GDPR, biometrics and quality assurance: strategic impacts for Maltese providers
- 23 February 2026
- Posted by: Editorial team
- Category: Quality Assurance
The Italian case of the eCampus online university highlights the legal risks of using biometrics in online courses. An analysis for Maltese providers on GDPR, compliance and facial recognition governance.
The Italian Data Protection Authority has recently sanctioned the eCampus online university for its use of facial recognition systems in online training. The processing concerned biometric data used to verify the identity and presence of trainees during distance learning activities.
The decision is based on an essential principle of the GDPR: biometric data belong to a special category of personal data and require a solid legal basis, a prior impact assessment and appropriate technical and organisational measures. In the absence of these conditions, the processing is considered unlawful.
For entities operating or intending to operate in the Maltese scenario, the case represents a relevant precedent. The Italian legislation applied by the Authority is based on the common European framework, to which Malta fully adheres. Therefore, a Maltese provider adopting similar facial recognition systems would be subject to the same substantive data protection standards.
In the context of Malta, the supervision of the tertiary education sector is entrusted to the Malta Further and Higher Education Authority, which operates in implementation of the Further and Higher Education Act and secondary legislation on licensing, accreditation and quality assurance. Although MFHEA is not a privacy authority, its accreditation standards require providers to demonstrate full regulatory compliance, including data protection compliance.
The use of biometrics, especially in online training contexts, cannot be considered a mere technological choice. It affects fundamental rights and involves stringent compliance, governance and accountability obligations.
Biometrics, governance and quality assurance in the Maltese framework
In the Maltese system, compliance does not end with formally meeting GDPR obligations. It must be integrated into internal quality assurance processes, risk management and institutional governance.
The MFHEA requires providers to demonstrate that their internal policies are consistent with the National Quality Assurance Framework and licensing conditions. This implies that any technological innovation, including biometrics, must be assessed ex ante in terms of proportionality, necessity and impact on students’ rights.
The introduction of biometric systems in online training should be preceded by:
- a data protection impact assessment;
- an analysis of reputational and regulatory risks;
- the review of quality policies and student-centred learning procedures;
- documented involvement of governance bodies.
Biometrics, when used for unique identification, involves high-risk processing. In the MFHEA context, this is indirectly reflected in the integrity, accountability and information management requirements set out in the accreditation manuals. A provider that implements biometrics without adequate documentation risks not only privacy penalties, but also findings during external audits.

It is crucial to understand that biometrics are not neutral with respect to the principle of data minimization. If there are less invasive ways to verify participation or identity, the adoption of biometric solutions may be disproportionate. In addition, biometrics must be accompanied by robust technical measures, consistent retention policies and clear disclosure mechanisms.
In the Maltese framework, biometrics also affect the requirement of fit and proper management. Governing bodies must demonstrate that they understand the legal implications of the technologies used. Biometrics governance thus becomes an integral part of the quality culture.
Strategic opportunities for providers and the role of specialized consulting
The Italian case should not be interpreted exclusively as a warning of sanctions. It also represents an opportunity for Maltese providers to strengthen their positioning through structured and transparent compliance.
An institution that demonstrates that it has addressed the biometrics issue with methodological rigor, integrating it into its quality assurance systems, sends a clear signal to students, partners and authorities. Compliance becomes a distinctive element of reliability.
In this scenario, consulting support takes on a strategic function. The implementation of advanced technologies, including biometrics, requires:
- mapping of processes and data flows;
- alignment between privacy policies and quality manuals;
- revision of academic regulations;
- management and staff training.
A consultancy specialized in the Maltese regulatory framework is able to combine knowledge of Chapter 607, MFHEA standards and market dynamics. Biometrics, if evaluated correctly, can be integrated into innovative teaching models; if managed superficially, it can compromise institutional sustainability.
Malta Quality Education operates in this critical space, supporting providers in building consistent, audit-ready governance systems aligned with European standards. The goal is not only to avoid sanctions, but to strengthen institutional standing.
Biometrics will continue to be the subject of regulatory attention. Providers looking to operate or expand in Malta must anticipate these developments, integrating compliance, quality and strategy. In an increasingly competitive market, regulatory credibility is a real advantage.
Conscious management of biometrics, supported by an appropriate compliance architecture, allows institutions to transform a risk into an element of institutional maturity. And it is in this area that qualified advice can make the difference.
