Biometrics are increasingly becoming a part of everyday life, from unlocking your phone with your face to iris recognition for e-government services or airport security and voice recognition when you talk to Siri or Alexa.
For the financial services industry, biometrics are quickly forming a crucial part of future regulatory requirements, especially with the advent of strong customer authentication (SCA).
However, despite the particular character and sensitive nature of biometric information, there are no legal provisions anywhere specific to biometric data protection. Instead, legal texts and references broadly rely on provisions that relate to personal data protection and privacy. Unfortunately, such legislation often proves poorly adaptable to biometric data.
Several personal data privacy regulations, like GDPR, CCPA, or NIST, address biometric data. Recent years have seen increased interest in biometrics’ regulation, which represents a significant step forward for data privacy and protection globally.
What is Biometric Data?
Biometrics refers to physical, physiological, and behavioral human characteristics that can digitally identify individuals or grant them access to devices, systems, and data. Examples of these biometric identifiers include facial patterns, fingerprints, voice, typing cadence, iris or retina scanning, DNA, and palm veins.
While GDPR does not explicitly define the behavioral characteristics of biometrics, the European Banking Authority (EBA) does so in relation to SCA. According to the EBA, behavioral biometrics cover behavioral processes that the body produces, including heart rate, keystroke dynamics, or the angle at which users hold their devices.
1. GDPR
GDPR stands for the General Data Protection Regulation, which applies to European Union member states. The regulation addresses biometric data privacy and covers 28 countries and over 500 million people. The EU GDPR establishes a harmonized framework for member states and includes:
- The right to be forgotten
- The right of unambiguity
- The right of affirmative consent
GDPR protects European Union citizens from having commercial entities share their personal information with a third party without their consent, and it gives them more control over their biometric and personal data. Companies must report any data breach within 72 hours and should only collect personal data for “specified, explicit, and legitimate purposes.”
2. NIST
The National Institute of Standards and Technology (NIST) supports increased use of biometrics collection and data sharing between U.S. agencies. It also seeks to improve biometrics by making them more accurate and interoperable.
NIST researches biometric modalities such as iris, face, voice, DNA, and fingerprint, as well as multimodal biometrics. It also partners with government agencies that use biometrics to:
- Fight crime
- Secure facilities
- Protect access to computer systems and networks
- Screen people at the borders
- Counter fraud
NIST biometric standards and guidelines are essential for building useful biometric systems. The NIST Cybersecurity Framework is also a comprehensive risk management tool designed to protect U.S. critical infrastructure.
3. CCPA
The CCPA, or California Consumer Privacy Act, enhances California residents’ consumer protection and privacy rights. California, the world’s fifth-largest economy, is home to many tech giants and is a traditional trend-setting state for U.S. data protection and privacy.
Therefore, many people see the CCPA as a potential model for a national data privacy law. Additionally, the act could become as widespread and consequential as the GDPR. It has already inspired many national laws, including those of South Korea, Japan, Brazil, and Argentina.
CCPA provides California residents and consumers the following rights regarding their biometric data and personal information:
- Access to the data
- Deleting the data (right to be forgotten)
- Data portability – taking the data in a readable format
- Requesting commercial entities not to sell the data
- Opting out
- Right of action (penalties)
4. HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) ensures medical data privacy and protection. HIPAA has a Privacy Rule that regulates the sharing, disclosure, and use of Protected Health Information (PHI) held by covered entities.
Under the act, companies can disclose protected health data for administrative requests or law enforcement purposes. Law enforcement agencies can use the information to identify or locate suspects, fugitives, material witnesses, or missing people.
5. SHIELD Act
New York State’s SHIELD (Stop Hacks and Improve Electronic Data Security) Act became effective in March 2020 and revolutionized its existing data security law.
SHIELD describes private information as personal data. It includes:
- Biometric data
- Social security number
- Financial account information
- Driver’s license
- State ID number
- Username or email address plus a security question or password
The SHIELD Act requires companies to implement a cybersecurity program and other protective measures for state residents.
6. BIPA
BIPA (the Illinois Biometric Protection Act) is presently the most robust biometric privacy law in the U.S. In Rosenbach v. Six Flags, the Illinois Supreme Court ruled that plaintiffs do not need to show or prove additional harm to impose penalties on violators; it is enough to show a loss of statutory biometric privacy rights.
The processing of biometrics must comply with legal privacy frameworks such as GDPR, NIST, or CCPA. Failure to consider the consequences of non-compliance can land companies in hot water. Hence, thinking about privacy risks from the outset helps businesses design effective biometric solutions and protection systems that ensure personal data privacy and compliance with statutory requirements.