suspensions raise public awareness about privacy risks and can erode trust in biometric systems. Transparent remedial steps and accountable governance are necessary to restore confidence.
Possible Remedial Actions and Path to Compliance
To address the GPDP’s concerns and enable lawful resumption of operations, stakeholders could take several concrete steps:
Conduct or update a comprehensive DPIA that fully documents risks, identifies mitigations, and demonstrates that any residual risks are proportionate and justified. Where high residual risk remains, consult the supervisory authority as required by GDPR.
Clarify and document the lawful basis for processing biometric data. If relying on consent, ensure it is explicit, freely given, and granular; if relying on public interest or other bases, ensure adequate legal authorization and justification exists under national law.
Implement strict data minimization: process only what is necessary (e.g., ephemeral templates instead of raw images), limit retention to the minimum necessary, and delete data promptly after verification.
Enhance technical security measures: robust encryption, pseudonymization, access controls, audit logging, and secure transmission/storage architecture.
Strengthen governance and contracts: clear data processing agreements, limits on sub-processing, and roles and responsibilities defined among operators, technology providers, and public authorities.
Provide clear passenger information and opt-out mechanisms: visible signage, pre-travel communication, and easy alternatives to biometric processing without penalty.
Conduct independent testing and bias audits to demonstrate algorithmic fairness and accuracy across diverse populations, and publish results or summaries to enhance transparency.
Establish redress mechanisms and clear processes for passengers to exercise data subject rights.
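As an added illustration of the bias audit called for above (and of the demographic accuracy gaps described under Practical Concerns), the following Python computes per-group false match and false non-match rates at a verification threshold and reports the largest between-group gap. This is example code written for this page, not FaceBoarding's or the GPDP's; the groups, scores, and threshold are constructed sample values rather than real test data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Trial:
    group: str       # demographic label of the test subject (constructed)
    score: float     # matcher similarity score, higher means more similar
    genuine: bool    # True for a mated pair (same person), False for non-mated


def fairness_audit(trials, threshold):
    """Return {group: {"FMR": ..., "FNMR": ...}} at the given decision threshold.

    FNMR counts genuine (mated) trials rejected below the threshold; FMR counts
    non-mated trials accepted at or above it. A rate is None when a group has
    no trials of that kind, so it is not silently reported as zero.
    """
    mated = defaultdict(lambda: [0, 0])     # group -> [mated trials, false non-matches]
    nonmated = defaultdict(lambda: [0, 0])  # group -> [non-mated trials, false matches]
    for t in trials:
        if t.genuine:
            mated[t.group][0] += 1
            if t.score < threshold:
                mated[t.group][1] += 1
        else:
            nonmated[t.group][0] += 1
            if t.score >= threshold:
                nonmated[t.group][1] += 1
    report = {}
    for g in set(mated) | set(nonmated):
        m_n, m_err = mated[g]
        n_n, n_err = nonmated[g]
        report[g] = {
            "FNMR": m_err / m_n if m_n else None,
            "FMR": n_err / n_n if n_n else None,
        }
    return report


def max_disparity(report, metric):
    """Largest gap in the given metric ("FMR" or "FNMR") between any two groups."""
    rates = [r[metric] for r in report.values() if r[metric] is not None]
    return max(rates) - min(rates) if rates else 0.0


# Constructed sample: two groups, four mated and four non-mated trials each.
SAMPLE_TRIALS = [
    *(Trial("A", s, True) for s in (0.90, 0.85, 0.80, 0.70)),
    *(Trial("A", s, False) for s in (0.20, 0.30, 0.40, 0.50)),
    *(Trial("B", s, True) for s in (0.90, 0.60, 0.70, 0.65)),
    *(Trial("B", s, False) for s in (0.20, 0.80, 0.40, 0.50)),
]

if __name__ == "__main__":
    rep = fairness_audit(SAMPLE_TRIALS, threshold=0.75)
    print(rep, "FNMR gap:", max_disparity(rep, "FNMR"))
```

Published audit summaries of this kind, run on a representative test population rather than constructed values, are what the transparency step above asks for.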
Broader Significance and Lessons Learned
The GPDP’s suspension at Milan Linate is emblematic of a broader recalibration across Europe regarding biometric technologies—particularly in sensitive applications like border control. Several lessons can be drawn:
Regulatory authorities will enforce GDPR protections for biometric data and are prepared to intervene where legal requirements are not met.
Deployments in public, high-traffic contexts require anticipatory governance: robust DPIAs, stakeholder engagement, clear legal bases, and stringent technical safeguards.
Technology vendors and adopters must prioritize privacy by design and by default, emphasizing minimization, transparency, and accountability from the outset.
Public acceptance hinges on trust; transparency, demonstrable fairness, and effective safeguards are essential to secure social license for biometric systems.
Harmonized standards and clearer legal frameworks at the EU level—or explicit national legislation where permitted—could reduce uncertainty and improve compliance while ensuring fundamental rights are protected.
Conclusion
The suspension of FaceBoarding’s facial recognition service at Milan Linate Airport by the Italian Data Protection Authority underscores the tension between technological innovation and fundamental rights protections. While biometrics offers clear benefits for efficiency and security in border operations, it also raises acute privacy, fairness, and governance challenges. The GPDP’s action reflects the stringent requirements of the GDPR for processing special categories of data and highlights the necessity for rigorous legal justification, technical safeguards, transparency, and accountability.
Moving forward, successful and lawful deployment of facial recognition at airports will require collaborative efforts among technology providers, airport authorities, airlines, regulators, and civil society to ensure systems are necessary, proportionate, non-discriminatory, and respectful of travelers’ rights. The Milan Linate case serves as a cautionary example and an opportunity: to refine practices, reinforce protections, and develop governance frameworks that enable useful innovation while safeguarding individual liberties.