Why it is almost never allowed to use biometrics

You can forget your passwords and your cards, but your fingers are always to hand. Would it not be handy to use physical characteristics – biometrics – to secure your business? Privacy expert Jules van Stralendorff explains that the rules for biometric security in the Netherlands are very strict. Still, there are opportunities for SMEs.

 

The action hero runs down the corridor. She has just dodged a thousand lasers and is now arriving at the door to the vault. Unfortunately, it opens only with a fingerprint and an iris scan. So now what? We have all seen this scene in a film at some point. This kind of biometric security also permeates our own lives. For instance, WhatsApp added a security option in late January 2021, with fingerprint or facial recognition. And Apple’s latest operating system, iOS 16, makes greater use of physical characteristics for security than previous versions did. 

Handy for businesses 

Biometric security can be useful, not only for individual users, but also for businesses. Perhaps you are a contractor, and workers and subcontractors come onto and leave your construction site. Or are you a shop owner who is affected by fraud with your point-of-sale system. Then facial recognition or fingerprint locking can help. You then record who is on site at what time, or who has opened the till. 

Strict rules 

So biometrics can be useful for your company’s security, but you are not allowed to use it just like that in the Netherlands. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) is quite strict. “Biometric security is of interest only if you are a nuclear power plant”, says the spokesperson, “or if you want to pay high fines.” A company that recorded employees’ fingerprints to track their attendance was fined €725,000 in April 2020 (in Dutch). And in 2019, a court ruled that shoe shop Manfield could not use a fingerprint lock on its checkout system. 

Highly sensitive 

Why are the rules so strict? That is because of the GDPR (General Data Protection Regulation). If you want to recognise your employee’s fingerprint, you need to store it. Jules van Stralendorff explains why that is not allowed just like that. He works as a senior privacy consultant at consulting firm Considerati. “Your fingerprint falls into the category of special personal data. Examples of special personal data include medical data, biometric data, or data that says something about your race, religion or sexual orientation. That data is so sensitive that it is basically forbidden to keep it.” 

Consent 

So is there no way for SMEs to use biometrics? Van Stralendorff says there actually is. It is allowed if people, such as customers or suppliers, give you explicit permission to store their physical characteristics. Asking your employees for permission is more complicated. “After all, consent must be given freely. Employees may feel pressured to agree if, for example, a good assessment depends on it.” 

But Van Stralendorff says that, if you give your employees a suitable alternative to biometrics, you can indeed make the case that consent is freely given. “If an employee is comfortable logging in with biometrics, then it is allowed. But you should also offer alternatives as an employer, such as logging in with a pass or PIN.” In that case, your goal is not primarily security, but the convenience for your employees. 

Necessary 

If biometric security is really necessary for the security of your company, your employees, or third parties, the law also allows you to use it without permission. A nuclear power plant processes such dangerous material, you can plausibly argue that facial recognition or an iris scan is needed for security. If you have a warehouse, you cannot. Indeed, there are non-biometric alternatives with which you can adequately secure a warehouse, such as cards, PINs or passwords. 

“One company we advised wanted fingerprint locks on a warehouse”, says Van Stralendorff. Their argument was: what if there is an emergency? Then we want to know exactly who is in the warehouse. But that argument is not enough. After all, you can also put someone at the door who takes down all the names. You do not need a fingerprint for that.” One solution: a fingerprint lock for employees who want it, but also the option to open the lock with a card system. 

Appropriate security 

“The more sensitive the data you process, the better you need to secure it”, says Van Stralendorff. “So think carefully before processing biometric data as an organisation, as this also involves hefty and costly security measures. The GDPR does not prescribe specifically what those measures are. But a simple password is not enough.” So always discuss that form of security with a security specialist. 

Replacing your face 

The rules for biometrics are stricter in the EU than in the United States or China. Privacy regulators in the United Kingdom and Greece, for instance, even hand out billions in fines to the American company Clearview, which offers facial recognition based on social media accounts. And the rules will not be relaxed any time soon, Van Stralendorff believes. “There is a reason for that. If your credit card details are leaked, you can get another credit card. But if your face falls into the wrong hands, you can never do anything about it. Because you cannot replace your face.” 

Ask for advice 

In summary, using biometrics to secure your business is not allowed just like that in the Netherlands. But if you follow strict rules, there are opportunities for SMEs. Seek advice from GDPR experts, and make sure you always involve your employees. Because you should not just put an iris scanner in front of the door, like in the film. 

Do you want to secure your business with biometrics, or are you already doing so? We would like to get in touch with you. Share your experience via kvk.cyber@kvk.nl.