Spanish data authority clarifies biometric processing rules
24 June 2020 17:44 GMT

The Spanish data protection authority ('AEPD') has published a technical note explaining 14 misunderstandings in relation to biometric identification.

The document, intended for data protection officers, managers and delegates, among others, aims to offer information about the most common confusions and inaccuracies associated with the use of this technology, so that these groups can understand the implications of such a complex type of processing.

The technical note has been developed together with the European Data Protection Supervisor (EDPS) in the framework of the collaboration that the AEPD maintains in the technological field with various national and international institutions. Collaboration with the EDPS materialized for the first time in the development of the technical note "Introduction to Hash as a pseudonymisation technique for personal data".

The General Data Protection Regulation (GDPR) defines biometric data in its Article 4 as those “personal data obtained from a specific technical treatment, related to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of said person, such as facial images or fingerprint data”. Likewise, when biometric data is used as a means of identification, the GDPR establishes in its Article 9 that it falls under the special categories of data and expressly prohibits its processing aimed at uniquely identifying a natural person.

Among the most common misunderstandings related to biometrics is the claim that biometric identification and authentication systems are safer for users. In this sense, the Agency warns that unauthorized access to biometric data in one system would allow or facilitate access in the rest of the systems that use such biometric data. This would have the same effect as using the same password on many different systems, and unlike password-based systems, once biometric information has been compromised, it cannot be canceled. It also warns that biometric information is stored in more and more entities and devices, exponentially increasing the probability of a biometric information security breach.

Another of the fourteen points that make up the list is the claim that biometric identification and authentication is a strong system. By definition, using biometrics alone is considered to be a weak identification and authentication process. Although in many cases biometric authentication requires a prior identification process, the Agency warns that if after the identification process the authentication is only biometric, it would still be a weak system.

 
