The National Commission for Information Technology and Liberties of France (CNIL) has published regulations for companies that use employee biometrics, which demand that the technology be justified for the CNIL, "rigorous" security measures to protect biometric data and GDPR data protection. impact evaluation to be carried out.
The French Data Protection Act has required companies to obtain approval from the CNIL to implement biometric data to track employees, and the regulator issued a fine of € 10,000 Last September to a company that had not done so.
The CNIL launched Public consultation in the draft regulations almost at the same time, in the midst of a legal change that includes GDPR but also legislative changes to the French computer law made in recognition of the popularity and usefulness of biometric access control.
Regulation allows morphological biometrics, such as fingerprints, vein patterns or iris scans, but not biological modalities, such as blood or DNA, or behavioral biometrics, following the definitions included in GDPR. The justification for the deployment of biometric data in the CNIL will require identifying a specific context that requires a high degree of security and demonstrating the insufficiency of the "least intrusive means" to do so. The consent of the employee is not required.
This last point marks a major deviation from the Illinois BIPA, which has generated hundreds of lawsuits based on assumptions violations of the rules of the informed consent process.
The regulations apply to both public and private sector employers, according to a Frequently asked questions Accompanying the announcement, while third parties designing and installing biometric systems will be considered subcontractors under GDPR. This means that the employer organization is considered the controller of the system and is responsible for ensuring that the subcontractor meets the regulatory requirements.
Liisa Thomas of Sheppard Mullin Richter & Hampton LLP advises on a blog post to Leology that business that uses biometrics should anticipate the possibility that other countries follow the example of France.
Topics of the article