In the first place this refers to businesses where photography and videography is used for security checks in online services. In addition to this, this judgment may be relevant for services that use voice interfaces in their operations (for example, voice-activated transactions and orders, automated support services, etc.) and for those that use photography and videography for other business processes (such as access control, CCTV in workplaces, CCTV in customer areas and sales areas, recording interviews with job applicants and customers, age verification using photos and videos, etc.).
A historical overview of the classification of photographs and video images as biometric personal data
Since the adoption of the Federal Law on Personal Data (“Personal Data Law”) businesses have often had questions regarding the classification of photographs and videos as biometric personal data. In 2013, Roskomnadzor issued a letter concerning the classification of photographs and video images as biometric personal data“Roskomnadzor’s Clarifications on issues relating to the classification of photo and video images, dactyloscopic data and other information as biometric personal data, and the specific features of their processing,” dated 2 September 2013.. Even though those clarifications were revoked in 2021Letter of Roskomnadzor No. 09-78548 dated 19 November 2021 “On the obsolescence of Roskomnadzor’s clarifications.”, they emphasised a very important feature for treating certain personal data as biometric data: the data controller must have a purpose for verifying the data subject’s identity.More specifically, these clarifications emphasised that when data is processed which describes physiological and biological characteristics, but is not used for the purpose of identifying an individual (for example, scanning a passport for the purpose of concluding a contract, a photograph in an employee’s personal file, CCTV surveillance in the workplace, etc.), such data does not constitute biometric data.
In 2020, Roskomnadzor issued another letter which also indicated that one of the mandatory features for classifying photographs and videos as biometric personal data is their use for verifying a person’s identityLetter of Roskomnadzor No. 08АП-6782 dated 10 February 2020 “On the circulation of information on meeting minutes.”.
However, the question of what constitutes identity verification has been either not analysed or ignored. In one letter, having recognised a photograph on a pass as biometric personal data (for the purpose of organising access to premises within an access control system), Roskomnadzor failed to analyse what constitutes identity verification and has simply recognised such data as biometric dataLetter of Roskomnadzor No. 08АП-6782 dated 10 February 2020 “On the circulation of information on meeting minutes.”. Similar conclusions can be found in court decisionsResolution of the Arbitrazh Court of the North-Western District of 21 November 2017 in case No. A42-342/2017, upheld by the Ruling of the Supreme Court of the Russian Federation of 5 March 2018 in case No. A42-342/2017..
However, for example, in a reply to a private person (regarding a pass to the Erarta museum), Roskomnadzor noted that the photograph does not contain information that is biometric by nature since it does not reflect the individual characteristics of the data subject, such as a facial thermal image, iris pattern or fingerprints, which can be used to identify a personRoskomnadzor’s response No. 9627-12/78 dated 9 March 2022..
Using video footage for security checks
On 11 March 2026, the Ryazan Region Court issued a judgment on the circumstances in which video footage may be classified as biometric personal dataAppellate ruling of the Ryazan Region Court No. 33-342/2026 (2-2087/2025) in case No. 33-342/2026. (“Judgment”).According to the facts of the case, the claimant was registered on a classified website. His access was blocked due to suspicious activity while using the service. To regain access to the account, the claimant was asked to verify that the account was being used by a real person. For this purpose, the claimant had to send the service provider a video of himself turning his head. The claimant refused to do so stating, in particular, that this constituted the processing of his biometric personal data.
However, the court declared that the mere suggestion to undergo a video verification process to confirm that the account is managed by a real person does not constitute the processing of the claimant’s biometric personal data, as in this case such data was not used directly to check his identity. On the contrary, the purpose of this check was specifically to ensure the security of the website’s users.
In addition, the court noted that there was no evidence to suggest that the image in question would contain information that would enable the claimant to be identified. On the contrary, by overturning the lower court’s decision, it was noted that the court had previously disregarded the arguments and evidence that the service does not use and lacks the technical capability to use video footage to identify users.
Significance of the case for business
According to the court’s reasoning, the conclusion that the use of photographs and videos for the purpose of security checks (without the aim of identifying a person) does not constitute the processing of biometric personal data can also be applied to other similar situations as a further argument as to why photos, videos or voice recordings do not constitute biometric personal data in a certain context.Stream video
For example, this conclusion also supports the argument that stream videos recorded for the purpose of monitoring service quality, checking compliance with working conditions, etc., do not constitute biometric personal data. As a rule, such videos are not intended to identify individuals, but are used for other purposes (for example, to assess the organisation’s general compliance with working conditions, to count the number of visitors per day, etc.).
Voice interfaces
Similarly, the use of voice interfaces should not be considered as biometric personal data, as their use does not typically involve the identification of an individual (they are usually processed for the purpose of providing a service, taking an order, offering support, etc.). Voice recordings are also frequently used to analyse the quality of customer service. In this case, voice bots or various AI-based systems for voice recognition may be used; however, this does not constitute the processing of biometric personal data, as identification does not take place in such scenarios and the data controller does not pursue such an objective.
Product research and interviews
This issue is also relevant for video recordings of product interviews (sometimes referred to as “customer development” or “user research”) with customers or potential customers, as well as for recordings of job interviews with job applicants. In the first case, just the video or voice or also the user’s actions (screen movements, the sequence of opening pages and the sequence of actions when using the product, etc.) are recorded. Since user identification is not required in these cases (only the information itself is needed for further analysis), no processing of biometric personal data takes place in this instance either.
Age verification
Businesses often need to restrict access to a service to specific user groups (for example, adults only). In this case, various methods can be used: from a simple declaration by the user of their age (for example, by entering their date of birth) to biometric verification using IDs. There are also alternate methods, such as determining an estimated age range (for example, over 18 or between 13 and 16) based on the image analysis. The Judgment may also reinforce the position that, in the given case, the purpose is not to identify an individual, and therefore there is no question of the processing of biometric personal data.
Practical recommendations
From a practical perspective, it is advisable to clearly state in internal documents the purpose of data processing (as distinct from the identification of individuals), to specify that no biometric identification methods or information capable of identifying a specific individual are used, and to clarify with product teams whether identification is carried out, and what technical means are used to process the relevant data. Such data collection processes must be documented, and notifications to data subjects must be clear (visible signs for outdoor CCTV, warnings that video and audio calls are being recorded, internal policies, etc.).With regard to age verification and security checks, a number of practical risk mitigation tools have been developed in international practice, which can be adapted to the requirements of Russian regulations. These, for example, include the immediate deletion of data once a check has been completed, which can eliminate the need for data storage and thereby reduce the volume of data processed. Further, as an example, processing carried out exclusively on the user’s device precludes the transfer of data to the organisation and, consequently, its role as a data controller. Finally, it is important to actively implement data minimisation, for example by opting not to collect the exact age, but instead using an age range or simply receiving an answer as to whether the user has passed the verification process; this significantly reduces the risks for organisations that need to verify the user’s age.
Finally, the Judgment may be of importance for the AI environment. If any photographs, videos or voice recordings need to be used to train or retrain your neural networks or foundational models and such data does not constitute biometric personal data, then a simpler regime applies to them (no need for written consent, less stringent rules regarding data protection, threat modelling and the use of appropriate safeguards, etc.).
It is worth bearing in mind, however, that the law provides for a special regime for biometric personal data processed using the Unified Biometric System (UBS). In a number of cases, the use of UBS is mandatory for identification and authentication. For example, this applies to the Federal Law “On Certain Aspects of Regulating the Platform Economy in the Russian Federation” (“Platforms Law”), which takes effect on 1 October 2026 and sets out specific requirements for the identification and authentication of users of digital platforms when selling via digital platforms goods that are restricted by law from being freely sold.
Therefore, when it comes to the sale of such goods, processes for ensuring trustworthiness or age verification and buyer verification at the point of purchase must be clearly separated, both legally and technically. For example, an organisation may deploy an architecture based on the principle of “multi-factor authentication”: anti-fraud procedures or age verification without the use of biometrics for standard access, and checks using UBS where this is expressly required by law.
International expertise
While the court’s position in the Judgment is to be welcomed, it is nevertheless worth noting that in general many of the issues surrounding the interpretation of article 11 of the Personal Data Law could have been resolved had the European approach, as reflected in the GDPR and the relevant guidance from the European Data Protection Board (EDPB), been adopted. According to the GDPR, biometric data includes personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural personArticle 4(14) of the GDPR, recital 51 of the GDPR.. In other words, special technical means must be used during processing in order for the data to be recognised as biometric. For this reason, photographs and videos do not generally constitute biometric personal data.It is worth noting that the commentary on the Personal Data Law, as drafted by Roskomnadzor officials, also highlighted the mandatory use of specific technical meansFederal Law “On Personal Data”: an academic and practical commentary / ed. by A. A. Priezzheva; p. 67..
Given that, strictly speaking, article 11 of the Personal Data Law contains no reference to biometric means of identification, nor does it specify that identification based on biometric personal data must be unambiguous, this still gives rise to uncertainty among businesses and law enforcement agencies regarding the use of photographs, videos or voice recordings in practice.
* * *
Denuo’s data protection practice is the largest on the market and has been ranked in many ratings (Pravo-300, Kommersant, Expert RA). Our practice offers the full range of data protection services, from compliance audits and advice on complex issues relating to the application of the Personal Data Law to assistance with Roskomnadzor’s audits and court disputes.
