Biometrics are becoming more popular as an authentication method. We’ve explored the weaknesses of traditional password and username combinations before on the blog.
Simply put, the human brain isn’t wired to memorize long strings of characters, and it’s much more difficult to steal or copy someone’s identity and fingerprints than their login credentials. We’re already seeing large companies such as Samsung include iris scanning and fingerprint authentication on their smartphones, while governments are also recognizing the security benefits for border management and policing.
So, it’s about time regulators focus on the use of biometric data and make sure they protect key principles such as anonymity, consent and purpose.
UK data protection bill, incorporating biometric data, for September
For biometric security to work properly, citizens’ rights must be properly protected, and the data collected by corporations and the public sector must be managed carefully and sensibly. The EU’s new General Data Protection Regulation (GDPR) addresses biometrics specifically, clearly recognizing the technology’s immense potential.
The British government recently presented its legislative program for the next two years, bringing GDPR into UK law and the country into line with the EU.
GDPR classifies biometric data as a “special category of personal data” and prohibits its “processing”, thereby protecting people from having their information shared with third parties without their consent. However, it does contain some exceptions:
- If consent has been given explicitly
- If processing the biometric information is necessary for carrying out the obligations of the controller or data subject in the field of employment, social security or social protection law
- If it’s necessary to protect the vital interests of the individual and if they are incapable of giving consent
- If processing is necessary for reasons of public interest in the area of health
- If it’s vital for any legal claims
But wait, there’s more…
Not only does it establish a clear set of consumer rights, GDPR also includes measures aimed at boosting enterprise security. For example, if a company discovers a data breach, then processors must inform the authorities within 72 hours of discovery. Companies managing biometric information could be hit with massive penalties if they do not make efforts to secure that data. These could reach 20 million euros, or 4% of annual worldwide turnover.
But let’s look at what is happening beyond Europe and the UK.
Washington Becomes Third State to Enact Biometric Privacy Law
While the regulatory environment in the US is more fragmented than in the EU, legislative authorities are still recognizing the increasing importance of biometric security. In June 2017, Washington became the third state to pass a biometric privacy law, covering any business entity that collects identifiers for commercial purposes.
India and the emerging global consensus on biometric data protection
All over the world, biometric data protection is at the top of regulators’ agendas.
On 24 August 2017, India’s Supreme Court made this clear when, in a landmark case, it ruled privacy a ‘fundamental right’. This decision could impact the country’s biometric identification program, known as Aadhaar.
We’re seeing the emergence of a global consensus whose fundamental principle is that mismanagement of personal information will not be tolerated, and that companies that do not protect data properly could be hit with large fines.
Enterprises and governments managing biometric data should seek independent consultancy when it comes to securing personal information. At Gemalto, we work on over 200 civil ID and law enforcement projects that incorporate biometrics, and can act as an independent authority on recommending the most suitable solution for each application.
What are your thoughts on biometric security? Can you see the issue preventing innovation in this area? Let us know by tweeting to us at @Gemalto.