
The Brave New World Of Biometrics

Legal article

Date : 08/01/2018

Author Information

Anthony

Subject : Law

Have you ever found yourself frustrated at forgetting a login or having to reset your password? More importantly, are you worried that your online profile has been compromised because of a password-based system? As more people use multiple devices and hold numerous accounts, security concerns about password or PIN-based authentication have become more prevalent.

Biometrics offers a viable and convenient alternative: it is a more stable identifier than a secret the user must remember, and it compensates for weak passwords and the fallibility of human memory. Biometric systems identify or authenticate an individual's identity by reference to a physical or behavioural characteristic. Commonly used identifiers include fingerprints, hand geometry, retina and iris patterns, voice patterns and DNA.

The concept of biometrics is not a particularly new one; it has long been a popular topic in dystopian science fiction. In that context, biometric technology typically serves a sinister surveillance function designed to restrict and control the movement of individuals.

These futuristic visions are not that far removed from the technologies we use today. The development of more widely available and affordable biometric technologies has allowed organisations to consider them as a viable alternative to password-based authentication. The emphasis on convenience for the consumer is one of the factors driving the move towards biometrics. For example, Apple's newer generations of iPhones, iPads and MacBooks all feature fingerprint identification (Touch ID), which allows users to unlock the device, make purchases on iTunes and the App Store and authenticate Apple Pay.

The most significant advantage claimed for biometric technologies is the prevention of identity theft and fraud. In contrast to traditional security systems, biometrics is based on an individual's unique characteristic, which, in theory, cannot be duplicated. In practice the protection is weaker than that: a fingerprint or face can be copied and presented to the sensor (a "presentation attack"), and a biometric match is never an exact comparison but a similarity score measured against a threshold, so every system has a false-accept rate and a false-reject rate that the operator trades off against each other. In a biometric system the individual first provides a sample of the identifier during enrolment, from which a reference template is derived and stored. When a live sample is presented, the system compares it against the stored template (one-to-one verification) or against all stored templates (one-to-many identification) to determine whether there is a match, and this can be done in real time. Where the template is kept varies: consumer devices such as Apple's Touch ID store it in dedicated secure hardware on the device itself rather than in a central database, whereas building-access or border systems typically do keep a central store.

It is perhaps unsurprising, therefore, that more and more institutions are replacing yesterday's security technology with biometric-based systems. Iris recognition technology has, for many years, been used in airports around the world. Also, the demand for fingerprint scanners in high-value commercial and residential buildings has grown significantly. As tenants want to ensure greater security by upgrading outdated security systems, building managers may find themselves wanting to implement biometric technologies in their buildings, and therefore becoming responsible for processing biometric data.

Security and privacy concerns

Unsurprisingly, the use of biometrics is often compared to an Orwellian process, with fears that biometric data could be used for purposes other than those it was originally acquired or without the individual`s consent. Back in 2001, at Super Bowl XXXV in Tampa, Florida, police cameras used facial-recognition software to scan 100,000 faces of unsuspecting fans in real time to match these faces with their records of terrorists and criminals.

Critics argue that a biometric system is easier to attack than a password-based one, and that the consequences of a breach are much more severe. Passwords are inherently private and are meant to be kept secret. In contrast, biometrics are inherently public: a fingerprint is left on every surface one touches and a face is visible to any camera, and it is difficult to envisage a world where people cover their eyes or always wear gloves in order to keep their biometric information secret. More importantly, biometric data is permanently associated with an individual, so what happens once a biometric identifier has been stolen? Whilst it is easy to replace a password with a new one, the same cannot be said for replacing one's fingerprints or iris patterns.

With consumer-level biometric verification readily available, companies are quickly building up vast biometric databases. Accordingly, questions about how and where biometric data is stored, how it is secured and how it is used are being asked. If the data is stored in a central database, is it stored anonymously or is it linked with an individual's other personal information? Is the biometric data segregated from other forms of personal information? Can the data be used without the individual's consent (for example, can law enforcement organisations require companies to provide the biometric data they hold about an individual for surveillance purposes)?
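The enrol-and-compare loop described above, and the storage questions raised in the last two paragraphs, can be made concrete with a small simulation. The block below is an added example written for this page, not code from the original article or from any vendor. Templates are modelled as fixed-length bit strings compared by the fraction of differing bits (a normalised Hamming distance), which is how iris codes are matched in practice; the template length, the noise rate of a live capture, the decision threshold, the subject names and the sample data are all constructed assumptions. The last function shows why a biometric template cannot simply be hashed and stored the way a password is: two captures of the same trait are never bit-identical, so their hashes differ.

```python
"""Toy enrolment and matching for a bit-string biometric template (added example).

Everything here is constructed: the template length, the per-bit noise of a
live capture, the match threshold and the subjects are assumptions chosen
to illustrate threshold-based matching, not parameters of any real product.
"""
import hashlib
import random

TEMPLATE_BITS = 256
# Assumed decision threshold: two samples whose bits differ in fewer than
# 30% of positions are treated as the same person. Lowering it reduces
# false accepts at the cost of more false rejects; raising it does the reverse.
MATCH_THRESHOLD = 0.30


def fresh_template(rng):
    """A new subject's trait, modelled as random bits (constructed data)."""
    return [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]


def noisy_capture(template, rng, flip_rate=0.10):
    """Simulate a live capture of the same trait: sensor noise, lighting and
    positioning mean each bit differs from the enrolled template with
    probability flip_rate (an assumed value)."""
    return [b ^ 1 if rng.random() < flip_rate else b for b in template]


def hamming_fraction(a, b):
    """Fraction of positions in which the two bit strings differ."""
    assert len(a) == len(b)
    return sum(x != y for x, y in zip(a, b)) / len(a)


def enrol(db, subject_id, sample):
    """Enrolment: the reference sample becomes the stored template."""
    db[subject_id] = sample


def verify(db, subject_id, live):
    """1:1 verification: does the live sample match the claimed subject?
    Returns (matched, distance); distance is None for an unknown subject."""
    ref = db.get(subject_id)
    if ref is None:
        return False, None
    d = hamming_fraction(ref, live)
    return d < MATCH_THRESHOLD, d


def identify(db, live):
    """1:N identification: the closest enrolled subject under the threshold,
    as (subject_id, distance), or None if nobody is close enough."""
    best = None
    for sid, ref in db.items():
        d = hamming_fraction(ref, live)
        if d < MATCH_THRESHOLD and (best is None or d < best[1]):
            best = (sid, d)
    return best


def _pack(bits):
    """Pack a list of 0/1 ints into bytes so the template can be hashed."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def hash_matches(stored, live):
    """Password-style check: hash the stored template and the live capture
    and compare. This fails for biometrics, because a live capture is never
    bit-identical to the enrolled template, so the digests do not agree."""
    return hashlib.sha256(_pack(stored)).digest() == hashlib.sha256(_pack(live)).digest()


def demo():
    """Enrol two subjects, then present a noisy capture of one of them and a
    capture from an unenrolled stranger. Returns the decisions for inspection."""
    rng = random.Random(2018)          # seeded so the run is repeatable
    db = {}
    alice = fresh_template(rng)
    bob = fresh_template(rng)
    enrol(db, "alice", alice)
    enrol(db, "bob", bob)
    alice_live = noisy_capture(alice, rng)
    stranger_live = fresh_template(rng)  # someone who was never enrolled
    return {
        "alice_verifies": verify(db, "alice", alice_live)[0],      # True
        "alice_as_bob": verify(db, "bob", alice_live)[0],          # False
        "identified": identify(db, alice_live),                    # ("alice", d)
        "stranger_identified": identify(db, stranger_live),        # None
        "hash_of_live_equals_stored": hash_matches(alice, alice_live),  # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things follow from the last function. Because matching needs the template itself, or something recoverable from it, the stored template is the sensitive asset, which is why the questions of where it lives, who can read it and whether it is linked to other personal data matter more than they do for a salted password hash. And because the threshold, not equality, decides a match, the security of the system is a tuning decision: the operator chooses an acceptable false-accept rate and lives with the corresponding false-reject rate.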

The EU's new General Data Protection Regulation (GDPR) seeks to introduce new provisions to address some of these concerns. Accordingly, organisations that are using or intend to use biometric authentication should be aware of the implications of the GDPR.

Biometric data under the GDPR

The GDPR is the new EU-wide data protection framework which takes effect on 25 May 2018. It replaces the Data Protection Directive 95/46/EC, which the UK implemented through the Data Protection Act 1998 (DPA), and so supersedes the DPA regime.

The GDPR expands on the "special categories" of "Sensitive Personal Data" to include "genetic data" and "biometric data" where processed "to uniquely identify a person". By classifying biometric data as "Sensitive Personal Data", it effectively means that biometric data needs to be treated separately. Organisations that process sensitive data must satisfy one or more of the conditions of processing which apply specifically to such data, as well as one of the general conditions which apply to regular personal data.

The GDPR introduces substantial fines for violations, which far exceed those under the current DPA. National data protection authorities will be able to impose fines as high as 4% of total worldwide annual turnover or €20m (whichever is higher). For less serious violations, the data protection authorities will be able to impose fines of up to 2% of total worldwide annual turnover or €10m. The level of fine imposed will inevitably be higher for breaches which involve sensitive personal data, such as the loss of such data or failure to have appropriate procedures in place.

Consent under the GDPR

The GDPR imposes a higher threshold for consent than the DPA, and consent, in general, has become harder to obtain. Under the GDPR, whenever an organisation relies on consent to process personal data, it will need to ensure that the consent it obtains is specific, informed and indicates unambiguous agreement from the data subject.

Under the DPA, consent could be inferred by an action or inaction, which allowed the possibility of "opt-out" consent. Under the GDPR, the requirement that the data subject has to make a statement or clear affirmative action excludes this possibility. Furthermore, data subjects will also have the right to revoke their consent at any time.

On top of that, to process biometric data (i.e. "sensitive personal data") at least one of several additional conditions must also be satisfied. The condition which would most likely apply is that the data subject has given "explicit" consent to the processing. The meaning of "explicit" consent is not specifically defined, but is broadly the same as the standard under the DPA.

Impact of Brexit?

The result of the 23 June 2016 referendum and the process by which the UK formally withdraws from the European Union has meant that the UK government has had to review the impact of the GDPR. Article 50 is a two-year procedure, and during that time the Directive and the DPA still apply. Article 50 was triggered on 29 March 2017, which means the UK remains part of the European Union until March 2019, unless the period is extended. The GDPR therefore comes into force while the UK is still a member state, and it will be relevant for many organisations in the UK, particularly those operating internationally.

Summary

There will always be critics of biometrics and as these technologies become more prevalent, each new data breach will raise questions about how far data subjects are willing to accept the trade-off between security and convenience.

With such technologies becoming more readily available, organisations that plan to use them should be aware that biometric data will attract greater protection under the GDPR, particularly given the need for explicit consent, unless other lawful grounds for processing apply. The coming into force of the GDPR presents a good opportunity for organisations to start their preparations now by reviewing their compliance with current privacy standards and the standards which will apply under the GDPR.
