Table of Contents
Security measures that use a person’s facial image, fingerprint, iris, or other biometric data to gain identification are becoming more and more popular.
What should a company consider before implementing security solutions using biometric data?
Biometric data are data that allow unambiguous identification of a person – for example, the identification of a person’s face, fingerprints, or iris. Such data are considered to be of a different type, i.e. more sensitive than usual, as they can more significantly violate a person’s privacy rights when abused.
Further, a person’s biometric data is considered to be unique information received about a person without identifying his or her name and codes or hash obtained from the processing of biometrics. Although data protection is also important for less sensitive data, special care must be taken when collecting and processing biometric data.
Silence is not consent
By law, the processing of biometric data without the consent of the individual is only allowed for good reasons, such as public security or research. With the express consent of the person, the processing of biometric data for other purposes is also possible.
Consent to the processing of biometric data must be voluntary, specific, informed, and unambiguous. For example, in an employment relationship, the employee’s consent cannot generally be considered voluntary, as the employer-employee dynamic is unequal by nature and the employee may feel some pressure to agree to the processing of his or her personal data.
Thus, for example, in an office where a security lock with a fingerprint reader is to be installed, employees should be offered a realistic second alternative, the choice of which would not lead to negative consequences for the employee – for example, maintaining access to the office with a key card.
The situation is different, for example, in gyms, where there is no relationship of subordination between the gym and the client and the client has the opportunity to freely change the service provider. In such a situation, the gym may use biometric data for admission with the client’s explicit consent. By the same token, many online services, such as financial services, use biometric data for personal identification.
However, it must be borne in mind that the processing of sensitive personal data must be made known to the individual and subject to appropriate consent. The consent form should not be “hidden” in the general terms and conditions of the service nor should scrolling to the end of the notification page be considered as acceptance.
In order to ensure that the consent is identifiable, the person should make a separate action to do so, for example by ticking a consent box concerning the processing of specific data. The onus is always on the data controller to seek consent and to prove it at a later stage. They can be held liable for subsequent misuse of the data, especially in the case of sensitive data.
The use of biometrics, including facial recognition, carries increased risks. Before using biometric data, it should first be considered whether the same result cannot be achieved with less intrusive measures and how to ensure that data collection is kept to a minimum and the data retained for as short a time as possible.
It is important to note that for more sensitive data, the potential harm to data subjects in the event of a breach can be significant, so it is important to realistically weigh the risks and mitigate as much as possible before introducing new technologies to your company or launching a service.
Failure to comply with personal data protection requirements may, under European Union law, result in a fine of up to EUR 20 million or 4% of global turnover, whichever is higher. To date, the largest fine in 2019 is € 230 million imposed on British Airways for a 2018 data leak.
The use of biometrics can make identification processes significantly more convenient and faster and can, therefore, be a good solution for modernizing services or work processes. At the same time, it is important that companies are more careful the more sensitive data is collected and processed while ensuring that the individual remains in control of where and to whom his or her data is passed.