Ugo Dallemagne
Juriste / Legal councel @ Natural Security

Biometric authentication is the use of a certain unique property of an individual for the identification and/or the authentication. It makes the identification and the authentication procedures easier, faster, improving thus the use-experience. However, biometrics presents also important risks for the users. The misuse of the biometric data and the use of spoofed and stolen biometric sources can lead to serious damages in terms of privacy.

Until now, the European data protection framework (the Directive 95/46/EC) does not take into account expressly biometrics. This led to discrepancies among the domestic regulation of the Member states. Contrarily, the Regulation proposal (EU General Data protection Regulation) gives a legal definition of biometric data, and – despite the fact it is actually being discussed – proposes a legal status.

Nevertheless, the Regulation proposal stipulates general principles but no specific rules for specific situations, such as the processing of biometric data. For instance, the conditions of the consent of the data subject, essential to legitimate processing of biometric data in a business-to-consumer context, have been reinforced: the consent shall be freely given, specific, explicit, and revocable at any time. In addition, the Regulation proposal consecrates the accountability principle, according to which the data controller (of a biometric system) shall be able to prove at any time that the adequate and necessary technical and organizational measures to comply with the law have been taken.

The Regulation proposal is providing, all the same, new tools for data controllers to comply with the accountability principles; new tools that apply perfectly to biometrics.

Firstly, data controllers are bound to apply the privacy-by-design principle. This is a method of designing processes and devices in order to take into account privacy-risks and to mitigate them by implementing appropriate technical measures. In regards with biometrics, such measures should prevent remote authentication, function creep, spoofing, alteration of the data, etc.

Secondly, actors are encouraged to develop certification schemes, labels, and codes of conduct. In a context where several actors (manufacturers, vendors, integrators, resellers, service providers) are involved in the design of the biometric authentication, these tools permit to build a privacy-compliant ecosystem in which devices can be tested and trusted, actors are contractually bound to a specific code of conduct they have elaborated, and users/consumers profit from a greater visibility thank to the label that serves as a guarantee that privacy is respected.

For now on the Regulation proposal is still under discussion. But in the future, a close collaboration of companies with data protection authorities should take place in order to foster the elaboration of specific guidelines regarding biometrics and to encourage the private sector to develop privacy-friendly biometric systems.