AVPA Warns that Spanish Regulator’s Biometrics Decision Could Tank EU Wallet Scheme

The Spanish Data Protection Authority (AEPD) has taken a hard line on facial biometric data, interpreting retained facial templates as special‑category information under GDPR Article 9. This interpretation demands explicit, freely given consent for any biometric processing, effectively barring providers from making biometric verification a condition of service. AVPA argues that such a requirement creates a Catch‑22: either strip away the non‑transferable security that facial templates provide or abandon digital identity services in jurisdictions that adopt this view.

The ripple effect reaches the EU Digital Identity Wallet (EUDI), which must be available to citizens in every member state by the end of 2026. The EUDI framework already envisions both biometrics and PINs as authentication options, but the Spanish ruling tilts the balance toward the less secure PIN alternative. For fintech firms, age‑verification platforms, and identity‑as‑a‑service providers, this could mean redesigning core authentication flows, incurring costly compliance upgrades, and facing a market where fraud‑prone PINs become the default for high‑value transactions.

Across Europe, the uncertainty may prompt the European Data Protection Board to issue harmonised guidance on biometric processing. Clear rules could preserve the security benefits of biometrics while satisfying privacy concerns, preventing a fragmented regulatory landscape that would hamper the rollout of the EUDI wallet. Until such guidance arrives, providers must weigh the risk of delayed market entry against the operational burden of offering parallel non‑biometric options, a dilemma that could reshape the continent’s digital identity ecosystem.