BotBeat
POLICY & REGULATION · Yoti · 2026-03-17

Spain's Data Protection Authority Fines Yoti €950,000 for GDPR Violations in Biometric Processing

Key Takeaways

  • Yoti faces a €950,000 fine for GDPR violations in biometric data processing, including unlawful processing, invalid consent, and excessive data retention
  • The AEPD rejected Yoti's distinction between authentication and identification, ruling that facial biometrics in account setup are 'special category data' requiring explicit lawful grounds
  • Major compliance issues include geolocation data retained for five years, indefinite storage of biometrics for account recovery, and default opt-in consent for research use

Source: Hacker News, https://www.biometricupdate.com/202603/spains-aepd-fines-yoti-1-1m-for-biometric-data-handling-violations

Summary

Spain's AEPD has imposed a €950,000 (approximately $1.1 million) fine on digital identity company Yoti for violations of the EU's General Data Protection Regulation (GDPR) related to how it handles biometric data in its digital identity app. The regulator found that Yoti breached three GDPR articles: Article 5.1(e) on excessive data retention, Article 7 on valid consent, and Article 9 on unlawful processing of special category data. Key violations include processing facial biometrics without proper lawful grounds, retaining geolocation data for five years (deemed excessive), storing biometric data indefinitely for account recovery, and obtaining user consent for research and development by default rather than explicit opt-in.

The ruling reflects broader tensions around how biometric data is classified and processed under GDPR. While Yoti claims it uses facial biometrics for authentication rather than unique identification, the AEPD determined this distinction is insufficient—biometrics used for account setup constitute "special category data" that require heightened protections. The regulator also identified issues with Yoti's consent flow, allowing users to bypass privacy policies without reading them, and insufficient protections for minors as young as 13. Yoti has announced it will appeal the decision to the Spanish High Court and claims it can reassure users about the security of their data.

  • Yoti must demonstrate compliance within six months and has announced plans to appeal to the Spanish High Court

Editorial Opinion

This enforcement action highlights the persistent gap between how biometric authentication is deployed in practice and how European regulators interpret GDPR's strict protections for special category data. While Yoti's distinction between authentication and identification may seem technically reasonable, the AEPD's position—that any biometric match for user identification purposes falls under heightened protections—sets an important precedent that could reshape compliance expectations across the digital identity sector. The ruling also exposes common UX dark patterns (default consent, clickthrough privacy policies) that must be addressed across the industry.

Computer Vision · Regulation & Policy · Privacy & Data

© 2026 BotBeat