
Biometrics, Digital Identity and GDPR: Why the AEPD Decision Matters for Every European

June 1, 2026

The Spanish Data Protection Authority, the AEPD, has recently issued a decision that, if upheld on appeal and followed by other EU data protection authorities, would have profound consequences for the security of digital identity technology across Europe and for the EU Digital Identity Wallet that every member state is required to offer its citizens by the end of 2026.

The case is now before the Spanish courts so we will not address this specific situation. What we can and must consider is the broader principle at stake, because it affects every provider of digital identity technology operating under GDPR and, ultimately, every European citizen who uses or will use a digital identity application.

What the AEPD is requiring

The AEPD’s decision, as the AVPA interprets it, in effect requires that consumers must never be obliged to accept a biometric as the only mechanism to confirm that identity data stored in a digital app belongs to them. Its reasoning is that a retained biometric facial template – the digital map of a user’s face that an app creates at registration and uses to confirm identity at each subsequent transaction – constitutes special category data under Article 9 GDPR. Processing special category data therefore requires a valid legal basis under Article 9.2 and, if the provider relies on consent, an alternative non-biometric option that makes consent to biometric processing genuinely voluntary.

Why biometrics are used for this purpose

Identity providers use biometrics for this authentication function for one fundamental reason: they cannot be shared between users. Your face is your face. Without you being physically present, your digital identity cannot be activated by anyone else.

In the world of age verification this matters enormously. We are all familiar with younger people borrowing the driving licence or passport of someone older – ideally someone who vaguely resembles them – to gain access to age-restricted venues or services. A digital identity secured with a biometric simply cannot be used this way. Your younger sibling cannot activate it. For online age checks, using a digital app that confirms a user is over or under a required legal age through per-transaction facial matching ensures it is genuinely the verified person using that proof every time it is shared. A PIN or password provides no such guarantee: it can be shared, disclosed under social pressure, or covertly observed and stolen.

The circular problem the decision creates

The AEPD’s reasoning creates a dilemma that is very difficult to resolve in practice. Any digital identity app that provides meaningful personal ‘binding’ – the assurance that the person using the app is the person whose identity was verified – requires a biometric to function securely. The AEPD found that because a retained facial template is special category data under Article 9, valid consent to its processing must explicitly acknowledge that fact and must be ‘freely given’. But it also found, under Article 7.4, that consent cannot be freely given if it is a condition of using the service at all. Catch 22.

The result is that identity providers face a stark choice: offer a non-biometric alternative that makes biometric consent genuinely optional but in doing so remove the critical security property the biometric delivers, or stop offering digital identity apps altogether in any jurisdiction where this interpretation is applied.

Why non-biometric alternatives do not solve the problem

The obvious non-biometric alternative is a PIN or password. But as we have noted, these can be shared, disclosed or stolen. They bind an account to a secret, not to a person – to something you know, not something you are.

A more sophisticated alternative might appear to be passkeys – cryptographic keys stored on a device, based on the FIDO2 standard and increasingly available on smartphones. But passkeys no longer provide the non-transferability that might once have been claimed for them. Both Apple and Google now offer group passkey sharing functionality, allowing a passkey to be shared between users across devices. A passkey therefore cannot provide assurance equivalent to a biometric that the person authenticating is the verified account holder.

The honest conclusion is that there is currently no non-biometric authentication mechanism that replicates the non-transferable personal binding that a facial template provides. Every practical alternative binds to a device or a secret that can be shared. Requiring identity providers to offer such an alternative does not preserve security at lower privacy cost – it eliminates the security property that makes high-assurance digital identity meaningful.

The child protection paradox

We understand that children’s data deserves particular protection. But there is a direct tension between that concern and the practical effect of the corrective measures the decision imposes.

The biometric facial template is precisely the feature that prevents a verified adult from lending their digital identity credentials to a child to use for an age-restricted transaction. Remove that feature, or make it optional in favour of a PIN or shared passkey, and the result is an age verification mechanism that a minor can use simply by borrowing an adult’s phone or credentials. The AEPD’s remedy, taken to its logical conclusion, makes it easier for children, and for adults who wish to impersonate children in order to exploit them, to circumvent the age restrictions that digital identity technology exists to enforce.

The wider implications

While this decision currently applies only in Spain, its potential reach is significant. If upheld by the Spanish courts and followed by other national supervisory authorities, it could prompt the European Data Protection Board to issue guidance on this issue, which would be highly persuasive across all EU data protection authorities.

The timing of that risk could hardly be more problematic, for reasons that the EU’s own digital identity framework makes clear. The EU’s Architecture and Reference Framework for the EUDI Wallet explicitly contemplates both biometrics and PIN as alternative authentication mechanisms for transaction confirmation and wallet unlock. In that sense, the AEPD’s position is not in conflict with the EUDI framework, as the EU’s own architects have made the same design choice the AEPD is now requiring of private sector identity providers. But that is precisely the problem.

The EUDI Wallet framework has, in the name of accessibility and user choice, accepted that a PIN is a legitimate alternative to biometric authentication for confirming high-value transactions including, under the Strong Customer Authentication provisions being developed for financial services, transactions involving payments, property and pension access. The AEPD decision throws that choice into sharp relief.

A PIN can be observed in a crowded bar. Shoulder-surfing attacks, where an assailant watches the device owner enter their code and then steals the phone, are now a routine and well-documented form of theft leading to losses far exceeding the value of the device itself. A PIN shared willingly or obtained under duress gives whoever holds it full access to everything a wallet can do – confirming transactions, proving identity, accessing age-restricted services – with no way to distinguish the legitimate owner from anyone else.

A biometric cannot be shared in any of these ways. Your face is your face. The person in front of the camera is either the account holder or they are not. No amount of social engineering, observation or coercion can transfer that property to another person in the way that a PIN or passkey can be transferred. The EUDI framework’s acceptance of PIN as an alternative to biometrics is understandable as a policy choice because not everyone can or wants to use biometric authentication, and accessibility matters. But it is a choice with real security consequences that deserve honest acknowledgment. The AEPD’s decision, by treating the biometric facial template within a consumer identity app as special category data that cannot be made a condition of service, points toward a future in which the most secure authentication option is legally the most difficult to deploy. The least secure option is the path of least regulatory resistance.

That is not a future that serves European citizens well.

Critical next steps

The AVPA is calling on the European Data Protection Board to issue guidance on the application of Article 9 to biometric authentication in digital identity and age verification applications. Such guidance would provide welcome clarity for the sector and inform consistency of enforcement across member states, both of which are urgently needed.

The courts may yet resolve this question more sensibly. But the EDPB has an opportunity to provide clear guidance before the uncertainty causes lasting damage to the development of secure digital identity technology in Europe. The choice between privacy protection and personal security should not be a forced one, but resolving it requires honest engagement with the technical realities, not a regulatory framework that was not designed with this technology in mind and whose application is producing consequences that no legislator intended and that no regulator should be comfortable defending: favouring the shareable PIN over the immutable face.