Although a paradigm shift towards flexible working arrangements was already underway before the COVID-19 pandemic, it is clear that remote and hybrid work arrangements are here to stay. Two years into the pandemic, many businesses continue to operate with a distributed workforce. Others, including major technology companies, have allowed their employees to work remotely on a permanent basis. This has resulted in a large and growing portion of the population working from their homes. These altered circumstances require a different approach to data security and protection.1 Remote work has created new vulnerabilities for hackers to exploit. With increasingly blurred lines between work and home life, employees are more likely to use work devices for personal reasons. They are also more likely to work in less secure environments and to use insecure devices to connect to corporate networks.2 In order to address these challenges, organizations need to update their cybersecurity policies and procedures. Two key means of protecting data and maintaining security are encryption and access control.3 In this regard, many organizations are turning to biometric technologies as part of a layered approach to safeguarding their assets.

Physical and Behavioural Biometric Identifiers

Biometric technologies can be used to digitally identify individuals and safely provide them with access to systems, devices, and data. Although biometric technology has the potential to streamline and strengthen the authentication process, employers must tread carefully and consider the privacy implications when it comes to the collection, processing, and retention of biometric data. The European Union’s General Data Protection Regulation (GDPR) defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person.”4 In short, biometric identifiers are distinct, measurable characteristics used to label and describe an individual. They also typically fall under two categories of information: physical or behavioural.

Physical biometric data includes finger and palm prints, hand geometry, iris patterns, and facial features. This category is relatively straightforward and consistent with what most people would consider to be biometric data. On the other hand, the definition of behavioural data is broader and, considering the evolving nature of how this data is used, it is less clear how it will be addressed from a regulatory perspective.5 Examples of behavioural biometric data include voiceprints, lip movements, typing cadence, and navigation patterns such as mouse and finger movements.6

Biometric security authentication works by verifying an individual’s identity through the enforcement of access control methods using unique biometric identifiers. Because these identifiers are unique to an individual, they provide greater accuracy of identification. Fingerprint scanning and iris, facial, and voice recognition are among the most well-known types of biometric authentication. Behavioural biometric identifiers can also be used to flag unauthorized users and help distinguish between humans and bots.

In remote work environments, an organization may use facial or voice recognition software to verify the identities of employees as part of multi-factor user authentication. Authentication via facial or voice recognition would be required in conjunction with entering a username and password or personal identification number (PIN). To accomplish this, a database of employee voiceprints and face templates would need to be maintained for comparison purposes. A voiceprint is a digital model of the vocal characteristics of an individual. A face template is a geometric map of an individual’s face. Records of these must be created and maintained to verify the identities of the employees using facial or voice recognition software. The same principle applies to all other methods of biometric security authentication: the templates of biometric identifiers must be retained for use in the authentication process. As the application of this technology has become more common, regulators have taken note. Organizations must understand the growing risks involved in processing this type of personal data.7 In particular, they must consider the often strict requirements under privacy laws and regulations.

Regulating the Privacy and Security of Biometric Information

In general, there are two types of laws governing the use of biometric data: laws that specifically address the use of biometric identifiers, and broad privacy laws that include biometrics in their definitions of personal data.8

In the United States, several states have implemented laws specifically governing the use of biometric technologies. The first states to do so were Illinois and Texas in 2008 and 2009 respectively, followed by Washington in 2017. The Illinois Biometric Information Privacy Act (BIPA) regulates the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information. The BIPA provides that a private entity in possession of biometric data must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied, or within 3 years of the individual’s last interaction with the private entity, whichever occurs first. The BIPA prohibits private companies from collecting any biometric data unless certain requirements concerning consent are met. The legislation enacted in Texas and Washington is similar to the BIPA, and any companies that operate in these states are required to obtain opt-in consent for the collection of biometric data.

On January 6, 2021, the New York General Assembly introduced the Biometric Privacy Act (BPA), modeled after the BIPA. If passed, private entities in possession of biometric data would be required to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Other states have expanded laws concerning privacy rights and data breaches to cover biometric data. For example, the California Consumer Privacy Act (CCPA) includes biometric data in its definition of personal data. In terms of regulating biometric data federally, the National Biometric Information Privacy Act of 2020 was introduced on October 3, 2020. If passed, private entities that obtain an individual’s biometric data would be required to take specific actions to maintain and ensure the privacy and security of this data. As with the BIPA, this federal bill establishes a private right of action for individuals.

Litigation related to biometrics in the United States has been growing, with 2021 being a record-setting year for new cases. Class action lawsuits concerning privacy claims and employment-based disputes have been increasing.9 This growing risk of litigation makes it clear that organizations need to establish policies, procedures, and safeguards concerning how they use, store, and protect biometric data.

In Canada, there is currently no distinct legislation governing the use of biometric data. However, Quebec’s Act to Establish a Legal Framework for Information Technology provides that express consent is required for biometric data to be recorded.10 Also note that the Office of the Privacy Commissioner of Canada (OPC) is currently in the process of updating its guidance on the use of biometric technology in Canada.

The GDPR identifies biometric data as a special category of sensitive personal data subject to a higher level of protection. As such, the processing and protection of biometric data must proceed under the framework for sensitive personal data.11 Although the processing of sensitive personal data is prohibited by default, the GDPR recognizes certain exemptions that justify its processing, including situations where the data subject explicitly consents to the data processing. However, having a legal basis to process this data is insufficient on its own. In certain high-risk situations, data controllers may also need to conduct privacy impact assessments. It should be noted that the GDPR expressly permits member states to impose additional conditions on the processing of biometric data.12 The Netherlands’ General Data Protection Regulation Implementation Act (UAVG), for example, sets out additional conditions regarding the processing of biometric data. It can be processed for authentication or security purposes only where the need is proportionate to the invasion of privacy.13 If the need is not great and does not match up to this heightened level of security, the use of biometric authentication is not permitted.

Hong Kong’s Office of the Privacy Commissioner for Personal Data has published Guidance on the Collection and Use of Biometric Data. As in many other jurisdictions, biometric data is considered personal data under local privacy law and must be purged when no longer required for the purposes for which it was collected. In Hong Kong, any employee biometric data that is collected to control access to an employer’s premises or computer systems must be deleted upon termination of the employment.14
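The retention rules described above for the Illinois BIPA (destroy when the purpose of collection is satisfied or 3 years after the individual’s last interaction, whichever comes first) and for Hong Kong (purge when no longer required, and delete employee access-control templates on termination) can be expressed as a simple retention check run over the metadata kept beside stored voiceprints or face templates. The following is an added illustration written for this article, not code from any of the regulators or firms named; the record fields, the jurisdiction codes "IL" and "HK", and the sample records are all constructed, and it models only the rules the text states, not the full statutes.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 Feb start lands on 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class TemplateRecord:
    """Metadata kept beside a stored biometric template (constructed fields)."""
    subject_id: str
    last_interaction: date                    # last dealing between subject and entity
    purpose_satisfied: Optional[date] = None  # date the collection purpose was fulfilled
    employment_ended: Optional[date] = None   # termination date, for employee templates


def _earliest(*dates: Optional[date]) -> Optional[date]:
    known = [d for d in dates if d is not None]
    return min(known) if known else None


def destroy_by(rec: TemplateRecord, jurisdiction: str) -> Optional[date]:
    """Date by which the template must be permanently destroyed, or None if
    no destruction trigger has occurred yet."""
    if jurisdiction == "IL":  # BIPA: purpose satisfied, or 3 years after last interaction
        return _earliest(rec.purpose_satisfied, add_years(rec.last_interaction, 3))
    if jurisdiction == "HK":  # PCPD guidance: no longer required, or employment terminated
        return _earliest(rec.purpose_satisfied, rec.employment_ended)
    raise ValueError(f"no retention rule modelled for {jurisdiction!r}")


def templates_due(records, jurisdiction: str, today: date) -> List[str]:
    """Subject IDs whose templates are overdue for destruction as of `today`."""
    return sorted(r.subject_id for r in records
                  if (d := destroy_by(r, jurisdiction)) is not None and d <= today)


# Constructed sample records for demonstration
SAMPLE = [
    TemplateRecord("A", date(2019, 5, 1)),
    TemplateRecord("B", date(2021, 1, 15), purpose_satisfied=date(2022, 3, 31)),
    TemplateRecord("C", date(2022, 2, 1), employment_ended=date(2022, 5, 15)),
    TemplateRecord("D", date(2021, 11, 30)),
]

if __name__ == "__main__":
    for j in ("IL", "HK"):
        print(j, templates_due(SAMPLE, j, date(2022, 6, 1)))
```

Run on the sample set as of 1 June 2022, the BIPA rule flags A (3 years since last interaction) and B (purpose satisfied), while the Hong Kong rule flags B and C (employment ended); the list it returns is the audit trail an organization would keep of what was destroyed and why.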

Although the number of countries enacting privacy laws is increasing, there are relatively few laws that specifically cover biometric data and technology. This is expected to change as concerns grow around surveillance and the use of biometrics by law enforcement. As biometrics is broadly defined and growing in usage, any organization processing biometric data must remain vigilant and monitor developments in order to ensure compliance with changes to privacy legislation in this area.


1 Koch, R. (n.d.), Tips to keep your company GDPR compliant while working from home. GDPR.EU. https://gdpr.eu/working-remotely-data-security/.

2 (2021, May 12) Study reveals growing cybersecurity risks driven by remote work. Security Magazine. https://www.securitymagazine.com/articles/95177-study-reveals-growing-cybersecurity-risks-driven-by-remote-work.

3 Koch, Tips to keep your company GDPR compliant while working from home.

4 https://gdpr.eu/article-4-definitions/

5 Ross, D. (2017, October 31) Processing biometric data? Be careful, under the GDPR. The International Association of Privacy Professionals. https://iapp.org/news/a/processing-biometric-data-be-careful-under-the-gdpr/.

6 Ball, K. Electronic Monitoring and Surveillance in the Workplace. Literature review and policy recommendations, Publications Office of the European Union, Luxembourg, 2021, ISBN 978-92-76-43340-8, doi:10.2760/5137, JRC125716. https://publications.jrc.ec.europa.eu/repository/handle/JRC125716.

7 Sitton, J.V. (2018 May/June) Understanding Biometrics’ IG Obligations. Information Management. https://magazine.arma.org/wp-content/uploads/simple-filelist/2018_03_IM_understanding_biometrics_IG_obligations_sitton.pdf.

8 Sitton, Understanding Biometrics’ IG Obligations.

9 Bryan, K.L., Lamoureux, C., and Lonergan, D. (2022 January 5) 2021 Year in Review: Biometric and AI Litigation. The National Law Review. https://www.natlawreview.com/article/2021-year-review-biometric-and-ai-litigation.

10 Soltani, H.G. (2021 March 17) Leaving Big Brother Off the Hook. The Canadian Bar Association. https://www.cba.org/Sections/Privacy-and-Access/Articles/2021/Leaving-Big-Brother-off-the-hook.

11 Ross, Processing biometric data? Be careful, under the GDPR.

12 Ross, Processing biometric data? Be careful, under the GDPR.

13 Dutch Data Protection Authority (n.d.) Biometrics. Autoriteitpersoonsgegevens.nl. https://www.priv.gc.ca/en/opc-actions-and-decisions/submissions-to-consultations/sub_ethi_c11_2105/.

14 Office of the Privacy Commissioner for Personal Data, Hong Kong (2020 August) Guidance on the Collection and Use of Biometric Data. PCPD.org.hk. https://www.pcpd.org.hk/english/resources_centre/publications/files/GN_biometric_e.pdf.

Author

Lisa Douglas is a member of Baker McKenzie’s Technology Practice. She currently focuses on information governance, drawing on a rich background in knowledge management, legal research, and library science to provide compliance advice on the enterprise information lifecycle.

Author

Sarah Nagy is an Information Governance Specialist with the global Information Governance group within Baker McKenzie’s Information Technology & Communications Practice in Canada. She has a background in records and information management, corporate archives, and knowledge management. She supports clients in the management of their information governance programs by advising on records and data retention matters.