At the end of March, France's data protection authority, the Commission Nationale de l'Informatique et des Libertés ("CNIL"), published a model regulation (the "Model Regulation") governing the use of biometric access controls in the workplace. Unlike most personal data, biometric data (such as a person's face or fingerprints) are unique to the individual and, if stolen or otherwise compromised, cannot be changed to prevent misuse; a compromised password can be reset, a compromised fingerprint cannot. Under Article 9 of the GDPR, biometric data processed "for the purpose of uniquely identifying a natural person" fall within the special categories of "sensitive" data and warrant additional protection, and the GDPR allows member states to impose such additional protections. Accordingly, the French Data Protection Act (Law No. 78-17 of 6 January 1978, as amended) now provides that employers, whether public or private, who wish to use biometric access controls must comply with the binding model regulations adopted by the CNIL, the first of which is this Model Regulation.
The Model Regulation, which the CNIL finalized and adopted after a public consultation, sets out detailed requirements for the processing of biometric data for access control in the workplace. Such access controls include the use of a biometric authentication system to permit entry to the workplace (or to sensitive work areas) or to grant access to certain databases, equipment or computer networks. Some of the key aspects of the Model Regulation are outlined below:
- Justify the use of biometrics: The Model Regulation requires employers to justify the use of biometric data by reference to the specific context of the workplace (for example, the presence of dangerous machinery, valuables, confidential material or products subject to strict regulation) and to demonstrate why other, traditional authentication means (for example, badges or passwords) are inadequate from a security standpoint. This justification must be explicitly documented by the employer, including the reason for selecting one biometric characteristic over another for authentication. The Model Regulation also describes the various types of biometric access control systems, categorized by how the biometric data are transmitted and stored, and the data security risks that come with keeping biometric templates in a central database. It indicates that a central database of biometric templates, together with the stronger safeguards it requires, is justified only in critical environments. Otherwise, the biometric data must be stored on a medium that remains in the exclusive possession of the individual (for example, a badge or smart card), with no durable copy retained by the employer or its service providers.
- Maintain strong data security: The Model Regulation details the organizational and technical security measures that employers must maintain. The measures listed cover the data itself, the organization, hardware, software and communication channels, and the employer must audit their implementation at least annually. The Model Regulation also sets maximum retention periods for biometric data. For example, raw biometric data (such as a photo or audio recording) may not be kept longer than necessary to derive the biometric template that the system software will compare against. In addition, all resulting biometric templates must be encrypted, and must be deleted once an employee leaves the organization. The Model Regulation also describes the categories of personal data that may be stored on a biometric control device and the types of log data that may be collected.
- Remember the GDPR obligations: Beyond the Model Regulation, employers must still comply with the applicable GDPR provisions for any biometric access control system. This includes data breach notification obligations, record-keeping requirements and respecting individuals' data protection rights. In particular, the CNIL has noted that collecting biometric data for access control is likely to result in a high risk to the rights and freedoms of individuals. Consequently, the employer, as data controller, must carry out a data protection impact assessment (DPIA) before deploying any biometric access control and must update it at least every three years.
The above is a high-level summary of some of the main aspects of the Model Regulation. The text of the Model Regulation itself, together with the CNIL's frequently asked questions (which offer practical guidance beyond the text of the Model Regulation), should be read carefully to determine the specific requirements before establishing biometric access controls within the scope of the Model Regulation.
The protection of biometric data is also attracting attention in the US, where several states have enacted biometric privacy statutes. Illinois in particular has a statute containing a private right of action, which has produced a wave of biometric privacy suits, including suits against employers for using biometric timekeeping devices without proper notice and consent. Back in the EU, the Model Regulation for biometric access controls in the workplace could serve as a template for other Member States, and we will continue to monitor such potential developments and other CNIL actions.