• Gemalto is now part of the Thales Group, find out more.

Biometric data and data protection regulations (GDPR and CCPA)

​​​​​​​​​​​​​​​​​​​​​​​​​​​Estimated reading time: 12 minutesBiometric Data

Despite the very particular character of such information, there are virtually no legal provisions in the world that are specific to biometric data protection. 

Legal texts instead rely on provisions relating to personal data protection and privacy in the broad sense. But such legislation sometimes proves to be poorly adapted to biometric data. 

Assuming – that is – there is any such legislation at all.

For a general overview of biometrics, we suggest our dossier on biometric authentication.

Biometric data and privacy: what the law says

However, the General Data Protection Regulation (GDPR) for European Member States does address biometric data. 
It represents a significant step forward for data protection and privacy with a real international impact. 

The result?  

Twenty-eight countries, including the UK, now have a new regulation in place. 

In the United States, there is no single, comprehensive federal law regulating the collection and use of biometric data. However, Washington, following Illinois and Texas, passed a biometric privacy law in 2017. California enhanced its privacy protection regulation at the end of 2018. The law (CCPA) is frequently presented as a potential model for a US data privacy law.

US regulators are also increasingly focusing on the use of biometric data.

In August 2017, India's supreme court ruled privacy a "fundamental right" in a landmark case, illustrating that biometric data protection is now on top of the regulators' agenda in the largest democracy of the world.

Let's dig in.

In this web dossier, we will focus on five topics:

  1. Biometric data within the GDPR
  2. Main objectives and provisions of the GDPR (including a video)
  3. How to get prepared for a major privacy regulation: Focus on the UK and France
  4. US legal landscape for biometric data protection in 2020 (including CCPA)
  5. India and the emerging consensus on ​​biometric data protection.

​Biometric data and GDPR

​ The EU GDPR establishes a harmonized framework within the European Union, the right to be forgotten, unambiguous, and affirmative consent and, amongst other things, severe penalties for failure to comply with these rules.

  • The Regulation 2012/0011 was ​adopted officially on 27 April 2016 
  • It came into force on 24 May 2016 
  • Member States had to transpose it into their national law by 6 May 2018 
  • ​​The provisions of the Regulation are applying as of 25 May 2018.

​​National governments do not have to pass any enabling legislation. The new legislation replaces the existing national laws.

So, yes, you read that right. 

The law is now the same for 500 million people.

Biometric information

What is biometric data​​ for the EU regulation?​

The EU data privacy law​ defines biometric data as "special categories of personal data" and prohibits its "processing."

More precisely, biometric data are “personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic (fingerprints) data."

The Regulation protects EU citizens and long-term residents from having their information shared with third parties without their consent

Their processing for "​uniquely identifying a natural person” is prohibited. 

However, it does contain some exceptions:

  • ​​If consent has been given explicitly
  • If biometric information is necessary for carrying out obligations of the controller or the data subject in the field of employment, social security and social protection law
  • If it's essential to protect the vital interests of the individual and he/she is incapable of giving consent
  • If it's critical for any legal claims
  • If it'​​s necessary for reasons of public interest in the area of public health.

​Moreover, the Regulation permits the Member States to introduce other limitations regarding the processing of biometric information.

​Main objectives and provisions of the GDPR

The main objective of the text is to give back to European citizens control over their personal data, while simplifying the regulatory framework for companies. 

More precisely, this means that as of 25 May 2018, as we said earlier, there is only one set of rules directly applicable in all the European Member States regarding the protection of personal data.

But wait, there's more.

EU residents are gaining more control over their personal and biometric data. 

The right to be forgotten

The Regulation states that the consent must be explicit before the collection of the data. It also explains that "the data subject shall have the right to withdraw his or her consent at any time" also known as "the right to be forgotten."

Data breach must be notified within 72 hours

Not only does it establish a clear set of consumer rights, but GDPR also includes measures aimed at boosting enterprise security. For example, if a company discovers a data breach, then processors must inform the authorities within 72 hours of discovery. 

Companies managing biometric information could be hit with massive penalties if they do not make efforts to secure that data. These could reach 20 million euros or 4% of annual worldwide turnover.

A global law 

And here is why this law has a truly international impact.

Non-EU established organizations will be subject to the GDPR, where they process personal data about EU data subjects. This makes the GDPR a global law. 

Privacy by design and by default

Data usage should be limited to what is necessary. The Regulation states that personal data shall be collected for "specified, explicit and legitimate purposes."

It shall not be further processed "in a manner that is incompatible with those purposes."

The personal data collected should be adequate, relevant, and limited to what is necessary (the data minimization principle).​

The Regulation states that, by default, only personal data that is necessary for a specific purpose should be processed. To meet this objective, the controller must implement the technical and organizational measures needed. 

This means​​ that data protection will have to be designed into the development of business processes for products and services to avoid the well-known "function creep" effect.

With a clear focus on biometric data privacy

For biometric security to work well, citizen rights must be protected appropriately, and the data collected by private and public organizations managed carefully and sensibly. 

The new GDPR focuses especially on biometrics, clearly recognizing the technology's immense potential.

​​What does the GDPR mean for companies?

One of the goals of the GDPR is to simplify the requirements for companies working in several European Member States.

More precisely, the GDPR establishes a "one-stop-shop" for companies that are active in several European countries. They will only have to deal with the Supervisory Authority of the country where their "main establishment" is located (e.g., the place where the main processing activities take place). 

This Supervisory Authority will then play the role of "lead authority" and supervise all the processing activities of the company in the European Union.

Moreover, one of the most important new obligations is the appointment of Data Protection Officers (DPOs) in some specific companies (over 250 employees). The role of the DPO will only be to verify the compliance of the company's activities with the GDPR.

More details regarding the DPOs were adopted by the Article 29 Data Protection Working Party (WP29) on 13 December 2016 in its guidelines on the subject. 

Now, let's see how the UK and France have been preparing for the GDPR.

UK data protection bill

UK data protection bill, incorporating biometric data, announced on September 2017

In June 2017, the British government presented its legislative program for the next two years, bringing GDPR into UK law and the country into line with the EU. 

The UK's decision to leave the EU is not affecting the implementation of the GDPR.

Of course, some post-Brexit amendments are necessary as to the role of the UK supervisory authority and its relationship with the EU authorities, for example.

The notes to the Queen's speech (page 46) underlined the importance of maintaining data flow from the EU after Brexit to "cement the UK's position at the forefront of technical innovation, international data sharing and protection of personal data." ​

The September Data Protection Bill

On 14 September 2017, the Data Protection Bill was published in the UK. The goal of this piece of legislation is to modernize data protection law in the UK for the years to come. 

However, it is important to note that the GDPR is applying in the UK as of 25 May 2018. The Data Protection Bill only applies where the GDPR leaves Member States opportunities to make provisions for how it applies in their country. 

The Data Protection Bill, which has now received the Royal Assent, also concerns other topics than the provisions of the GDPR. The Information Commissioner’s Office (ICO), UK’s Data Protection Authority, explained that it is essential to read the GDPR and the Data Protection bill side by side. 

In summary, 

The GDPR is applying in the UK as of 25 May 2018.

GDPR France 

GDPR prep in France: a stakeholders’ consultation to identify difficulties 

In France, the Supervisory Authority for the General Data Protection Regulation is the Commission Nationale de l'Informatique et des Libertés (CNIL). The CNIL deeply invested in the preparation of the provisions of the Regulation as it occupied the Presidency of the WP29 until February 2018.

The CNIL launched several public consultations in France (June 2016, March 2017 and September 2017).

The CNIL keeps encouraging stakeholders to outline their difficulties and raise questions regarding the entry into force of the GDPR through its website.  

Moreover, the "law for a digital Republic​" officially adopted by France on 8 October 2016 already paved the way for the entry into force of the GDPR's provisions in the country.

More precisely, this law creates new obligations for data processing companies in line with the GDPR and, for example, permits the CNIL to impose sanctions of up to three million euros.  After 25 May 2018, the requirements of the GDPR are applying when there is a conflict with the "law for a digital Republic". 

And it's just the beginning.

In January 2019, the CNIL announced that it had fined Google 50 million euros (approximately USD$56 million) for breaching the GDPR through its use of targeted advertising. 

As of June 2019, it is the most significant data protection fine ever issued.

GDPR experience so far (May 2018- May 2019)

GDPR assessment after eight months

The EU Commission reported in January 2019 that:

  • 5 countries (Bulgaria, Greece, Slovenia, Portugal, and Czechia) were still in the process of adopting the Regulation.
  • 95,180 data protection complaints had been filed with Data Protection Authorities (DPAs)
  • 41,502 personal data breaches have been notified.
  • 3 fines have been issued (including Google for €50m).

It's interesting to note that Japan has put in place a set of rules (adequacy decision) to bridge the differences between its data protection system and the GDPR in January 2019.

GDPR assessment after one year

As reported by the EU commission in May 2019:

  • 3 countries are still in the process of adopting the GDPR (Greece, Slovenia, and Portugal)
  • 144,376 queries and complaints to data protection authorities have been filed
  • 89,271 data breaches have been reported
  • 5 fines have been issued (for a total of €52m)

What can we see here?

  • There is no avalanche of multi-million fines as predicted by scaremongers. The only big one is related to Google for its lack of transparency about the way it collects personal data for advertising.
  • GDPR did not change nor block everything, as feared by many. It's an evolutionary process. Over 1000 US sites blocked EU citizens in 2018. This situation is no longer the case.
  • The GDPR is having an influence worldwide and, more specifically, in the United States. To be honest, the debate is heating up in the country for two reasons: the introduction of the GDPR and California's CCPA.
  • The GDPR is not only about consent. That's probably one aspect that has been misunderstood.
  • However, the UK and France have seen a flood of businesses reporting themselves for violations.

​Biometric data protection in the United States

Biometric data protection usa 

​In the United States, there is no single, comprehensive federal law regulating the collection and use of personal data in general, or biometric data in particular. Instead, the country has a patchwork system of federal and state laws and regulations that can sometimes overlap or contradict one another.

But that's not all.

Government agencies and industry groups have developed self-regulatory guidelines, drawn from best practices and which are now taken into account by regulators.

Apple, Facebook, Google, and Microsoft have been self-regulating for some time, even though these companies have been investing heavily in the creation of powerful facial recognition technologies. Facebook, for example, has an agreement with the Federal Trade Commission. Under this, the company has to first obtain "affirmative, express consent" before going beyond a user's specified privacy settings. 

There's more.

In July 2018, Microsoft President Brad Smith called for federal regulation for facial recognition software use and ​ urged Congress to study it ​and oversee its implementation.

This unusual blog post​ illustrates how powerful technologies involving artificial intelligence — such as facial recognition — have set off a controversial battle among tech executives.

Identification without consent in 46 states

As of January 2020, it is legal in 46 states for software to identify an individual using images taken without consent while they are in public. California, Washington, Illinois, and Texas don't allow it for commercial use.

California is the fourth state to pass a biometric privacy law in 2020. It covers any business entity that collects biometric identifiers for commercial purposes.

So what's the situation in most states?

Facial recognition, for example, can be performed inconspicuously from a distance without the individual actively providing any information.

There's already facial recognition software that shops can use to signal pre-identified shoplifters or to identify customers that return goods too often. And it doesn't take much to imagine that - thanks to Facebook - these shops could quickly get immediate information on their customers when they enter the store: who they are, where they live, income or credit score.

From a privacy perspective, these practices conflict with critical principles such as anonymity, consent, and purpose.

Let's dig a little deeper.

california privacy law

Many parties to address the issue

The question of consent and how to manage biometric data is sensitive, and it seems as if virtually every agency in Washington is addressing at least part of the issue:

  • The National Institute of Standards and Technology for the evaluation of biometric technologies.
  • The Federal Trade Commission for data security with the FTC Act (15 U.S.C. §§41-58). This consumer protection law prohibits unfair or deceptive practices. It's been applied to offline and online privacy and data security policies.
  • The Food and Drug Administration for the security of implants.
  • The Department of Health and Human Services with the Health Insurance Portability and Accountability Act (42 U.S.C. §1301 et seq.) for medical information. The HIPAA Privacy Rule of 2003 regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities." They may disclose protected health information to law enforcement officials for law enforcement purposes and administrative requests; or to identify or locate a suspect, fugitive, material witness, or missing person.​

Four states have enacted a protection law for biometric identifiers, and several others are debating one.

So, US regulators have to focus increasingly the use of biometric data. 

Four significant steps in 2019-2020

Things have been moving fast in the last months in the US.

At least four significant privacy legislation fronts are worth mentioning:

  1. The California Consumer Privacy Act
  2. The 2008 Illinois Biometric Protection Act (BIPA) and the 25 January 2019 ruling in the Rosenbach v. Six Flags Entertainment Corporation case. 
  3. Federal legislative hearings 
  4. The anti-surveillance ordinance signed on 6 May 2019 by San Francisco's Board of Supervisors. 

#1 California's new privacy law

The California Consumer Privacy Act (CCPA) is a bill passed in June 2018. It enhances privacy rights and consumer protection for residents of California. The CCPA becomes effective on 1 January 2020.

California is the fifth-largest economy in the world and home of many tech giants. It is also traditionally a trend-setting state for data protection and privacy in the US.

The result?

The law is frequently presented as a potential model for a US data privacy law. In that sense, the CCPA has the potential to become as consequential as the GDPR.

CCPA definition of biometric data is a bit broader than that of GDPR: “an individual’s physiological, biological or behavioral characteristics, including an individual’s DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity.”

The rights provided to California consumers to protect their personal information and biometric data include:

  • Accessing the data (right of disclosure or access),
  • Deleting them (right to be forgotten),
  • Taking them (data portability – the data must be received in a commonly used and readable format),
  • Requesting businesses not to sell their personal information,
  • Opting out (Opt-in is the primary consent standard mandated by European GDPR),
  • Right of action (penalties).

 For a more detailed comparison between CCPA and GDPR, we suggest this excellent document.

 #2 Illinois's BIPA and the Rosenbach v. Six Flags case

Illinois’ BIPA is the most robust biometric privacy law in the United States. 

The case was significant because the Illinois Supreme Court ruled that a plaintiff didn't need to show additional harm to impose penalties on a BIPA violator. A loss of statutory biometric privacy rights is enough. 

In other words, when companies collect biometric data like fingerprints or faceprints without opt-in consent, they can be sued. 

The Electronic Frontier Foundation praised the ruling, calling it a key privacy victory.

#3 Federal hearings and activity

It seems California has strongly motivated members of Congress. 

Federal legislative hearings and activity are aiming at combating the challenge, created by a “patchwork” of separate, individual state privacy laws. 

The House Oversight and Reform Committee held its third hearing ion 15 January 2020 about facial recognition.

But could California's privacy law be a model for the US as Government Technology put it? 

#4 San Francisco's ban on facial recognition

The anti-surveillance ordinance signed on 6 May 2019 by San Francisco's Board of Supervisors is the first ban by a major city on the use of face recognition technology.

It prohibits its government from using facial-recognition technology. This includes SFPD.  

Since the passage of the ordinance, the debate is hot in many cities and states. 

Should other locality follow this example? Is this a step backwards for public safety?  Is the ban just a "pause button" to better analyze the risks of such technology?

Somerville (Massachusetts) in June and Oakland (California) in July took the same decision. San Diego went along the same way in December 2019 with a three-year moratorium.

So, stay tuned for the outcome of all these discussions in 2020 and, in the meantime..let's move to India.

India and the emerging global consensus on biometric data protection​ ​

India and the emerging global consensus on biometric data protection​

On 24 August 2017, India made it very clear as the Supreme Court ruled privacy a ‘fundamental right’ in a landmark case.  A September 2018 supreme court judgment eventually ruled that it is unconstitutional for private companies to use Aadhaar data, impacting the massive country’s biometric identification program.

Just think about the size of this project.

Aadhaar was first unveiled back in 2009. Today, some 1.25 billion people have an Aadhaar number, accounting for more than 99% of India’s total adult population. 

The principle is simple. 

Biographic and biometric data are captured from all Indian residents aged over 18. This means name, date of birth, gender, address, a photograph, and ten fingerprint and two iris scans.

Each resident is then issued with their own, unique 12-digit Aadhaar number. It’s a residential and not a citizenship card and not compulsory so far. It’s a single, universal, digital identity number that any registered entity can use to “authenticate” an Indian resident. But the ID is not the card, it’s the number, and it’s purely digital and hence verifiable online.

You’re there. In India, it’s about you being the identity, not the card. 

So should this project be limited to a national ID scheme? It seems not.

On 28 February 2019, India’s Modi government approved the change of the law governing the country’s biometric ID program. In particular, the changes allow Aadhaar to be used by private entities— after a September 2018 supreme court judgment ruled that it was unconstitutional.

New Aadhaar amendments were passed in July 2019. They allow for the usage of the Aadhaar number for verification (such as electronic know your customer process or e-KYC), by private parties, and thereby doesn’t prevent them from collecting the Aadhaar details of an individual.

A global consensus on privacy?

Privacy demands rigorous accountability. We see the emergence of a global consensus in many countries, its fundamental principle being that mismanagement of personal information will not be tolerated and that companies that do not protect data adequately could be hit with hefty fines.

Let’s hope that these new laws and regulations can keep pace with digital change.

​Gemalto and digital security

An expert in strong identification with more than 200 civil ID, population registration, and law enforcement projects that incorporate biometrics, Gemalto can act as an independent authority in proposing and recommending the most suitable solution for each application.

Gemalto attaches a great deal of importance to the assessment of risks and to the capacity of private operators to manage such risks. Similarly, legal and social implications are also significant.

Although Gemalto keeps an open mind concerning biometric techniques, it remains no less convinced that, whatever the choice of biometric, this technology offers significant benefits for guaranteeing identity.

More resources