CNIL clarifies biometric ID systems


In two decisions on 8 April 2004, relating to the use of biometric systems for identification purposes, the French data protection authority, the Commission Nationale Informatique et Libertés (CNIL), has reaffirmed its general opposition to the creation of fingerprint databases where such creation is not justified by an undeniable security imperative.

The CNIL rejected a request by a hospital to implement a fingerprint recognition system in order to monitor and control its employees' working hours. The decision was based on the grounds that (i) the biometric data was stored in a database, which is not a method that protects the data subject against inappropriate use of the data, and (ii) the aim of better management of working hours, while legitimate, does not justify the collection and storage of fingerprints.

In a second decision, the CNIL approved the implementation of a fingerprint recognistion control system to allow employees access to secure areas of Orly and Roissy airports in Paris. CNIL stated that if the fingerprint template is solely stored in a personal item, e.g. badge or smart card, the system does not conflict with the Data Protection Law.

In each case of biometric data use, the CNIL considers whether the use is adequate and proportionate to the purpose. Furthermore, although it agrees that in certain cases biometric systems can be justified by safety considerations, the CNIL requires there to be adequate security measures, e.g. the encryption of fingerprints stored in the database. For example, the CNIL has accepted the implementation of biometric systems to control access to certain places for security reasons, including the offices of the French Central Bank.

However, even where security reasons justify the implementation of biometric systems, the CNIL prefers the use of means other than fingerprint recognition, such as hand outlines or iris recognition, as such data cannot be collected as easily as fingerprints. The CNIL approved a hand outline recognition system for a school dining hall, noting that the use of such a system was more respectful of the rights of the individuals concerned than a fingerprint system.

In addition, French police traditionally use fingerprints to identify offenders. The use of a non-fingerprint recognition system therefore guarantees that the company concerned cannot be connected with the police databases.

CNIL's powers regarding biometric systems are soon to increase under the new data protection law, which is due to enter into force before the end of the year. All biometric systems will have to be authorised by CNIL before being implemented.