Data Protection: An Overview of the General Data Protection Regulation Occurrences related to Biometric Data during the month of August

Biometric Data: The General Data Protection Regulation’s Application

August was a momentous month for the technological application of the General Data Protection Regulation, as several breaches regarding Biometric Data surfaced. The General Data Protection Regulation has strengthened the data security of Biometric Data and Facial Recognition, with the latter now constituting biometric data as well. Article 4 of the General Data Protection Regulation defines biometric data as ‘personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person’. This therefore includes both facial images and fingerprints. Because biometric data forms part of the special category of data, its processing imposes additional obligations on the controller. As stated by Diego Naranjo, a European Digital Rights advocate, processing of biometric data demands explicit consent from the person, unless it is necessary for national security and as long as there is no less intrusive alternative available. Whilst the General Data Protection Regulation has imposed increased levels of security, the EU Commission has expressed its ambition to establish legal instruments in the future, which would further restrict the processing of such data.

London Data Protection Probe: King’s Cross Facial Recognition Investigation

Whilst the General Data Protection Regulation has afforded higher levels of security to biometric data, the intrinsically irreversible nature of a biometric data breach has prompted discussion and additional attention to the processing of such data. For instance, the British Data Protection Commissioner, the ICO, has opened an investigation into the adoption of facial recognition technology installed in King’s Cross Railway Station’s CCTV cameras in London. This technology utilises a face scanning system for the detection and tracking of individuals, with the aim of preventing public attacks in London. This is done through a system which translates recordings to a tracking database. The investigation was instigated by media scrutiny, which was later endorsed by the London mayor, who sought to enquire into the legality of the tracking. As stated by Elizabeth Denham, a British Data Protection Commissioner, this processing raises wide concern due to the potential privacy threats which might arise. The developer has given assurances that a legitimate interest by virtue of public safety is in place, and that the technical and organisational measures established in the General Data Protection Regulation have been adhered to. The British Data Protection Commission is, however, requesting detailed information pertaining to the data operation, an on-site inspection of the system used, and a compliance exercise aimed at discerning compliance with the transparency, fairness and accountability principles established in the General Data Protection Regulation.

Sweden’s First Data Protection Fine: Facial Recognition Used for Tracking Student Movement

The Swedish Data Protection Commissioner has imposed its first fine, amounting to 18,000 Euros, against a local school which tested facial recognition technology for the purpose of tracking students’ entry and exit from classrooms. A successful trial was intended to lead to expansion across the school, which would have reduced the manpower necessary to maintain high standards of attendance recording. The GDPR fine imposed was relatively low on account of the tracking only being in place for a few weeks, with only 22 students being concerned. Although the school had requested parental consent for the use of facial recognition, as established in the General Data Protection Regulation, the Swedish Data Protection Commissioner did not believe that a legitimate basis for processing was satisfied, since alternative systems could have been used with less intrusion. The Swedish Data Protection Commissioner also expressed the idea that whilst the academic building is public, the students are still entitled to a level of privacy within the classroom on account of the amount of time they spend there.

Breach of Biometric Data: Suprema Data Protection Breach and its Implications

The critical nature of biometric data arises from the element of irreversibility: once exposed, the data cannot be recovered or replaced, leading to perpetual implications. This is why the British Data Protection Commissioner has acknowledged the allegations of one of the most prominent biometric data breaches in data protection history. This breach emerged due to technological flaws in Suprema’s Biostar 2 Software, which exposed the biometric data of more than a million platform users. It exposed unsecured biometric credentials and personal information, including fingerprints, facial recognition information, and unencrypted usernames and passwords, which are amongst the data published online. The platform was adopted by several respectable organizations globally, including the UK Metropolitan Police amongst other targeted governmental organizations. Whilst investigations are in their early stages, Suprema have been reported as being unresponsive and uncooperative, even as data protection professionals are alluding to their deficiency in adopting adequate hashing systems, which could potentially have limited the risk of identity fraud.

For more information on the General Data Protection Regulation
Get in touch with us

     📧 ybusuttil@easl.com.mt

  📞 2166 1273
