What is Biometric data?
Unlike a password, which consists of letters and numbers, or an e-mail address, collected, stored and processed biometric data such as fingerprints or facial scans is hard to forge, which makes it a reliable way to identify people. The same property cuts both ways: once biometric data is exposed or compromised in a data breach, it is compromised for good. You can change your e-mail address or your telephone number, but you cannot change your iris or your face. Because biometric data uniquely identifies a person, the security and privacy measures applied to its processing are crucial.
But what are the current legal safeguards in place to protect biometric data?
The EU GDPR establishes a harmonized framework within the European Union for the processing of personally identifiable data. The regulation has applied since May 25th 2018 and is now the same for 500 million people. The EU data privacy law defines biometric data in Article 4 as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data”.
As the GDPR treats biometric data as a special category of sensitive personal data, it must be processed and protected under the framework reserved for sensitive personal data generally. While the GDPR broadly prohibits the processing of special categories of personal data, it recognizes certain legal bases that justify such processing. Another critical aspect of the GDPR with regard to biometric data is that it expressly permits Member States to impose additional conditions and limitations on the processing of biometric data.
Several other jurisdictions, including Canada (PIPEDA), Australia (Privacy Act), and China (CSL), also strictly regulate the collection and use of biometric identifiers. A number of US states directly regulate biometric data, including Texas (Capture or Use of Biometric Identifier Act), Washington (H.B. 1493), and Illinois (BIPA). Biometric identifiers are included in the definitions of Personal Information or “Sensitive Personal Information” in California, Virginia, and Colorado. In addition, biometric data is covered by a number of other states’ breach notification regulations (e.g. New York’s SHIELD Act).
The evolving nature of biometric technology, combined with the absence of a clear, unified global approach to the correct processing of biometric data, creates a grey zone with potentially high-risk implications for people all over the world.
Biometric data – a potential security issue
The most recent international crisis in Afghanistan shows how biometric data can become an active threat to citizens when it is not protected accordingly. The existence of a biometric system containing the personal information of millions of Afghans is one of the main concerns for the privacy and security community. This system contains millions of fingerprints, iris scans, and face photos of Afghans whose biometric information was collected by US and coalition forces. The system was built more than 15 years ago to facilitate tracking and quickly identifying people for a variety of purposes, ranging from the World Food Programme’s distribution of e-vouchers to the upkeep of an electronic national identity card system. Should this data fall into the wrong hands, it could have serious safety implications for the Afghan people.
This case should serve as a lesson for governments: biometric data must be protected, and biometric systems must be built with security and emergency scenarios in mind.