
How to Handle Biometric Data Under GDPR

Is Biometric Data Covered by GDPR?

Biometrics and privacy have long been a discussion point, even before the GDPR went into effect. In 1997, a US law professor named John D. Woodward wrote a seminal paper published in IEEE Proceedings called “Biometrics, privacy’s friend or privacy’s foe?” Woodward argued that biometrics could be a friend to privacy because it provided a means to establish identity that depended on the unique characteristics of an individual rather than on an externalized comparator such as a password.

The user cannot forget and leave their face, fingerprint or retinas at home, but they can forget a password or leave an access badge on the dresser. A password can be guessed or obtained through spoofing, and a badge can be stolen, but duplicating a fingerprint or a retina is a challenge. The argument is valid today to an extent, although Woodward did not have to confront the security issues that exist today in protecting biometric data, and he did not have to deal with Artificial Intelligence that can in some circumstances make accurate identifications based on incomplete or circumstantial data. In addition, the use cases he referenced in his argument were all authentication use cases, not identification use cases. We explore the differences below. Finally, GDPR did not exist, so GDPR-related biometrics issues did not influence his thinking.


Identification vs. Authentication with Biometrics

Woodward defined two use cases for biometric data: identification and authentication. For identification, the identity of a subject has not been established. The system captures image data and extracts features relevant to the individual being assessed. The system then compares the feature data to known information and tries to make a connection with some level of statistical certainty. This entire activity might occur surreptitiously and without the user’s consent. Because the human face is usually exposed, and in its entirety it is unique, facial recognition is the most commonly used identification approach. With authentication, the user provides consent and willingly gives up a sample of biometric data, such as a fingerprint image, a retinal scan, or similar. The system then uses that information to verify the user’s identity before allowing the user access to a facility or perhaps to highly secured information. In essence, authentication answers the question “are you who you say you are?” Identification answers the question “who are you?”


Biometric Data Applications

Biometric data applications for authentication are in widespread use, most notably in cell phones. In these cases, the user considers that the data are stored on the cell phone and not duplicated anywhere else without the user’s consent. Under those circumstances the user controls the data. In cases where a user gains access to an online bank account with biometric data, those data are stored in the bank’s servers, and the bank controls the data. A cell phone user might share stored biometric data with a cell phone service provider for purposes of unlocking online services, in which case both control the data.

Biometric GDPR

Identification use cases are the purview of governments in pursuit of better security. Image acquisition and facial recognition are in use at international airports all over the world to aid in recognizing known criminals or foreign operatives. The premise is that the facial features of ordinary citizens are scanned, compared to known data, then dropped when there is no match. Issues can arise when the data for citizens is not dropped, often for the best of intentions: for example, this person could be identified as a criminal at a later date, and knowing where that person had been would then be very valuable. This is a slippery slope. Data storage is cheap, and modestly priced digital video cameras give excellent performance and can be installed wirelessly almost anywhere. The temptation for security professionals to record everything from as many cameras as they can afford, and to keep all of it, is very high.
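
The two use cases described above (1:1 authentication against a claimed identity, 1:N identification against a set of known templates) and the "dropped when there is no match" premise can be shown side by side. This is an added example, not code from the original article; the feature vectors, the cosine-similarity comparison, the 0.95 threshold and all names are assumptions made for illustration.

```python
import math

THRESHOLD = 0.95  # assumed cosine-similarity decision threshold

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm

def authenticate(claimed_id, probe, enrolled):
    """1:1 verification ("are you who you say you are?")."""
    template = enrolled.get(claimed_id)
    return template is not None and cosine(probe, template) >= THRESHOLD

def identify(probe, gallery):
    """1:N search ("who are you?"); returns the best match or None."""
    best_id, best_score = None, THRESHOLD
    for subject_id, template in gallery.items():
        score = cosine(probe, template)
        if score >= best_score:
            best_id, best_score = subject_id, score
    return best_id

def screen(captures, watchlist):
    """Identify each capture; keep only hits, never the probe features."""
    hits = []
    for capture_id, probe in captures:
        match = identify(probe, watchlist)
        if match is not None:
            hits.append((capture_id, match))
        # No match: nothing about this person is stored or logged.
    return hits

# Constructed sample data (not real biometric templates).
ENROLLED = {"alice": [0.9, 0.1, 0.3, 0.2], "bob": [0.1, 0.8, 0.2, 0.5]}
WATCHLIST = {"subject-17": [0.2, 0.2, 0.9, 0.1]}
CAPTURES = [
    ("cam1-0001", [0.88, 0.12, 0.31, 0.19]),  # resembles alice
    ("cam1-0002", [0.21, 0.19, 0.91, 0.10]),  # resembles subject-17
    ("cam1-0003", [0.12, 0.79, 0.20, 0.50]),  # resembles bob
]

if __name__ == "__main__":
    print(authenticate("alice", CAPTURES[0][1], ENROLLED))
    print(screen(CAPTURES, WATCHLIST))
```

Only the capture that matches the watchlist leaves `screen`; the retention problem the paragraph describes begins when the non-matching probes are kept as well.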


Is Biometric Data Covered by GDPR?

Biometric data under GDPR is addressed by the regulation itself and by rules established at each Data Protection Authority (DPA). GDPR explicitly prevents using biometric data for either authentication or identification, but there are multiple exemptions called out in Article 9(2). For authentication, the application must require high reliability which cannot be obtained by other technologies. Biometric data for individuals is considered sensitive personally identifiable information, and as such it requires a higher level of protection. Various country DPAs have taken specific stances on biometric identification. For example, the French CNIL recently posted a position paper where they recognized a government’s need to secure the borders, but declined to set any hard rules, preferring review on a case-by-case basis:

In accordance with these rules, the need for such devices must be established on a case-by-case basis: facial recognition cannot be used without a specific requirement to ensure high reliability in verifying the identity of individuals. These texts also require that the proportionality of the means deployed and the special protection afforded to children be both guaranteed. They call for respect for people to be at the heart of the systems, for example by obtaining their consent or by ensuring they have control over their data. It is by applying these principles, recently reaffirmed at European level, that the CNIL has already had the opportunity to allow certain uses in principle, while regulating them in practical terms (border control at airports), and to refuse others (controlling student access in schools).

The CNIL also warned entities against promoting experimental or trial applications with the sole aim of socializing the public to these technologies and gaining their implied consent; these will not be allowed by the CNIL.

The Italian DPA (The Garante) took a different approach in their 2014 guidelines by focusing on the method of collection, not the usage, choosing to define passive vs. interactive biometric collection systems:

Biometric systems are termed interactive or participative if they envisage the data subject’s participation and require him or her to cooperate in the biometric data acquisition phase – e.g. as regards retinal scanning or placing one’s handwritten signature. Conversely, passive systems collect biometric data without the data subject’s perceiving or being aware of it – e.g. as regards facial image acquisition or voice recordings obtained without this being noticed by the data subject.

This remains essentially unchanged since 2014, although a legislative decree (Italian only) called for the introduction of new provisions every two years (from 2018) that would revise guidelines in accordance with the employment of new technology.

Germany does not have a central data protection authority. Responsibility vests with state-level organizations, of which there are 16.


Resolving the Biometrics Debate

The debate concerning using biometrics for identification or authentication in a privacy-centric world is ongoing, and has been at some level for over 20 years. Establishing that the debate in fact has two distinct use cases will probably aid greatly in obtaining some agreement and understanding. The case for identification almost guarantees that the information will be gathered without the individual’s express consent. On the other hand, there are many use cases for authentication that solicit the individual’s consent and active participation, and the individual often derives benefit from more reliable access and better security. While it is understood that law enforcement at the nation-state level has a pressing need for biometric identification, use by others may be unnecessary where other less invasive approaches may be acceptable.



