Spotlight on biometric data
- The use of biometrics is on the rise, particularly in online authentication, where facial, fingerprint and iris recognition is increasingly widespread
- Tech companies have been quick to see the advantages, citing security and ease – e.g. maintaining that a fingerprint-enabled smartphone is safer and more convenient than one requiring a lengthy (and forgettable) password
- The GDPR places tighter controls on the processing of biometric data. With prohibitive new sanctions for serious privacy breaches, companies wishing to use biometrics in the EU will need to proceed with the utmost care
The benefits of biometrics
Biometric technology provides considerable advantages in terms of day-to-day convenience, something that is at a premium in digital customer journeys: it minimises friction by avoiding the need to remember multiple log-in codes, and it reduces the risk of identity fraud resulting from stolen credentials. But there are risks to the use of biometric data. Privacy advocates argue that, rather than protecting an individual's security, biometric authentication can in some cases create wider security risks.
Software can only operate on digital data, so a biometric authentication system converts the analog characteristic it captures (a fingerprint ridge pattern, a face, an iris) into a digital representation, usually a template, which the matching software compares against the reference enrolled for that user. Although harder to obtain than a typed password, that digital representation is a credential like any other: it can be intercepted in transit, exfiltrated from insecure networks or poorly protected storage, and replayed or duplicated by a malicious actor. The difference is that a biometric cannot be reset. A leaked password is replaced; a leaked fingerprint template describes a characteristic the individual keeps for life. Because the data is unique to the individual and cannot be revoked, controllers and processors of biometric data must protect it to a heightened standard. In practice that means keeping templates and the matching step on the user's own device in hardware-backed storage, transmitting neither raw samples nor templates, and limiting what a remote server ever sees to the outcome of a local match, which is how a fingerprint-enabled smartphone typically works.
Processing biometric data
Under the GDPR, all processing of personal data must adhere to the data protection principles, such as lawfulness, fairness, transparency and accountability. More restrictive rules apply to the processing of "special categories of personal data" where the data is particularly sensitive and its misuse poses significant risk to an individual's fundamental rights and freedoms, e.g. by exposing them to potential discrimination. In order to process special category data, controllers must identify both a lawful basis under Article 6 GDPR and a separate condition for processing special category data under Article 9 GDPR.
Special categories of personal data
The following categories give rise to special protection under the GDPR. Data relating to:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- health; or
- sex life and sexual orientation.
The GDPR expressly adds genetic data and biometric data (where processed for the purpose of uniquely identifying a natural person) to these special categories. Such data cannot be processed without the data subject's explicit consent, except in narrowly defined circumstances, such as:
- where processing is necessary for employment, social security and social protection law,
- to protect the vital interests of the data subject or another natural person where the data subject is unable to provide consent,
- for the establishment, exercise or defence of legal claims, and for various public interest reasons.
The GDPR gives Member States the scope to add further processing conditions, and the Data Protection Act 2018 includes additional safeguards for special categories of personal data.
A question of consent
In practice, EU-based companies, or international organisations looking to use the biometric data of EU data subjects for commercial gain, are likely to require the explicit consent of data subjects. Consent under the GDPR is a high bar: it means offering individuals real choice and control, with a right to revoke that consent at any time. Consent is only valid if it is freely given, so a biometric log-in should sit alongside a non-biometric alternative; if refusing or withdrawing consent locks the customer out of the service, the consent is unlikely to stand up. While this may seem like a difficult burden to meet, businesses can take comfort in the fact that customers are increasingly willing to trade their personal information in return for an enhanced user experience, and particularly for improved convenience. Few, for instance, will argue with the instant access to their bank accounts that their thumb can provide in preference to clumsy passwords. Yet it is essential that businesses think through their privacy procedures with respect to biometrics and give consumers the opportunity for real and informed consent.
Byte-sized news
Recent ICO fine focuses on appropriate technical and organisational measures. The Information Commissioner's Office (ICO) fined Yahoo! UK Services Limited £250,000 under the UK data protection 1998 regime (Principle 7) for a failure to implement appropriate technical and organisational measures in relation to 515,121 customer accounts and failure to take appropriate measures to flow down contractual obligations to processors within its group. James Dipple-Johnstone, Deputy Commissioner for Operations, stated, "the failings our investigation identified are not what we expect or will accept from a company processing significant volumes of personal data." Dipple-Johnstone also emphasised that the inadequacies found had been in place for a long period of time and Yahoo! UK had "ample opportunity" to implement appropriate measures.
LIBE Committee calls for suspension of Privacy Shield. The European Parliament's Civil Liberties Committee (LIBE) has passed a motion calling on the European Commission (Commission) to suspend the EU-US Privacy Shield (Privacy Shield) unless the US complies with the terms of the data transfer agreement in full by 1 September 2018. Members of the European Parliament (MEPs) raised specific concerns about the Facebook/Cambridge Analytica data breach, given that both companies are certified under the Privacy Shield. The European Parliament will vote on the text of the motion next month (July 2018). MEPs also suggested there is a potential conflict between EU data protection laws and the recently adopted Clarifying Lawful Overseas Use of Data Act (CLOUD Act), a US law that allows US and foreign law enforcement access to personal data across borders.
With special thanks to Tom Brookes for his contribution.