Is Biometric Data Covered by GDPR?
Biometrics and privacy have long been a discussion point, even before the GDPR went into effect. In 1997, a US law professor named John D. Woodward wrote a seminal paper published in IEEE Proceedings called “Biometrics, privacy’s friend or privacy’s foe?” Woodward argued that biometrics could be a friend to privacy, because it provided a means to establish identity that depended on the unique characteristics of an individual rather than on an externalized comparator such as a password.
The user cannot forget and leave their face, fingerprint or retinas at home, but he/she can forget a password or leave an access badge on the dresser. A password can be guessed or obtained through spoofing, and a badge can be stolen, but duplicating a fingerprint or a retina is a challenge. The argument is valid today to an extent, although Woodward did not have to confront the security issues that exist today in protecting biometric data, and he did not have to deal with artificial intelligence that can in some circumstances make accurate identifications based on incomplete or circumstantial data. In addition, the use cases he referenced in his argument were all authentication use cases, not identification use cases. We will explore the differences. Finally, GDPR did not exist, so GDPR-related biometrics issues did not influence his thinking.
Identification vs. Authentication with Biometrics
Woodward defined two use cases for biometric data: identification and authentication. For identification, the identity of a subject has not been established. The system captures image data and extracts features relevant to the individual being assessed. The system then compares the feature data to known information and tries to make a connection with some level of statistical certainty. This entire activity might occur surreptitiously, and without the user’s consent. Because the human face is usually exposed, and in its entirety it is unique, facial recognition is the most commonly used identification approach. With authentication, the user provides consent and willingly gives up a sample of biometric data, such as a fingerprint image, a retinal scan, or similar. The system then uses that information to verify the user’s identity before allowing the user access to a facility or perhaps highly secured information. In essence, authentication answers the question “are you who you say you are?” Identification answers the question “who are you?”
Biometric Data Applications
Biometric data applications for authentication are in widespread use, most notably in cell phones. In these cases, the user considers that the data are stored on the cell phone and not duplicated anywhere else without the user’s consent. Under those circumstances the user controls the data. In cases where a user gains access to an online bank account with biometric data, those data are stored in the bank’s servers, and the bank controls the data. A cell phone user might share stored biometric data with a cell phone service provider for purposes of unlocking online services, in which case both control the data.
Identification use cases are the purview of governments in pursuit of better security. Image acquisition and facial recognition are in use at international airports all over the world to aid in recognizing known criminals or foreign operatives. The premise is that the facial features of ordinary citizens are scanned, compared to known data, then dropped when there is no match. Issues can arise when the data for citizens is not dropped, often for the best of intentions: for example, if a person were identified as a criminal at a later date, knowing where that person had been would be very valuable. This is a slippery slope. Data storage is cheap, and modestly priced digital video cameras give excellent performance and can be installed wirelessly almost anywhere. The temptation for security professionals to record everything from as many cameras as they can afford and keep all of it is very high.
Is Biometric Data Covered by GDPR?
Biometric data is addressed both by the GDPR itself and by rules established by each Data Protection Authority (DPA). GDPR explicitly prevents using biometric data for either authentication or identification, but there are multiple exemptions called out in Article 9(2). For authentication, the application must require high reliability which cannot be obtained by other technologies. Biometric data for individuals is considered sensitive personally identifiable information, and as such it requires a higher level of protection. Various country DPAs have taken specific stances on biometric identification. For example, the French CNIL recently posted a position paper in which it recognized a government’s need to secure the borders, but declined to set any hard rules, preferring review on a case-by-case basis.
The CNIL also warned entities against promoting experimental or trial applications with the sole aim of socializing the public to these technologies and gaining their implied consent; these will not be allowed by the CNIL.
The Italian DPA (The Garante) took a different approach in their 2014 guidelines by focusing on the method of collection, not the usage, choosing to define passive vs. interactive biometric collection systems:
This remains essentially unchanged since 2014, although a legislative decree (Italian only) called for the introduction of new provisions every two years (from 2018) that would revise guidelines in accordance with the employment of new technology.
Germany does not have a central data protection authority. Responsibility vests with state-level organizations, of which there are 16.
Resolving the Biometrics Debate
The debate concerning the use of biometrics for identification or authentication in a privacy-centric world is ongoing, and has been at some level for over 20 years. Establishing that the debate in fact has two distinct use cases will probably aid greatly in obtaining some agreement and understanding. The case for identification almost guarantees that the information will be gathered without the individual’s express consent. On the other hand, there are many use cases for authentication that solicit the individual’s consent and active participation, and the individual often derives benefit from more reliable access and better security. While it is understood that law enforcement at the nation-state level has a pressing need for biometric identification, use by others may be unnecessary where other less invasive approaches may be acceptable.
- Biometrics, privacy’s friend or privacy’s foe: semanticscholar.org/paper/Biometrics%3A-privacy’s-foe-or-privacy’s-friend-Woodward/45db09c52035fcee984525397b56d8b5c9b80b57
- Position paper: cnil.fr/en/facial-recognition-debate-living-challenges
- 2014 Guidelines: garanteprivacy.it/documents/10160/0/GUIDELINES+ON+BIOMETRIC+ RECOGNITION.pdf/3ac0d4ff-7575-4f5e-a3fa-b894ab7cf517?version=1.1