- consent has been given explicitly
- biometric information is necessary for carrying out obligations of the controller or the data subject in the field of employment, social security and social protection law
- it is essential to protect the vital interests of the individual and he/she is incapable of giving consent
- it is critical for any legal claims
- it is necessary for reasons of public interest in the area of public health.
Taking on Compliance Concerns
by Dan Miller
April 5, 2021
Biometric authentication is already a fact of life for billions of people around the world. They routinely use their faces or fingerprints to activate smartphones, PCs or other personal devices. Hundreds of millions of people with smart speakers are delighted to find that their voice assistant is able to offer personalized responses based on the unique quality of their voices. Opus Research estimates that over half a billion people have already enrolled their voiceprints with their banks, brokers, tax offices and others in order to simplify and accelerate required authentication procedures and carry out their business on trusted communications links.
Popularity already extends to the commercial space where, in 2019, Deloitte published results of an executive survey in which 52% of respondents indicated that they were planning or evaluating the use of biometric authentication. 61% of them expected to use it in contact centers; 59% integrated in a mobile app or chatbot; and 56% expected to integrate biometrics with a “voicebot.”
Acceptance of biometrics to support secure or trusted access, interactions and transactions is not surprising. There has been a steady crescendo in efforts to replace time-consuming and inconvenient knowledge-based identifiers (KBIs), especially username/password combinations, as well as the even-more-time-consuming “challenge questions,” with techniques that are more convenient and speedier. Biometric authentication, thanks to its popularity for device activation, is a worthy candidate. Yet all of the forces militating toward more biometrics operate under the shadow of global concern surrounding “compliance” with prevailing laws, regulations or industry standards governing protection of privacy and personally identifiable information (PII).
In terms of PII, they ask, “What could be more personal than a biometric template?” It is literally a digitized version of “something you are.”
Proper Handling of “Sensitive Information”
Compliance with privacy parameters is, rightfully, an evergreen concern. Stories that Apple, Amazon and Google are capturing and storing voice biometrics data (voiceprints) without permission have been a magnet for law firms to step in on behalf of a class of plaintiffs who, they believe, are entitled to significant damages. They invoke a wide range of privacy laws, but you most often hear of GDPR (General Data Privacy Regulations), which was passed in 2016 in the EU where it was fully enacted in 2018. GDPR puts biometric data into a “sensitive category of personal data.” Yet it is not the only set of rules that pertain to compliance. There are privacy regulations enforced or being legislated in over 60 countries worldwide.
In the United States we often hear of the state of Illinois’ Biometric Information Protection Act (BIPA), which was very far-sighted when it went into effect in 2008. It has been the basis of hundreds of class action lawsuits and is a foundation on which litigators continuously expand the definition of activities and processes that comprise “improper collection, use, storage, and dissemination of biometric data.”
In a nutshell, GDPR and BIPA expressly prevent these special categories of personal data from being used in a process that “allows or confirms the unique identification of that natural person…” unless: