Biometric data: Why this class of data deserves special attention

From fingerprints to face recognition, biometric data helps keep our devices and most sensitive personal information secure. But biometric data is not like other personal data, and the consequences of its loss or misuse can be costly and long lasting.

The use of biometric data has surged in recent years. We increasingly use our biometric data – whether a fingerprint or face imprint – to unlock our mobile phone, board a plane, or to securely log on to online accounts, apps and services.

In healthcare, it is used to identify patients, while banks use biometrics to authenticate customers and combat fraud. Insurers may use biometric data to incentivise healthy lifestyles or retailers to track consumer behaviour, while law enforcement agencies can use facial recognition and DNA to prevent crime or identify criminals.

Biometric data currently falls into two main camps: physiological biometrics, such as fingerprints, facial recognition and iris scans; and behavioural biometrics, which capture an individual’s unique behavioural patterns, such as voice, movement, gait, or keystrokes. These unique biometric markers offer more convenient and secure ways to access our most sensitive data, networks and physical spaces. But the integration of biometric data into everyday processes is not without challenges.

Biometric data comes with inherent privacy risks, as it involves handling sensitive personal information that, if compromised, could lead to irreparable harm to individuals’ privacy and security. An important characteristic of biometric data is that it is immutable. Unlike a password or PIN, an individual’s fingerprint or face imprint cannot be altered. Once stolen, a person’s biometric data could be used repeatedly to commit fraud, access systems, and steal money or valuable data.

Enhanced risk management

The nature of biometric data introduces a spectrum of risks for organisations, from data breaches and unauthorised access to legal non-compliance and reputational damage. These risks necessitate a strict risk management approach, including technical controls, legal compliance, and incident response strategies.

Organisations must obtain clear and informed consent from individuals before collecting biometric data, and implement robust security measures to protect biometric data. They should also regularly review and update privacy policies to address biometric data and keep pace with regulatory and legal developments regarding biometric data.

There are several specific measures that should be considered to protect biometric data:

• Data Minimisation: Limiting the collection and storage of biometric data to the minimum necessary helps reduce exposure.
• Encryption: Applying strong encryption to biometric data is a critical protective measure. Full encryption should be enforced both when data is at rest and in transit.
• Access Control: Employing strict access controls, including secure authentication measures and segregation of duties, help safeguard data from unauthorised access.
• Cancellable Biometrics: This method uses algorithms to distort biometric data before storing it, preserving the integrity of the original biometric data and effectively invalidating data should it be compromised.

Developing regulatory landscape

The regulation of biometric data varies by country. But due to its sensitive nature, biometric data is typically subject to additional requirements and controls under data protection and privacy laws.

Among the most prominent regulations concerning biometric data is the EU’s General Data Protection Regulation (GDPR). Under the GDPR, biometric data is considered a “special category” of personal data, subject to stricter processing conditions, including obtaining explicit consent and implementing robust data protection measures. In addition, the EU’s in-coming AI Act would establish new rules for biometric data, including a ban on real-time biometric identification for law enforcement purposes, albeit with some exemptions, such as for the prevention of terrorist attacks.

However, the GDPR allows individual member states to introduce additional provisions related to biometric data, while national data protection authorities (France, Italy and Spain, for example) have issued specific guidelines for processing biometric data. In Ireland, the Data Protection Commission has yet to publish specific guidance on biometric data, although it has expressed views on biometric data within wider data protection guidance, while the UK’s Information Commissioner’s Office (ICO) is in the process of developing specific guidance.

Notably, the Spanish Data Protection Agency published guidelines in November 2023 that emphasise the principles of legality, consent, purpose limitation, data minimisation, and security in the context of biometric data. The guide outlines legitimate bases for processing biometric data, and recommends conducting a risk analysis, an impact assessment, and a test of appropriateness, necessity, and proportionality to justify the use of biometric systems for access control.

US and rest of the world

Outside the EU, countries have taken diverse approaches to biometric data, ranging from specific laws to broader data protection legislation that encompasses biometric data. Several countries have either implemented GDPR-like legislation (Brazil) or country-specific data protection legislation (Canada, Australia and New Zealand) that provide for the use and protection of biometric data.

The US has been particularly active with regards to biometric data privacy regulation. Enacted in 2008, the Biometric Information Privacy Act (BIPA) is one of the most stringent laws specific to biometric data in the US, and has been the focus of high-profile lawsuits. Companies found liable for BIPA violations can face substantial financial penalties: BIPA allows for statutory damages ranging from $1,000 for each negligent violation to $5,000 per reckless or intentional violation.

In the absence of federal privacy laws, regulation of biometric data in the US is on a state-by-state basis. Texas and Washington have enacted specific biometric privacy legislation, while many states include biometric data within existing data protection laws. The California Consumer Privacy Act, for example, covers the handling of biometric data and requires businesses to disclose data collection and usage purposes.

Regulatory enforcement and litigation

The penalties for biometric data protection and privacy violations can be severe. While the GDPR does not prescribe higher penalties for data breaches, it does allow for fines of up to €20m, or 4% of the company’s global annual turnover (whichever is higher), for personal data protection or processing violations, including biometric data.

Recent years have seen data protection authorities take a range of enforcement actions against companies for the unlawful processing of biometric data, including financial penalties. In Europe, the CNIL issued a €10,000 fine in 2018 to a French company that used a biometric time clock device to control employee schedules, while Ireland’s DPC issued a €100,000 fine against care home provider after a phishing scam led to residents’ biometric data being compromised. The AEPD fined a gym in Spain €50,000 for using its clients’ fingerprints as a method of access control, while the Dutch privacy regulator fined an employer €725,000 in 2022 for processing biometric data unlawfully.

The legal landscape for biometric data is also evolving as the courts interpret laws like BIPA in the US, setting precedents that influence future litigation and regulatory practices. One notable example is Cothron vs White Castle System, which set a precedent stating that a separate BIPA violation occurs each time biometric data is collected without explicit user consent, thereby potentially multiplying legal claims and associated costs. The ruling was recently upheld by the Illinois Supreme Court.

Keeping pace with developments 

Cyber insurance is designed to cover risks associated with data protection, including biometric data. However, as an evolving area of risk, regulation and litigation, insurers are paying special attention to insureds’ biometric data exposures and related risk management controls and processes.

In the US, BIPA has resulted in some significant claims for insurers, which has led to some tightening of coverage terms for companies with US biometric exposure. Within Europe, where litigation has been less of an issue, insurance of biometric data continues to fall under general GDPR considerations. Going forward, insurers will need to carefully evaluate the scope of coverage for biometric data against the backdrop of a developing technical, regulatory and legal landscape.

Above all, underwriters will want to see adherence to best practices when it comes to biometric data. Organisations must adopt appropriate risk management practices, including regular security assessments, adherence to minimum data processing principles, and robust incident response plans. For insurers, understanding these practices is vital for assessing policy applications and guiding insureds in mitigating risks associated with biometric data.

Contributed by Carlos Rodriguez Sanz, AXA XL’s product leader cyber for APAC & Europe, and Alejandra Llobera, AXA XL’s financial lines practice leader, for APAC & Europe, with the collaboration of Clyde & Co.