Biometrics and GDPR: friend or foe?
Written by: Charlotte Bourguignon & Bavo van den Heuvel
Biometric data are hot, and no longer only used by the judiciary and police. They offer various advantages in terms of convenience and security, professional and private. Just think of how easy it is to unlock your smartphone with facial recognition or log into your PC through fingerprint recognition. Biometrics have the ability to make our daily lives easier, both at home and in the office.
The increasing use and storage of this type of data naturally also requires a conclusive legal framework that guarantees the privacy of the parties involved. The GDPR or General Data Protection Regulation, aims to protect, safeguard, and anchor those rights. However, we see that in practice, poor implementations, misinterpretations of the GDPR and a lack of a clear framework have led to biometrics gaining a somewhat bad rep, despite its undeniable benefits.
Biometric data: a definition
Generally speaking, biometric data can be considered anything you can measure on a body, such as fingerprints, blood vessels on the palm of the hand or a scan of the retina in your eye. However, unique behavior that characterizes a person can also fall under this. For example, you might recognize someone based on their morning routine: What’s the first thing someone does on their PC? In what order? How do they type on computer or smartphone? And so on.
Nevertheless, from a legal and security point of view, a stricter definition has emerged. Article 4(n) of the GDPR defines biometric data as follows:
‘Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
In other words, it concerns unique data that can be traced back to one specific individual. This can pose major risks in the event of unlawful use: for example, biometric data can reveal more information than is specifically intended in certain cases, such as ethnicity, state of health or state of drunkenness even. The processing of this type of data is therefore extremely delicate, which entails additional challenges in terms of privacy.
Article 9.1 of the GDPR (on special categories of personal data, popularly called “the sensitive data in the privacy law”) states that the processing of biometric data for the purpose of uniquely identifying a natural person is, in principle, prohibited. Biometric data for identification are considered under this article, as a special category of personal data due to their sensitive nature. Therefore, one must use one of the grounds for exception for processing, mentioned in Article 9.2.
Identification or verification?
However, what Article 9.1 does not seem to take into account is the difference between identification and verification, as it is made in Article 4 n). These two terms may seem interchangeable, but they do have different meanings.
Here’s the thing: with identification or recognition, a system will check whether someone’s biometric characteristics match with previously stored templates in a database. This process is also called the one-to-many or ‘one-to-many’ approach: a specific biometric feature (e.g. a fingerprint) of the user is compared with characteristics of all other registered users in the database. This comparison is done in the background on the basis of a calculated template by the biometric system and not on the basis of images of, for example, the fingerprint. This method is very important: after all, from those stored templates in the database, the biometric feature itself cannot be reconstructed. When the set threshold is reached in this comparison of the templates, there is a match and the correct identity is linked. Identification is therefore about recognising people without further ado: the person does not communicate who he or she is in advance.
In contrast, when verifying or confirming identity, a person’s identity is verified using a unique number or code offered by the person (via a keyboard or access badge) and the biometric identifier provided by them. These are also compared, but only with the previously stored template of the same user in a database. It is therefore only verified whether the person who presents themselves is the person they claim to be. Moreover, the user template can be perfectly stored on the access badge, so that the organisation does not have to keep it in the central systems.
An example of verification: when you get to your personal safe, enter your code and scan your fingerprint. The system then checks whether this fingerprint matches your template, which is requested based on your code. If yes, open the safe.
The risky option
Why is biometric identification considered a riskier application? An organisation with bad intentions could potentially abuse the database (with face templates) and, for example, follow staff members’ actions by permanently linking the images from the surveillance cameras with the stored template for identification in the database.
The problem is that, in our opinion, Article 9.1 of the GDPR only deals with the processing of biometric data for identification, which is also confirmed by Prof. Dr. Els Kindt. This implies that a database is always used during processing against which everyone is compared, when processing biometric data.
Supervisory Authority (SA)versus GDPR
The Supervisory Authority (SA) also does not take this distinction between verification and identification into account in its recommendation about the processing of personal data, which means that, according to them, the verification of biometric data also falls within the scope of Article 9.1.
Nevertheless, the difference from a privacy point of view is large. Take, for example, an organization or company with a database of 1000 employees. In case of identification, that company could uniquely identify employees without their cooperation nor knowledge even. This can be done for instance, based on sharp camera images from ordinary surveillance cameras. With verification, this is not possible, because you first have to know who is offering themselves before you can retrieve the template from the database of a system that is only designed for verification. Precisely to prevent this kind of abuse, biometric identification is very strictly regulated both in open (e.g. shopping streets, stations, airports) and closed spaces, and rightly so.
Moreover, in its recommendation, the DPA assumes that it is always the authentic, ‘naked’ images, i.e. the sensor output as such, that are stored in the databases of these biometric systems. In practice, this is not the case. Except for the government, which stores an authentic copy of a normalized photo of your face or fingerprints on your identity card or passport), this is not actually applied. Companies that use biometrics work with templates that are derived from the original info.
For example, a biometric system will convert the original image into a mathematical pattern, a “template”, during the initial registration of your biometric characteristic. It is impossible to go from this pattern back to the authentic image, but the system is able to recognize the attribute based on that template, by comparison with the saved template, or, in the case of identification, all saved templates. If the threshold is exceeded and there is a sufficient match, there is certainty about your identity.
It is important that the algorithm here always works in one direction. The data that an iPhone calculates and stores to recognize your face when unlocked, for example, will always be converted into a mathematical formula or template, but, based on this template (which, by the way, is stored in a highly secure hardware part of your iPhone) you will never be able to make the reverse movement and recreate an exact image of your face.
Biometrics in the business world: how it can be done safely
This recommendation and the negative connotation that biometrics sometimes generates, can stop, or even deter companies from using biometric systems. However, if you:
- use templates;
- work with verification (not identification);
- the template is only stored securely with the user himself (for example on an access badge);
- and you as a company have a valid reason for use (high security or convenience),
… then biometrics is certainly a valid technology.
One situation where the use of biometrics could be justified is, for example, to provide access to the operating room in a hospital. Biometrics is not only useful there, because surgeons can enter without having to take off their sterile gloves or face mask, but also provides extra security, by only giving access to a limited number of people. Authentication can be facilitated here, for example, by reading out a user’s access badge without contact.
Some best practices to keep in mind:
- Apply verification instead of identification;
- Use templates (instead of the authentic, ‘naked’ images);
- Store these templates with the end user (e.g. on an access badge), not centrally, with the controller himself;
- Always provide an alternative to biometrics (g. a sufficiently long PIN code or password).
- Work together with an expert partner who can advise you;
- Perform a DPIA (data protection impact assessment);
- Regularly update the saved templates by making a new registration.
And, remember: biometrics offer a myriad of possibilities, as long as it is handled with care. No one is perfect – not even biometric systems.
 The government has the perfect images of your fingerprints in their systems during the maximum three months it takes to create your identity card.
 The government has a central database containing all the facial photos of identity card, driver’s license and passport.