Privacy Commission renders opinion on the use of biometrics for authentication purposes

09 September 2008

Peter Van de Velde

On 9 April 2008, the Belgian Privacy Commission issued an advisory opinion on ‘the processing of biometric data for the authentication of persons.’ Authentication means the process of verifying an individual’s identity in order to establish that the individual is who he claims to be. Authentication will be important for controlling and managing access to certain premises (e.g. buildings, airports) or services (e.g. internet banking), or for controlling the working hours of employees. The Commission’s advisory opinion does not consider the use of biometrics for border control or law enforcement purposes.

Biometric systems can involve various data processing techniques, such as DNA analysis, iris recognition, fingerprint verification, hand pattern or ear shape analysis or face or voice recognition. Biometric systems are regarded as “strong authentication” tools (i.e. processing this data makes it possible to establish a very strong link between a person and his identity).

Authentication on the basis of biometric data can generally be achieved through either identification or verification. Identification involves a “one-to-many comparison” of a person’s biometric sample with the biometric information stored in a central database. The comparison method allows individuals to be identified from all the other individuals whose biometric data are stored in the database. Verification, on the other hand, is based on a “one-to-one comparison” of a person’s biometric sample with the pre-registered information of that person (for instance, through storage on a secured removable carrier such as a badge or a smart card that can be kept by the data subject).

The Privacy Commission recommends the use of verification for authentication purposes (rather than the use of systems that require the storage of biometric data in a central database). This is in line with the position adopted by other national data protection authorities such as the CNIL in France. In its working document on biometrics (dated 1 August 2003), the Article 29 Data Protection Working Party raised concerns about systems based on the use of a central database.

In its advisory opinion of 9 April 2008, the Belgian Privacy Commission states that biometric data are to be considered as personal data within the meaning of Article 1 of the Data Protection Act of 8 December 1992 (“the DPA”). As a consequence, any processing of biometric data needs to comply with the (mandatory) provisions of the DPA. The Commission is also of the opinion that biometric data could be regarded as sensitive data as, in certain circumstances, the data can reveal information about a person’s health or race.

According to the Privacy Commission, in principle processing biometric data requires the free, specific and informed consent of the data subjects. Alternatively, processing biometric data will be allowed if it is provided for by law or if the processing is necessary for the purpose of the data controller’s legitimate interests (provided that the interests and fundamental rights and freedoms of the data subjects do not override the data controller’s interests). The Commission seems to regard combating fraud (for instance fraud on the work floor) as a sufficient legitimate interest of the data controller (as employer).

The principle of proportionality will be central to the assessment of any biometric data processing system. The Privacy Commission states that processing biometric data will be considered to be excessive if it is not “absolutely necessary” to attain the objective of the processing (i.e. authentication). For instance, the Commission’s view is that biometrics are not necessarily required to control access to normal consumer premises or services. The Commission also refers to the risks associated with the use of biometrics, such as identity theft. The Commission specifically recommends that data controllers compare biometric systems with other (non-biometric) systems available on the market (especially if the intended biometric system is based on data that leave physical traces, such as fingerprints). By doing so, the data controller can assess whether the objective of authentication could be attained through less intrusive systems (e.g. face recognition).

As a general rule, the Commission urges data controllers to assess very carefully whether the use of a biometric system is necessary for the purposes that they wish to achieve. The Commission states that the principle of proportionality should be interpreted in a very strict way to take into account factors such as the potential long term consequences for the data subjects. Data controllers are required to clearly define, justify and communicate the motives for their decision to implement a biometric system to data subjects. In addition, the Commission advises data controllers to provide the data subjects with information about (i) the type of biometric system used, and how it works (including the way the data will be stored), (ii) the existence of a margin of error in the recognition of persons (which is inherent to each biometric system; the Commission is especially concerned about the risk that biometric systems are presented as faultless), and (iii) the process that data subjects should follow if the system does not recognise them. This information is to be provided in addition to the general information requirements of Article 9 of the DPA.

Where processing biometric data appears to be necessary and proportionate, the Privacy Commission gives the following recommendations to data controllers intending to implement a biometric system:

  • the data should not be stored in a central database (but on a secured removable carrier that the data subject can keep under his control);

  • raw biometric data (e.g. images of fingerprints) should not be stored, but only the relevant extracts that are necessary for authentication;

  • technologies that allow data controllers to collect or process biometric data without the data subjects’ knowledge should not be used; and

  • a secured biometric system should be used.

The Commission also stated that because biometric systems are a strong means of authentication they should be reserved for situations that require a strong level of security. Therefore, the Commission’s view is that the biometric systems should be restricted to use within those premises/services that require and justify strong security measures (for instance, biometrics may not necessarily be required to control the access to a school or to control the working hours of employees in a company with only a limited number of employees). Although the Commission states that companies may take into account the economic benefit of implementing a biometric system, this argument alone could never justify the use of biometrics.

The Commission states that biometric data may not be stored for longer than necessary for the purpose of the processing (for instance, the biometric sensor that collects the sample data should not be able to store the data for longer than required to make the comparison with the reference data). In relation to data security, the Commission requires a level of security that is not just appropriate but “very high”. This applies to both the method used for collecting the data and the physical carriers of biometric data. As a general rule, data controllers could be held liable for damages where they have not complied with the security requirements imposed by data protection law.

The Privacy Commission has issued its advisory opinion on biometrics on an ex officio basis. It intends to revisit its guidance as technology progresses and real-life experience with biometric systems grows.