Biometric Data under the GDPR

With the launch of the iPhone X, the debate around using biometric data as an authentication method has become mainstream.  To recap, the iPhone X is making thumbprint access to a mobile device a thing of the past:  now, all you need is your face (and, of course, the iPhone X).  While thumbprint access has become standard in most mobile devices, the use of facial recognition is new for most consumers.

Biometric data can be divided into two main categories:  (1) physiological characteristics; and (2) behavioral characteristics.  Physiological characteristics are related to the actual shape of your body, e.g., fingerprints or facial recognition.  Behavioral characteristics are your pattern of behavior, e.g., how long it typically takes you to enter a password or which hand you typically hold your phone in.  The government has been using biometric data for decades, for a variety of reasons:  fingerprinting suspects, as a mechanism to identify individuals seeking entry into the United States, etc.

In the private sector, biometric data is gaining popularity as an authentication method.  It is user friendly — you don’t need to enter or even remember a password.  All you need is a thumb (or a face) and you can gain access to a device, system, or application.  Further, it seems like a trustworthy option:  a hacker can steal your password and enter it, but it is much harder to steal a thumb or a face (or at least that is the hope).  The security issue is what you do once a face is stolen: get a new one?

Beyond the security implications of biometric data, it presents an interesting data privacy issue, both within the United States and in Europe.  In the wake of the Equifax breach, companies (including banks, financial institutions, and credit card companies) are unable to rely solely on your name, address, and social security number as a unique identifier.  So, what can they rely on?  Companies are exploring biometric data.

While the United States is still, on a state-by-state basis, attempting to determine how to regulate biometric data, the GDPR addresses it head-on.  The GDPR defines “biometric data” as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”  (Art. 4(14)).  Further, it expressly segments out biometric data as a special category of personal data and prohibits the processing of “biometric data for the purpose of uniquely identifying a natural person” unless one of the enumerated exemptions under Article 9(2) applies.  (Art. 9(1)).

Because of its sensitive nature, biometric data requires extra protections under the GDPR.  Article 35 lays out the requirements of Data Protection Impact Assessments (“DPIA”), which are required when processing “is likely to result in a high risk to the rights and freedoms of natural persons.”  (Art. 35(1)).  The GDPR goes further by stating that a DPIA “shall in particular be required in the case of . . . processing on a large scale of special categories of data referred to in Article 9(1).”  (Art. 35(3)(b)).  The GDPR does not define “large scale,” but Recital 91 sheds some light on what amounts to “large scale”:  “a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk.”  The Article 29 Data Protection Working Group provides further guidance, laying out a set of factors to be considered:

a. the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
b. the volume of data and/or the range of different data items being processed;
c. the duration, or permanence, of the data processing activity;
d. the geographical extent of the processing activity.

Before building a new product or application, or enhancing an existing product or application to use biometric data as an authentication method, a company needs to assess whether conforming with the GDPR’s heightened requirements is technologically and economically feasible.  The added layer of a DPIA, plus the requirement that biometric data be collected only within one of the enumerated exceptions of Article 9(2), caution against using biometric data unless it is deemed necessary.

Finally, to complicate matters even further, Member States are allowed to “maintain or introduce further conditions, including limitations, with regard to the processing of . . . biometric data.”  (Art. 9(4)).  For example, Germany enacted the new Federal Data Protection Act, Bundesdatenschutzgesetz (“BDSG”), to bring German law into conformity with the provisions of the GDPR.  The BDSG aligns with the GDPR in its definition of biometric data (§ 46(12)) and expressly includes biometric data as a “special category of personal data.”  (§ 46(14)(c)).  The BDSG limits processing of “special categories of personal data” by private entities to three situations:  (1) “processing is necessary to exercise the rights derived from the right of social security and social protection and to meet the related obligations;” (2) processing is necessary for the purposes of preventive medicine and other health related treatment; or (3) “processing is necessary for reasons of public interest in the area of public health . . . .”  (§ 22(1)).  And, “[t]he processing of special categories of personal data shall be allowed only where strictly necessary for the performance of the controller’s tasks.”  (§ 48(1)).  Further, “appropriate and specific measures shall be taken to safeguard the interests of the data subject.”  (§ 22(2)).

It is readily apparent that the processing of biometric data is complex under the GDPR and any corresponding Member State law.  When approaching the use of biometric data from a purely commercial standpoint, entities need to ensure that the use of biometric data is done in a compliant manner and that the data collected is provided with sufficient safeguards, covering both the security and the privacy of that data.  While the use of biometric data may provide increased convenience to consumers, it correspondingly creates increased liabilities for a company.  Companies need to be aware of and address these increased liabilities in the design of both the product and the network infrastructure collecting and maintaining the data.

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.