6 October 2016
The French data protection authority (‘CNIL’) announced, on 27 September 2016, that it had updated its biometrics doctrine to take technological changes into account. In particular, the CNIL repealed single authorisations AU-007, AU-008, AU-019 and AU-027 and adopted two new single authorisations covering biometric access control systems in the workplace (‘the Authorisations’).
Cécile Martin, Special International Labour & Employment Counsel at Proskauer Rose LLP, told DataGuidance, “The Authorisations take into consideration the principles enacted by the General Data Protection Regulation (‘GDPR’), [in that] companies must be able to document the characteristic of the data processing, demonstrate the proportionality of the data processing, and comply with the principles of Privacy by Default and by Design.”
The Authorisations impose three main obligations on organisations regarding the lawful use of biometrics in the workplace. Firstly, businesses must ensure that the use of biometrics is justified, considering whether less intrusive means could be employed. Secondly, entities should favour Privacy by Default or by Design solutions, in order to limit the risk of misuse of biometric data. Finally, organisations need to properly justify, document and safeguard the storage of such data. The adoption of measures that minimise the risk to privacy, such as encryption, is also encouraged.
Martin said, “The main drawback is that the CNIL issues the Authorisations at a time when everyone knows that once the GDPR comes into effect, such formalities will not be necessary anymore.”
Currently, under Article 25(I)(8) of Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (‘the Act’), the processing of biometric data is subject to prior authorisation by the CNIL. However, Article 25(II) of the Act gives the CNIL the power to issue single authorisations for processing operations which have the same purpose, relate to the same categories of data and have the same recipients.
“[In such cases], the process is simplified given that the employer who intends to implement a biometric data processing just needs to adhere to a norm (i.e. the single authorisation),” noted Martin.
In addition, the Authorisations do not replicate the previous distinction drawn between ‘trace’ and ‘no-trace’ biometric features; the CNIL explained that such a distinction is no longer justified, given that all biometrics must today be regarded as leaving ‘traces’ in some form.
Martin observed, “While before the update the CNIL used to distinguish between biometric data processing with trace (e.g. DNA) and biometric data processing without trace (e.g. voice), now it discerns between biometric data processing which enables data subjects to keep the control of their biometric data and ones which do not offer such a protection.”
Cristina Ulessi | Privacy Analyst