How does biometric data fit in with the GDPR?

Biometric data GDPR

A new debate about biometrics has sparked off

Biometrics and privacy have long been a point of discussion, even before the GDPR came into force.

In 1997, a US law professor named John D. Woodward wrote a groundbreaking paper published in IEEE Proceedings titled Biometrics, Friend of Privacy or Foe of Privacy?

Woodward argued that biometrics could be a friend to privacy because it provided a means of establishing identity that depended on the unique properties of a single load of an external comparator such as a password. The user cannot forget his face, fingerprint or retina and leave it at home, but he can forget a password or leave an access badge on the dresser.

A password can be guessed or obtained by spoofing, a badge can be stolen, but duplicating a fingerprint or retina is a challenge. The argument is valid to some extent today, although Woodward did not have to deal with the security issues that exist today in protecting biometric data, and he did not have to deal with artificial intelligence, which in certain circumstances can make accurate identifications based on incomplete or circumstantial data. Moreover, the use cases he had referred to in his argument were all authentication, not identification, use cases. We will examine the differences. Finally, there was no GDPR, so biometric data GDPR-related issues did not influence his thinking.



Identification vs. authentication with biometrics


Woodward defined two use cases for biometric data; identification and authentication. For identification, the identity of a subject has not been established. The system captures image data and extracts features relevant to the person being assessed. The system then compares the feature data with known information and attempts to establish a link with a degree of statistical confidence.

This entire activity can be done secretly and without the user's consent. Since the human face is usually exposed, and in its entirety it is unique, facial recognition is the most commonly used identification approach. With authentication, the user gives consent and willingly provides a sample of biometric data, such as a fingerprint image, retina scan or similar, then the system uses this information to verify a user's identity before granting the user access to a facility or potentially highly secured information.

Essentially, authentication answers the question "Are you who you say you are"? Identification answers the question "Who are you"?



Applications for biometric data


Biometric data applications for authentication are widespread, especially in cell phones. In these cases, the user assumes that the data is stored on the cell phone and will not be duplicated anywhere else without the user's consent. In these circumstances, the user controls the data. In cases where a user is given access to an online bank account with biometric data, this data is stored on the bank's servers and the bank controls the data. A cell phone user may share stored biometric data with a mobile service provider to unlock online services.


Application: Who are you?
Consent: Yes
Data control: user or provider or both
Technology: Fingerprint scan Retina scan


Application: Are you who you say you are?
Consent: No
Data control: third party
Technology: Face recognition

Identification use cases are the responsibility of governments concerned about security. Image capture/face recognition is used at international airports around the world to help identify known criminals or foreign activists.

The premise is that the facial features of ordinary citizens are scanned, compared to known data, then dropped if there is no match. Problems can occur when the data for citizens is not dropped, often for the best of intentions, as that person could be identified as a criminal at a later date, knowing where that person had been would be very valuable.

This is a slippery slope, data storage is cheap, modestly priced digital video cameras offer excellent performance, and can be installed wirelessly almost anywhere. The temptation for security professionals to record everything from as many cameras as they can afford is very high.



Will biometric data fall under the GDPR?


GDPR and biometric data are dealt with by the Regulation and with rules laid down at each Data Protection Authority (DPA). The GDPR explicitly prevents the use of biometric data for authentication or identification, but there are several exceptions mentioned in Article 9(2). For authentication, the application must require a high level of reliability that cannot be obtained from other technologies. Biometric data for individuals are considered sensitive personal data and therefore require a higher level of protection.

Various countries have taken specific positions on biometric identification, for example, the French CNIL recently published a position paper in which they recognized the need for a government to secure borders, but refused to set hard rules, preferring to review on a case-by-case basis.

  • According to these regulations, the need for such devices must be determined on a case-by-case basis: Facial recognition cannot be used without a specific requirement to ensure a high level of reliability in verifying the identity of individuals. These texts also stipulate that both the proportionality of the means used and the specific protection of children must be guaranteed. They require that people are at the center of the systems, for example by obtaining their consent or ensuring that they are in control of their data. By applying these principles, which were recently reaffirmed at European level, the CNIL has already had the opportunity to allow certain uses in principle while regulating them in practice (border control at airports) and to refuse others (control of access by pupils in schools).

The CNIL also warned companies against promoting experimental or experimental applications with the sole aim of socializing the public to these technologies and obtaining their tacit consent, these will not be allowed by the CNIL.

The Italian DPA (The Garante) took a different approach in its 2014 guidelines, focusing on the method of collection rather than use and choosing to define passive and interactive biometric collection systems:

  • Biometric systems are referred to as interactive or participatory when they involve the data subject and require them to participate in the biometric data collection phase - e.g. retinal scanning or the placement of a handwritten signature. Conversely, passive systems collect biometric data without the data subject being aware of or aware of them - e.g. facial image capture or voice recordings that are captured without the data subject being aware of them.

This has remained essentially unchanged since 2014, although a legislative decree (Italian only) called for the introduction of new provisions every two years (from 2018) that would revise the guidelines in line with the use of new technologies.
Germany does not have a central data protection authority. Responsibility lies with state organizations, of which there are 16.



Resolving the biometrics debate


The debate about the use of biometrics for identification or authentication in a privacy-centric world is ongoing and has been for over 20 years. Recognizing that the debate actually has two distinct use cases will likely go a long way to achieving some agreement and understanding. The case of identification almost guarantees that the information will be collected without the explicit consent of the individual. On the other hand, there are many use cases for authentication that seek the consent and active participation of the individual, and the individual often benefits from more reliable access and better security. While it is understood that law enforcement at the nation-state level desperately needs biometric identification, its use by others may be unnecessary when other less invasive approaches may be acceptable.


  • Biometrics, privacy’s friend or privacy’s foe:’s-foe-or-privacy’s-friend-Woodward/45db09c52035fcee984525397b56d8b5c9b80b57
  • Position paper:
  • 2014 Guidelines: RECOGNITION.pdf/3ac0d4ff-7575-4f5e-a3fa-b894ab7cf517?version=1.1
Share this post :