Is the company able to comply with the legal requirements linked to the use of biometrics? As the implementation of biometrics gains speed, regulation on data protection worldwide is following suit. Companies and institutions adopting biometrics must be very careful to avoid lawsuits.
Identification and authentication of individuals are key for many industries, from digital banking to health services and education institutions, in their fight against identity fraud. Slowly but surely, biometrics is becoming the technology of choice for truly identifying individuals, since it uses biological patterns unique to each person as the means of authenticating their identity.
However, as the implementation of biometric technology gains speed around the world, regulation on data protection is following suit, and companies and institutions adopting biometrics must be very careful to avoid lawsuits.
Among other things, they must ensure that the biometric data of their customers is secure, that it won’t be kept longer than needed and that the data will be used only for the purposes for which it was collected.
A law to protect 500 million people
In Europe the GDPR (General Data Protection Regulation), which came into force in 2016, provides a harmonized legal framework for all 27 EU members (some 500 million people, counting citizens and long-term residents) and includes strict rules on the way biometric data can be collected and used.
The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or fingerprint data.”
Furthermore, it classifies biometric data among the “special categories of personal data” and establishes that it can only be processed in the following scenarios:
- The data subject has given explicit consent.
- Processing is necessary for carrying out the obligations and exercising specific rights of the controller or the data subject in the fields of employment and social security and social protection law.
- Processing is necessary to protect the vital interests of the data subject.
- Processing is necessary for the establishment, exercise or defence of legal claims.
- Processing is necessary for reasons of public interest.
US follows Illinois’ example
For the time being, there is no federal law addressing the use of biometric data that applies in all the States of the Union.
Nevertheless, Illinois’ Biometric Information Privacy Act (BIPA) is regarded as the strictest biometrics legislation in the world, and is serving as a model for other privacy regulations, including proposed US federal legislation.
An interesting fact is that of the approximately 1,000 BIPA-related lawsuits, most deal with everyday workplace use cases like time tracking, employee verification, and even temperature scanning.
But, in a world that is quickly becoming more dependent on digital services and interactions, biometrics continues to be the best technology to truly identify individuals, avoid identity fraud, secure physical spaces, and enable frictionless customer experiences in retail, government services, banking, healthcare, and other markets.
Seven questions to avoid court
Although companies, whether in Europe or the US, must be careful in their adoption of biometrics as their means to identify customers and secure their data, the road to compliance can be smooth. They just need to be sure to answer these questions truthfully.
1.- Why is the collection of biometric data necessary?
Since both European and US regulations are very strict about the collection and retention of biometric data, there must be an articulated, specific reason for using biometrics.
2.- How long will the biometric data be kept?
In addition to informing subjects of your purpose for using biometrics, both GDPR and BIPA require disclosure of how long any biometric data will be kept. The way to ensure a company follows best data-retention practice is to state that practice in its notice and then follow it strictly.
3.- Are we willing to ask permission to collect biometric data to be used for other purposes?
If a user agreed to be onboarded for biometric access to a company’s services, their continued consent cannot be assumed for every subsequent additional data use. It must be asked for explicitly.
4.- How transparent and accurate is the company’s communication on biometric data collection to its employees and customers?
For the sake of transparency and proper notice, clear and constant communication must be in place before any data is collected. Those onboarding onto your biometric technology need to know the answers to the first three questions, and more besides: which biometrics are being collected, when they are collected and why, and how long that data will be stored and for what purpose.
5.- Is my company fully transparent in my collection, retention, and use of biometric data?
Data protection regulations and laws require full transparency on the part of those implementing biometrics. If a company does not have a clear answer to the first three questions on this list, maybe it should revise its reasons for using biometrics.
6.- Does my company have a data hygiene plan?
It is mandatory for organizations using biometric technology to implement a reliable record-keeping system, including an end-of-life plan for biometric data consistent with their stated purpose for collection.
7.- Does my company know everything there is to know regarding biometric data collection and current regulation?
The best way to make sure a company is using biometrics in a privacy-respecting, legal way is to seek legal advice. If the organization is willing to contact a legal expert to ensure that it is using a strong identity technology such as biometrics legally and in good faith, then it is ready to benefit from it.
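Questions 2, 3 and 6 above (disclosed retention, explicit consent per purpose, and an end-of-life plan) are easiest to meet when they are enforced in code rather than left to policy documents. The following is an added example, not code from the original article or from B-FY: a small ledger that records the purposes a subject explicitly consented to and a retention deadline, refuses any use for a purpose that was not consented to, and purges records once the disclosed retention period has passed. Subject ids, purposes, dates and the template handle are constructed sample values; the ledger stores only an opaque reference to a template, never biometric data itself.

```python
"""Purpose-bound consent and retention ledger for biometric enrolments.

Added example (not the article's or B-FY's code). Each enrolment carries
the consented purposes and a retention period; use for any other purpose
raises, and an end-of-life sweep removes expired records. All sample
values are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class PurposeNotConsented(Exception):
    """Raised when a template would be used for a purpose the subject never agreed to."""


@dataclass
class Enrolment:
    subject_id: str
    purposes: frozenset            # purposes the subject explicitly consented to
    collected_at: datetime
    retention: timedelta           # the retention period disclosed in the notice
    template_ref: str              # opaque handle to the stored template, not the biometric itself
    consent_log: list = field(default_factory=list)

    @property
    def expires_at(self) -> datetime:
        return self.collected_at + self.retention


class BiometricLedger:
    def __init__(self):
        self._records = {}
        self.audit = []            # (time, event, detail) entries for the record-keeping duty

    def enrol(self, subject_id, purposes, retention_days, template_ref, now):
        rec = Enrolment(subject_id, frozenset(purposes), now,
                        timedelta(days=retention_days), template_ref)
        rec.consent_log.append((now, "enrol", sorted(purposes)))
        self._records[subject_id] = rec
        self.audit.append((now, "enrolled", subject_id))
        return rec

    def add_purpose(self, subject_id, purpose, now):
        """Question 3: a new purpose needs fresh, explicit consent; it is never assumed."""
        rec = self._records[subject_id]
        rec.purposes = rec.purposes | {purpose}
        rec.consent_log.append((now, "consent", [purpose]))

    def authorize_use(self, subject_id, purpose, now):
        """Return the template handle only if the record is live and the purpose was consented to."""
        rec = self._records.get(subject_id)
        if rec is None or now >= rec.expires_at:
            raise LookupError(f"no live enrolment for {subject_id}")
        if purpose not in rec.purposes:
            self.audit.append((now, "refused", (subject_id, purpose)))
            raise PurposeNotConsented(f"{subject_id} did not consent to {purpose!r}")
        self.audit.append((now, "used", (subject_id, purpose)))
        return rec.template_ref

    def purge_expired(self, now):
        """Question 6: the end-of-life sweep; returns the ids that were deleted."""
        expired = [sid for sid, r in self._records.items() if now >= r.expires_at]
        for sid in expired:
            del self._records[sid]
            self.audit.append((now, "purged", sid))
        return expired

    def active_subjects(self):
        return sorted(self._records)


def run_scenario():
    """Walk one constructed enrolment through consented use, refused use, new consent and purge."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger = BiometricLedger()
    ledger.enrol("subj-001", {"door-access"}, retention_days=30, template_ref="tmpl-a1", now=t0)
    out = {"consented": ledger.authorize_use("subj-001", "door-access", t0 + timedelta(days=1))}
    try:
        ledger.authorize_use("subj-001", "attendance", t0 + timedelta(days=1))
        out["unconsented_refused"] = False
    except PurposeNotConsented:
        out["unconsented_refused"] = True
    ledger.add_purpose("subj-001", "attendance", t0 + timedelta(days=2))
    out["after_consent"] = ledger.authorize_use("subj-001", "attendance", t0 + timedelta(days=3))
    out["purged"] = ledger.purge_expired(t0 + timedelta(days=31))
    out["remaining"] = ledger.active_subjects()
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The audit list doubles as the record-keeping evidence a regulator or auditor would ask for: every enrolment, refusal, use and purge is timestamped against the disclosed retention period, so the notice and the system's actual behaviour can be compared.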
B-FY, biometrics by the book
B-FY’s identification protocol has been designed in accordance with European data privacy directives, taking the utmost care of the user’s privacy and that of the company.
The Regulation protects EU citizens and long-term residents in the 27 member countries from having their information shared with third parties without their consent.
We need to highlight that, due to the nature of biometric operations, there is a high probability that the processing operations involved require a data protection impact assessment, as required by Article 35 of the GDPR and, where appropriate, the prior consultation provided for in Article 36 of the GDPR.
In this respect, B-FY has the advantage of being exempt from carrying out said assessment, since B-FY does not store or collect that information. This allows our clients to benefit from the advantages of biometric identification while minimizing the risks involved, thanks to our unique B-FY Onboard solution.
B-FY Onboard allows companies to use their mobile App as the standard form of identification for access to any of their online services and physical facilities. During this identification, B-FY asks the phone whether the person using it has been authorized at the biometric level, relying on the biometric mechanisms we all already use daily to unlock our phones, so that the user’s biometrics always stay on his or her device. In this way, B-FY carries out the identification without risking data privacy.
This approach gives the user complete control: they decide when to use their biometrics, which are verified on their own mobile device rather than by external devices. Such external devices have, unfortunately, become very fashionable, but they generally carry great risks regarding how the collected information is sent and stored.
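The pattern described above, in which the biometric match happens on the phone and the service only learns whether a device-bound key answered its challenge, can be sketched as a small challenge-response exchange. This is an added illustration of that general pattern, not B-FY's code or protocol: the biometric match is simulated by comparing an on-device template with the presented sample, and the device key is an HMAC secret established at onboarding so the example runs with the standard library alone (a real deployment would use an asymmetric key held in the phone's keystore, so the server would hold no secret at all). Device id, template bytes and timestamps are constructed.

```python
"""Device-side biometric gate with a server that never receives biometric data.

Added example (not B-FY's protocol). The phone keeps the template and a
device-bound key; the server sends a fresh nonce and accepts only a
single-use, in-time answer computed with that key. HMAC stands in for an
asymmetric device key so this runs with the standard library only.
"""
import hashlib
import hmac
import secrets


class Device:
    """Simulated phone. The template and key never leave this object."""

    def __init__(self, device_id, enrolled_template):
        self.device_id = device_id
        self._template = enrolled_template      # on-device only; never transmitted
        self._key = secrets.token_bytes(32)     # device-bound key created at onboarding

    def onboarding_material(self):
        # Shared once over the onboarding channel (an asymmetric key would share only the public half)
        return self.device_id, self._key

    def _local_biometric_match(self, presented):
        # Stands in for the OS biometric prompt; only a yes/no result exists outside it
        return hmac.compare_digest(self._template, presented)

    def answer_challenge(self, challenge, presented_biometric):
        """Answer the server's nonce only if the local biometric check passed."""
        if not self._local_biometric_match(presented_biometric):
            return None                         # failed locally: nothing is sent
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    """Relying service. It stores device keys, never biometric data."""

    def __init__(self, ttl_seconds=60):
        self._keys = {}
        self._pending = {}                      # nonce -> (device_id, issued_at)
        self.ttl = ttl_seconds

    def register(self, device_id, key):
        self._keys[device_id] = key

    def issue_challenge(self, device_id, now):
        nonce = secrets.token_bytes(32)
        self._pending[nonce] = (device_id, now)
        return nonce

    def verify(self, device_id, nonce, response, now):
        entry = self._pending.pop(nonce, None)  # single use: a replayed nonce is gone
        if entry is None or entry[0] != device_id or now - entry[1] > self.ttl:
            return False
        if response is None:
            return False
        expected = hmac.new(self._keys[device_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_scenario():
    """Genuine login, replayed nonce, wrong biometric and stale answer, with constructed data."""
    template = b"constructed-template-bytes"    # placeholder for the on-device template
    phone = Device("phone-001", template)
    server = Server(ttl_seconds=60)
    server.register(*phone.onboarding_material())
    now = 1_700_000_000.0
    results = {}

    nonce = server.issue_challenge("phone-001", now)
    answer = phone.answer_challenge(nonce, template)
    results["genuine"] = server.verify("phone-001", nonce, answer, now + 2)
    results["replay"] = server.verify("phone-001", nonce, answer, now + 3)

    nonce2 = server.issue_challenge("phone-001", now)
    results["wrong_biometric"] = server.verify(
        "phone-001", nonce2, phone.answer_challenge(nonce2, b"someone-else"), now + 2)

    nonce3 = server.issue_challenge("phone-001", now)
    results["expired"] = server.verify(
        "phone-001", nonce3, phone.answer_challenge(nonce3, template), now + 120)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The point for the impact-assessment discussion above is visible in what crosses the wire: a nonce in one direction and a keyed digest in the other. The server's records contain device identifiers and keys, so a breach of the server exposes credentials that can be rotated, not biometric traits that cannot.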
The solution is designed for quick integration and is activated in minutes, without making significant changes to the client’s App. With a simple call from their system, B-FY Onboard performs all interactions with the user for identification.
Sergio Lázaro is DPO – QA & Compliance Manager for B-FY.