Already in the English version of the document, X can take biometric information “based on consent” from the user, to use it for security and identification-related purposes. Specifically, the update on X’s privacy page states that “Based on your consent, we may collect and use your biometric information for security, safety and identification purposes”.
The Elon Musk-owned social network does not specify the type of biometric information it expects to collect, nor does it even define what is considered biometric. Nor does it explain how it will collect this data, which typically involves fingerprint scans, parameters about your physical traits, such as face, fingerprint, or iris patterns. For its part, X says it will use this data to improve the platform’s security and add a facial recognition system to its paying members.
When it comes to the use of this information, there are some suspicions. Steve Moser, a well-known app developer, revealed that X plans to implement support for fingerprint-based passkeys, facial recognition, and device PINs to log in to its service.
How Data Protection is affected
As pointed out by the Spanish Data Protection Agency (AEPD), biometric data processing techniques are based on collecting and processing physical, behavioural, physiological or neuronal traits of individuals by means of devices or sensors, creating signatures or patterns that enable the identification, tracking or profiling of individuals.
In accordance with the provisions of article 9.1 of the GDPR, it is understood that biometric information is sensitive data, and consequently, must be treated as such; this does not mean that it cannot be collected or processed, but rather that a series of requirements must be met in order to do so.
In the framework of a processing operation, any of the various biometric techniques involved have to be assessed according to their appropriateness, proportionality and necessity, their purpose, their impact on the rights and freedoms of natural persons and the risks they entail, both for the individual and for society.
Last month, Twitter’s successor entity was already involved in a class action lawsuit for violating the Illinois Biometric Information Privacy Act by failing to adequately inform users.
However, it will have to ensure clear and meticulous compliance with the rules and regain the trust of users and advertisers who have abandoned Twitter since the blue bird disappeared.
At Letslaw by RSM, we have Data Protection lawyers who will help you with any advice that you may need. Do not hesitate to contact us.
Letslaw es una firma de abogados internacionales especializada en el derecho de los negocios.