Biometric data and the General Data Protection Regulation

Biometric Data. Last updated 18 September 2017

Despite the very particular character of such information, there are virtually no legal provisions in the world that are specific to biometric data protection. Legal texts instead rely on provisions relating to personal data protection and privacy in the broad sense. But such legislation sometimes proves to be poorly adapted to biometric data. Assuming – that is – there is any such legislation at all...

Biometrics and privacy: what the law says

However, the General Data Protection Regulation (GDPR) for European Member States does address biometric data and represents a major step forward for data protection and privacy. 28 countries are impacted including the UK. We will see how France and the Netherlands are getting ready for this new law.

In the United States, there is no single, comprehensive federal law regulating the collection and use of biometric data. However Washington, following Illinois and Texas, just passed a biometric privacy law in June 2017. Clearly, US regulators are also increasingly focusing on the use of biometric data.

Let's dig in.

In this web dossier we will focus on 5 topics:

  • Biometric data within the GDPR
  • Main objectives and provisions of the GDPR (including a video)
  • Specific implications of the GDPR for companies
  • Preparation for the GDPR in two countries: France and the Netherlands
  • US legal landscape for biometric data protection

GDPR time line: 25 May 2018

The GDPR establishes a harmonized framework within the European Union, the right to be forgotten, clear and affirmative consent and, amongst other things, serious penalties for failure to comply with these rules.

It came into force on 24 May 2016. Member States have to transpose it into their national law by 6 May 2018.

The European Commission first proposed an ambitious reform of the European rules regarding data protection in January 2012.

The Regulation 2012/0011 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) was eventually adopted officially on 27 April 2016. 

The provisions of the Regulation will apply from 25 May 2018, after a two year transition period (national governments do not have to pass any enabling legislation). 

Biometric information

What is biometric data for the EU regulation?

The Regulation defines "biometric data" as "personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data" (i.e. fingerprints).

Biometric data represents one of the categories defined as "special categories of personal data" and the Regulation states that its processing "shall be prohibited". Nonetheless, exceptions are foreseen within the text:

  • If the data subject has given explicit consent for the processing of their biometric data for one or more specified purposes.
  • If processing of biometric information is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
  • If processing is necessary to protect the vital interests of the data subject and he/she is incapable of giving consent.
  • If processing is necessary for the establishment, exercise or defense of legal claims.
  • If processing is necessary for reasons of public interest in the area of public health.

Other more specific exceptions are presented within article 9 of the text.

Moreover, the Regulation permits Member States to introduce other limitations regarding the processing of biometric information.

Main objectives and provisions of the GDPR

The main objective of the text is to give back to European citizens control over their personal data, while simplifying the regulatory framework for companies. More precisely, this means that after 25 May 2018, there will only be one set of rules directly applicable in all the European Member States regarding the protection of personal data.

What is the scope of the General Data Protection Regulation?

The Regulation applies:

  • If the "data controller", the "data subject" or the "data processor" is based in the European Union.
  • To organizations based outside of the European Union if they are collecting or processing the personal data of European residents.

How does the GDPR apply to law enforcement activities?

The Regulation does not apply to the processing of personal data for law enforcement or national security activities.

The rules regarding this kind of personal data were adopted by the European Institutions within the Data Protection Directive for the police and criminal justice sector on April 27 2016. This aims at ensuring the protection of personal data of individuals involved in criminal proceedings (as witnesses, victims, or suspects).

It also aims at implementing a smoother exchange of information between Member States' police and judicial authorities by further harmonizing the national legislations of the Member States.

What constitutes personal data?

In the Regulation, "personal data" is defined as any information relating to an identified or identifiable natural person (data subject). 

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

Data usage limited to what is necessary

The Regulation states that personal data shall be collected for "specified, explicit and legitimate purposes". It shall not be further processed "in a manner that is incompatible with those purposes". The personal data collected should be adequate, relevant and limited to what is necessary (the data minimization principle). 

Further provisions regarding use of the data processed can be introduced by European Member States, provided they are in line with the GDPR rules. 

Consent must be explicit

The Regulation states that the consent must be explicit before the collection of data. It also explains that "the data subject shall have the right to withdraw his or her consent at any time".

Data protection by design and default 

The Regulation states that, by default, only personal data which is necessary for a specific purpose should be processed. In order to meet this objective, the controller must implement the technical and organizational measures needed. This means that data protection will have to be designed into the development of business processes for products and services. 

Certification and the European Data Protection Seal 

  • The board, an independent body of the EU whose mission is to promote the consistent application of the Regulation, will collate the certification mechanisms and the data protection seals and marks in a publicly available register.
  • The Regulation establishes data protection certification mechanisms and data protection seals and marks at EU level. 
  • When the board approves the criteria of a certification it may become a common certification: the European Data Protection Seal.
  • A certification is issued for a maximum period of three years. It can be renewed if requirements continue to be met.
  • The certification will be voluntary and available via a process that needs to be transparent.
  • The adoption of implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognize those certification mechanisms, seals and marks is foreseen by the European Commission. 

Who are the certification bodies?

  • The certification bodies are accredited by the Member States.
  • The accreditations of the certification bodies are issued for a maximum period of five years. They can be renewed if requirements continue to be met.
  • All the certification bodies accredited shall demonstrate their independence, their expertise and that their tasks and duties do not result in a conflict of interests. They should also establish procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks.  

How should a personal data breach be notified?

  • The Regulation states that when a data breach occurs, the controller has 72 hours to notify the personal data breach to the competent supervisory authority (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons). The controller shall also document any personal data breaches.
  • If the notification is not made within the 72 hours, it shall be accompanied by reasons for the delay.
  • The processor shall also notify the controller without undue delay after becoming aware of a personal data breach.
  • The notification shall describe the nature (number of data subjects and number of personal data records concerned) of the data breach. It shall describe the consequences of the data breach and the measures taken to address the personal data breach. It shall also communicate the name and contact details of the contact point who is able to give more information about the breach.  

The personal data breach and its nature shall be communicated by the controller to the data subject when it results in "a high risk to the rights and freedom of a natural person".

What are the sanctions?

The GDPR foresees the possibility for each supervisory authority to impose sanctions such as administrative fines. These fines could go up to 20 million euros, or 4% of the annual worldwide turnover of a company.

What does the GDPR mean for companies?

One of the goals of the GDPR is to simplify the requirements for companies working in several European Member States.

More precisely, the GDPR establishes a "one-stop-shop" for companies that are active in several European countries. They will only have to deal with the Supervisory Authority of the country where their "main establishment" is located (e.g. the place where the main processing activities take place). This Supervisory Authority will then play the role of "lead authority" and supervise all the processing activities of the company in the European Union.

Moreover, one of the most important new obligations is the appointment of Data Protection Officers (DPOs) in some specific companies (over 250 employees). The role of the DPO will only be to verify the compliance of the company's activities with the GDPR.

More details regarding the DPOs were adopted by the Article 29 Data Protection Working Party (WP29) on December 13 2016 in its guidelines on the subject. 

Now, let's see how two European countries are preparing for the GDPR.

GDPR in France

In France, the Supervisory Authority for the General Data Protection Regulation is the Commission Nationale de l'Informatique et des Libertés (CNIL). The CNIL is deeply invested in the preparation of the entry into force of the provisions of the Regulation as it occupies the Presidency of the WP29 until February 2018.

The CNIL launched a public consultation in France in June 2016 regarding the four priority subjects identified by the WP29:

  • New portability right
  • Notion of high risk, and Data Protection Impact Assessment (DPIA)
  • Certification
  • Data Protection Officer 

The goal of this public consultation was to invite feedback from the various actors working in the field of data processing and identify their difficulties regarding the new Regulation. The consultation was closed in July 2016 and the CNIL published its first summary of the responses it received on March 2017 (the summary regarding certification has not been published yet).

The CNIL is still encouraging stakeholders to outline their difficulties, and raise questions regarding the entry into force of the GDPR.

Moreover, the "law for a digital Republic" officially adopted by France on 8 October 2016 is already paving the way for the entry into force of the GDPR's provisions in the country.

More precisely, this law creates new obligations for data processing companies in line with the GDPR and, for example, permits the CNIL to impose sanctions of up to three million euros.  It is important to note that, after 25 May 2018, the provisions of the GDPR will apply when there is a conflict with the provisions of the "law for a digital Republic". 

GDPR in the Netherlands

In the Netherlands, the Supervisory Authority for the GDPR is the Autoriteit Persoonsgegevens (AP). The AP, whose powers will become stronger with the new Regulation, is starting to prepare for the entry into force of its provisions.

To help companies based in the Netherlands prepare for the introduction of the GDPR in May 2018, the AP has declared itself available to answer all questions by phone or email.

Moreover, from June 2017, every month the AP will publish on its website the responses to the three most frequently asked questions regarding the implementation of the GDPR.

Currently, the main data protection rules in the Netherlands are:

  • The "Dutch Data Protection Act" (WBP), which implemented the European Union Data Protection Directive 95/46/EC in national law on 1 September 2001.
  • The "Breach Notification Law" of 2016. This is paving the way for some provisions of the GDPR, as it states that a data breach must be reported to the AP and that data subjects have to be informed about a data breach if it can have consequences for their privacy. 

GDPR in the United Kingdom

The GDPR will apply in the UK from 25 May 2018.

The UK Government presented its legislative program for the next two years on 21 June 2017. It confirmed that the GDPR will be brought into UK law. The GDPR will then apply to UK companies dealing with the EU.

Some post-Brexit amendments will be necessary as to the role of the UK supervisory authority and its relationship with the EU authorities for example.

The notes to the Queen's speech (page 46) underlined the importance of maintaining data flow from the EU after Brexit to "cement the UK's position at the forefront of technical innovation, international data sharing and protection of personal data."

Biometric data protection in the United States 

In the United States, there is no single, comprehensive federal law regulating the collection and use of personal data in general, or biometric data in particular. Instead, the country has a patchwork system of federal and state laws and regulations that can sometimes overlap or contradict one another.

But that's not all…

Government agencies and industry groups have developed self-regulatory guidelines, drawn from best practices and which are now taken into account by regulators.

Apple, Facebook, Google and Microsoft have been self-regulating for some time, even though these companies have been investing heavily in the creation of powerful facial recognition technologies. Facebook, for example, has an agreement with the Federal Trade Commission. Under this, the company has to first obtain "affirmative express consent" before going beyond a user's specified privacy settings. According to Wikipedia, DeepFace, Facebook's facial recognition system, is said to be 97% accurate. This compares with 85% for the FBI's Next Generation Identification System.

Identification without consent in 47 states

As of July 2017, it is legal in 47 states for software to identify an individual using images taken without consent while they are in public. Illinois and Texas don't allow it for commercial use.

As of June 2017, Washington is the third state to pass a biometric privacy law. It covers any business entity that collects biometric identifiers for commercial purposes.

Facial recognition, for example, can be performed inconspicuously from a distance without the individual actively providing any information.

There's already facial recognition software that shops can use to signal pre-identified shoplifters or to identify customers that return goods too often. And it doesn't take much to imagine that, thanks to Facebook, these shops could easily get immediate information on their customers when they enter the store: who they are, where they live, income and/or credit score.

From a privacy perspective, these practices conflict with key principles such as anonymity, consent and purpose.

Let's dig a little deeper.

Many parties to address the issue

The question of consent and how to manage biometric data is sensitive, and it seems as if virtually every agency in Washington is addressing at least part of the issue:

  • The National Institute of Standards and Technology for the evaluation of biometric technologies.
  • The Federal Trade Commission for data security with the FTC Act (15 U.S.C. §§41-58). This consumer protection law prohibits unfair or deceptive practices. It's been applied to offline and online privacy and data security policies.
  • The Food and Drug Administration for the security of implants.
  • The Department of Health and Human Services with the Health Insurance Portability and Accountability Act (42 U.S.C. §1301 et seq.) for medical information.

Three states have enacted a protection law for biometric identifiers and several others are debating one.

In particular, the California legislature debated a bill in 2015-2016 that would have expanded data security requirements for businesses that maintain personal information of California residents to include protection for geolocation and biometric data.

Biometric information was defined in the bill as data generated by automatic measurements of an individual's fingerprint, voice print, eye retinas or irises, identifying DNA information, or unique facial characteristics, which are used by the owner or licensee to uniquely authenticate an individual's identity. However the bill failed to pass the Senate Judiciary Committee. 

But clearly, US regulators are increasingly focusing on the use of biometric data. 

Gemalto and digital security

An expert in strong identification with more than 200 civil ID, population registration and law enforcement projects that incorporate biometrics, Gemalto is able to act as an independent authority in proposing and recommending the most suitable solution for each application.

Gemalto attaches a great deal of importance to the assessment of risks and to the capacity of private operators to manage such risks. Similarly, the legal and social implications are also very important.

Although Gemalto keeps an open mind with regard to biometric techniques, it remains no less convinced that, whatever the choice of biometric, this technology offers major benefits for guaranteeing identity.

For a broader view of privacy laws, we recommend Global Tables of Data Privacy Laws and Bills (2017 edition) by Graham Greenleaf, University of New South Wales, Faculty of Law.

You can also find more information in our April 2017 web dossier: eIDAS Regulation in 2017 – A pivotal year for digital services in the EU.

For a general overview of biometrics, we suggest our June 2017 dossier on biometric authentication.