by Ugo Dallemagne,
Legal counsel @ Natural Security Alliance
As an important step toward the regulation of biometrics in Europe, on 12 November 2014 the Italian DPA (Data Protection Authority, the 'Garante') approved a regulatory framework for biometrics, following a public consultation that ran for a few months.
Noting that more and more companies deploy biometric solutions to manage logical and physical access, and that more and more biometric authentication services are offered to consumers, the Garante developed a specific regulatory framework. It aims, on the one hand, to ensure that biometric processing complies with data protection law and, on the other, to foster, or at least not deter, innovation in biometrics and to help improve the security of authentication.
The framework imposes rules on the controller of biometric processing carried out for electronic authentication, for access to sensitive areas or the use of dangerous machinery, for facilitating access to services, and for signing electronic documents. As the Garante explains, the regulation will make it easier to use biometric technologies: a controller, whether a public or private entity, that adheres to these rules is exempted from prior checking by the Garante and may therefore carry out the processing without a specific authorisation. The controller nevertheless remains responsible for the processing and is accountable to the Garante if it does not comply with the rules set out in the framework.
The guidelines are a set of rules on the implementation of biometric authentication. Rather than enacting specific legal provisions, the Garante has drawn up a checklist of technical requirements to be met. There are four sets of requirements, one for each purpose of processing, but they share a common core: for instance, there must be an anti-spoofing mechanism; the biometric data must be deleted from the reader once it has been captured and converted; when data is transmitted from one device to another, a secure protocol must be used; and so on. In addition, the controller must keep documentation of the processing and be able to demonstrate that adequate technical and organisational measures have been taken to ensure compliance.
To date, the Garante is the first and only national authority in Europe to implement such a framework and to express an official position on the regulation of biometrics. The Italian DPA has taken the lead in Europe, demonstrating that specific rules for biometric processing are both possible and effective. It is likely that other Member States, or the Article 29 Working Party, will develop similar frameworks.
This initiative should be welcomed because it gives legal certainty to implementers of biometric solutions, and because it adopts the accountability logic of the Reform Proposal on Data Protection by promoting privacy by design, documentation and accountability in place of prior checking.