Challenges of biometric identification in data protection
In recent years, reports and sanctioning resolutions have been published on projects using biometric data. There are a number of key issues that need to be taken into consideration as there is a high risk of loss of control of data, as well as security breaches or continuous tracking of individuals with a risk of discrimination or stigmatisation.
What is biometric identification?
Biometric identification is defined as the technology for recognising individuals through the unique physical traits that each individual holds. It focuses, for the most part, on facial, voice, fingerprint or iris recognition.
Basically, it is a technique based on facilitating processes and implementing highly secure software, since it makes it possible to avoid passwords and, thus, the problems associated with lost or stolen passwords.
These technologies are classified according to the risk analysed: on the one hand, physiological risk, consisting of fingerprint, iris, retina and face recognition, among others; on the other, behavioural risk, characterised by voice, gait or signature.
Main challenges of biometric identification
There are many challenges to be faced in this new reality brought about by biometric identification. Firstly, it must be borne in mind that biometrics is neither unequivocal nor infallible: there may be doubtful cases in which the identification of a subject cannot be 100% assured.
Secondly, this type of data is on display in our daily lives, making it more exposed than any secure password. Biometric data can be copied even from high-resolution photographs, although it is not as easy as it seems, as it would currently require almost a live video feed to perform such authentication.
There is also a challenge common to any authentication system that checks access attempts against the information stored in a database: it generates a privacy problem derived from the traceability of our data. However, this is a challenge applicable to other types of technologies.
Pros and cons of biometric identification from a data protection point of view
The environment in which we live is in dire need of adaptation to this new reality. In other words, devices, installations, systems and processes must go hand in hand with a change in the behaviour of the individual, so that breaches have less impact.
On the other hand, it must be taken into account that, although this type of biometric authentication is an advance that is making great strides, it is a technology that needs to update its systems to be able to guarantee the necessary security to adapt to today’s online world.
It is also a major problem that biometrics is an authentication method that is not susceptible to change, and this means that if our security is compromised, we will not be able to change our biometric password.
However, one of the advantages of biometric identification is the end of the problems of PIN codes and passwords, as all access information would be stored in our own physical traits. This would avoid having to handle personal documents or passwords, minimising the damage if they are lost.
In addition, there are a large number of applications or tools that can be managed by biometrics, and it remains to be seen how far this technology will be able to go.
Processing of biometric identification data
It is important that the entity responsible for the data being collected fulfils its data protection obligations, the most important of which are:
- Establishing the Register of Processing Activities.
- Carrying out an Impact Assessment relating to the protection of personal data.
- Informing the data subject about these processing operations under the terms of Article 13 of the GDPR.
- Respecting the principles of purpose limitation, necessity, proportionality and data minimisation.
- Verifying that the processing is adequate, relevant and not excessive in relation to the purpose for which it is carried out.
- Using mechanisms based on encryption technologies to prevent unauthorised reading, copying, modification or deletion of biometric data.
With all these safeguards, it can be demonstrated that the controller’s actions in relation to the processing of biometric data are in accordance with the rules on personal data protection. At Letslaw we are experts in data protection and privacy, and we can help you with any issue you may have.
Letslaw is a firm of international lawyers specialising in business law.