Biometric data processing of employees under French law
The General Data Protection Regulation of the European Union. Investigation of French law on data protection regarding biometrics, and assistance to employers in complying with the General Data Protection Regulation. Consideration of criteria in a workplace.
Category | State and law |
Type | article |
Language | English |
Date added | 16.01.2024 |
Another specific contradiction concerns the ongoing discussion on balancing interests. The AP takes the position that collecting data on third-country nationals is a legitimate aim of a controller to maintain order and safety, per the final Commission Implementing Decision on technical specifications regarding the standards for security features and biometrics of 30 November 2018. However, according to the manuscript, the reference to personal safety does not equate to public safety under the CFREU, Article 52. From the perspective of the DPA, a person should be informed, and the private party must provide information about the processing. In this regard, the person's biometric data must be controlled for each applicable purpose. Decentralized unique identification remains the person's possession to the loss of anonymity, as noted by Kindt [11]. Notably, in Germany there is a practice in which the GDPA in 2004, in the context of the German Olympic team's participation in Athens, admitted security matters through biometric extracts. Certified guests of the Olympic crew were given unique ID tags that included the person's fingerprints. Hence, both the AP and the GDPA mention alternative identification methods, but they are overall limited. Consequently, the research claims that the earlier idea about adopting legislation in relation to technical concepts of the PET is relevant.
The position of DPAs regarding the criterion of purpose limitation for biometric operations is also problematic, as they need to apply it uniformly. The FDPA and AP have contradictory positions on a similar detail, such as the procedure of fingerprint processing. To avoid conflict with CFREU Article 7, the AP uses an alternative method called a smart object holder, which carries finger characteristics. This means the person presents to the machine an object carrying their finger characteristics rather than placing the finger itself on the machine. The FDPA's explanations are a condition before the safeguards for using human characteristics that do not leave traces, which could balance interests. This safeguard can be used to mitigate risks because the practice commonly uses the characteristics of a finger, which, due to its nature, leaves an imprint. Using an intelligent object holder is recommended to address the issue of characteristics that leave traces. This solution also aligns with the GDPA's application to confidentiality and integrity in biometric systems. However, the FDPA has a different opinion on this solution, as seen in its Opinion N° 04-018 on the request for an opinion by the Hospital of Hyeres relating to the employment of a fingerprint verification application for the management of employees' time and attendance in 2004. The FDPA is concerned that the database will store samples for later use, which could compromise data protection.
To define, it is essential to distinguish between biometric data that leaves a trace and biometric data that does not leave a trace. Legal safeguards must be properly balanced, prioritizing biometric data that does not leave a trace. The FDPA proposes employing hand geometry and vein characteristics, which do not leave a trace. Proportionality must also be devoted to storage, with consideration given to the place of storage for such unique characteristics. To restate, there are two feasible solutions for balancing the storage of biometric data: a central storage server of the private entity or the reader/other objects under an individual's control. The FDPA proposes using hand geometry and vein as unique characteristics that do not leave traces and suggests applying proportionality to storage matters. Personal access via code stored together with the template is recommended. The IDPS clarifies that balance must be complied with via e-indexing the information. The AP imposes a limitation on BDP through a storage requirement that biometric characteristics must be reserved within 24 hours in a central database and removed. The FDPA refers to the general rule that biometric data shall not be kept longer than necessary. The approach of the Netherlands is considered beneficial in achieving the implementation of additional measures.
Conclusions and Recommendations
The research position concerns the criterion of a legitimate basis for processing biometric data in a workplace. The study associates the legitimate basis proportionally to the position of the person. It distinguishes and rules a legitimate basis for two categories: employees and security have a legitimate basis, while enrolled e-users of biometric e-tools have a legitimate permissible basis. For the latter category, individual consent is strictly necessary. The legitimacy of the basis is an explicit and purposeful ground provided only by a legislator. As such, national law shall forbid processing in an incompatible way, such that the unique identification process does not reveal data relating to health, race, etc. The research position could be emphasized by legitimizing the criteria used regarding the biometric system.
Based on the findings, the manuscript proposes a distinction for processing biometric data of employees based on two criteria. The first is security, where the person cannot opt out of such processing, and the company is not required to obtain consent. The second is identification for convenience purposes, where the person's consent must be obtained, and a private entity cannot claim security as the basis for processing. In case of a person's refusal, an alternative for further access should be made available to them.
Assuming that Data Protection Authorities are concerned about the criteria of proportionality, it is strongly recommended that biometric data processing be evaluated under the proportionality test proposed by the European Data Protection Supervisor's Guidelines on Assessing the Proportionality Measures that Limit the Fundamental Rights to Privacy and the Protection of Personal Data of 19 December 2019. This proportionality test is a set of guidelines that assists in setting the mark of criteria that cap fundamental rights to privacy and personal data protection. It comprises an exhaustive analysis of the measure's legality, legitimacy, and proportionality, weighing the specific context and circumstances of processing private data. By operating this proportionality test, DPAs can confirm that unique identification is used appropriately and proportionally to counteract the data subjects' interests with the data controllers' legitimate interests.
Transparency in biometric data processing refers to the obligation of organizations to provide clear, understandable, and easily accessible information to individuals and data protection authorities. This includes details on why and how biometric data needs to be processed and the use of automatic algorithms and predictions related to the nature of the biometric data. On the other hand, accountability involves conducting independent audits on biometric data processing and taking necessary measures when needed. This cannot be replaced by self-regulation and must be complemented by designing goods, services, and applications prioritizing biometric protection through design and default. This responsibility should be integrated into the current GDPR framework, and hardware or software solutions should be chosen carefully while respecting individuals' dignity.
Therefore, the manuscript offers recommendations for countries open to updating data protection law in the context of permission unique identification, which should include several key provisions. Firstly, it should require organizations to justify their use of biometrics based on specific considerations such as context, risks, and technical and regulatory constraints, especially for biometric types that pose the most significant risks. Secondly, the regulation should impose rigorous requirements for organizational and technical security measures to protect personal data. Thirdly, organizations should be required to document their decision-making process and justifications when deploying biometric devices. Fourthly, the regulation should reinforce GDPR obligations, including the requirement to inform individuals about the use of their data.
The manuscript presents a valuable table [3], 'Risks Mitigation of Biometric Data Processing based on the Principle of Proportionality Application,' to assess the risks of biometric data processing by applying the principle of proportionality. Among the exemplified risks are: 1) uncertainty on the necessity; 2) conflicting interests; 3) respect for privacy; 4) data disclosure and processing for incompatible purposes. Accordingly, the table consists of several steps that need to be considered, including but not limited to the mitigation methods based on 1) the legitimacy or legal ground for the unique identification under GDPR Article 9, 2) the balance of interests involved via a common consent, 3) purpose limitation with stress on the storage and database used, 4) assessment of technical and organizational measures via the condition of unique type characteristics taken.
Table

Risks Mitigation of Biometric Data Processing based on the Principle of Proportionality Application

| Steps | Disadvantage: Risks | Mitigation: Principle of the Proportionality | Purpose: Biometric Data Processing | Result: Compliance |
|---|---|---|---|---|
| 1 | Uncertainty on the Necessity | Legitimacy | Identification / Authentication / Verification | Unique identification. GDPR Article 9 (1). It is an Identification or Authentication procedure. It is applicable if more than Verification is needed to identify as a non-unique recognition method. |
| 2 | Incompatible Interests | Balance of Interests | Consent | Free of choice with respect to Human Dignity under the Charter of Fundamental Rights of the European Union Article 1. |
| 3 | Privacy to Charter of Fundamental Rights of the European Union Article 7 Respected | Purpose Limitation | Storage | Decentralized. |
| | | | Biometric Database | At any time, a person shall realize the right to check a biometric data statement in the system. GDPR Article 21. It is possible under the EU's regulative concept of Personal Information Management System (PIMS) designed for online identity management. |
| 4 | Disclosing other categories of Data, and Processing for Incompatible Purposes | Technical and Organizational Measures | Biometric Data leave traces VERSUS do not leave traces | Specific safeguards for biometric data that leave traces, like fingerprints. For example, the print can be in a material sensor holder. That is, a person applies not a finger itself to the biometric system but a material object with the biometric characteristics of a finger. |

Under the table [3], 'Risks Mitigation of Biometric Data Processing based on the Principle of Proportionality Application,' biometric identification accords with the GDPR framework according to the following statements:
1) To determine when GDPR Article 9(1) does not apply, it is essential to implement an identification or authentication procedure that enables the unique identification of an individual. This becomes necessary when non-unique recognition methods are insufficient and a more robust verification process is required.
2) According to the Charter of Fundamental Rights of the European Union, Article 1 guarantees freedom of choice for individuals while respecting their human dignity. This means that individuals have the right to make choices and decisions, without any coercion or undue influence from others, in a manner that upholds their inherent worth and value as human beings. The study emphasizes the need for ensuring informed consent, alternatives for refusal, and maintaining transparency in the processing of biometric data.
3) Decentralized storage is a method of storing data that can improve privacy by distributing information across multiple locations rather than storing it in a single central location. Additionally, under GDPR Article 21, individuals can access and review their biometric data anytime. The manuscript recommends that this can be facilitated by implementing a Personal Information Management System (PIMS) under EU regulatory concepts. By using a PIMS, individuals can better manage their online identities, including their biometric data, while protecting their privacy rights.
4) Specific safeguards must be implemented to protect individuals' privacy when dealing with biometric data, such as fingerprints. One approach is to use a material sensor holder, which allows a person to apply a material object with the biometric characteristics of a finger to the biometric system instead of the finger itself. This method can help to prevent the collection and storage of actual fingerprints, which can leave traces that could be used to identify individuals. By using a material sensor holder, individuals can have their biometric data captured and stored in a way that is less likely to be used for malicious purposes. This is just one example of how specific safeguards can be put in place to protect biometric data and the privacy of individuals.
The comprehensive contribution is that, by following the steps presented in the table 'Risks Mitigation of Biometric Data Processing based on the Principle of Proportionality Application' and adhering to the principle of proportionality, organizations, companies, institutions, authorities, and other persons that desire to employ biometric technology can confirm that their biometric data processing practices are lawful, ethical, and respectful of individuals' privacy and data protection rights.
References
1. Brkan, M. (2016). The Unstoppable Expansion of EU Fundamental Right to Data Protection. Little Shop of Horrors? Maastricht Journal of European and Comparative Law, 23(5), 812-841. URL: https://doi.org/10.1177/1023263X1602300505
2. Brumnik, R. and Podbregar, I. (2010). Biometric Technology and Human Rights. US-China Law Review, 7(1).
3. Bulgakova, D. (2021). Application of the Principle of Proportionality on Biometric Data Processing in European Union Law. University of International Business and Economics (UIBE), Law Faculty, Doctoral Dissertation, 1-371.
4. Bulgakova, D. (2022). Case Study on the Fingerprint Processing in a Workplace under GDPR Article 9 (2, b). Teise, 124, 22-38. URL: https://doi.org/10.15388/Teise.2022.124.2
5. Bulgakova, D. (2022). The Protection of Commodified Data in E-Platforms. Analytical and Comparative Jurisprudence, 1(2022), 208-212. URL: https://doi.org/10.24144/2788-6018.2022.01.39
6. Blazy, O., & Yeun, C. Y. (2019). Blockchain and the GDPR: A Data Protection Authority Point of View. In Information Security Theory and Practice (Vol. 11469, pp. 3-6). Springer International Publishing AG. URL: https://doi.org/10.1007/978-3-030-20074-9_1
7. Duque de Carvalho, S. L. (2019). Key GDPR Elements in Adequacy Findings of Countries That Have Ratified Convention 108. European Data Protection Law Review (Internet), 5(1), 54-64. URL: https://doi.org/10.21552/edpl/2019/1/9
8. Gayrel, C. (2016). The principle of proportionality applied to biometrics in France: Review of ten years of CNIL's deliberations. The Computer Law and Security Report, 32(3), 450-461. URL: https://doi.org/10.1016/j.clsr.2016.01.013
9. Jasmontaite, L., Kamara, I., Zanfir-Fortuna, G., & Leucci, S. (2018). Data Protection by Design and by Default. European Data Protection Law Review (Internet), 4(2), 168-189. URL: https://doi.org/10.21552/edpl/2018/2/7
10. Kindt, E. (2007). Biometric applications and the data protection legislation: The legal review and the proportionality test. Datenschutz Und Datensicherheit, 31(3), 166-170. URL: https://doi.org/10.1007/s11623-007-0064-6
11. Kindt, E. (2012). The Processing of Biometric Data, A comparative Legal Analysis with a focus on the Proportionality Principle and Recommendations for a Legal Framework. Doctoral thesis.
12. Lubin, A. (2020). The liberty to spy. Harvard International Law Journal, 61(1), 185-243.
13. Milaj, J. (2016). Privacy, surveillance, and the proportionality principle: The need for a method of assessing privacy implications of technologies used for surveillance. International Review of Law, Computers & Technology, 30(3), 115-130. URL: https://doi.org/10.1080/13600869.2015.1076993
14. Paul de Hert & Christianen K. (2013). Report on the Application of the Principles of Convention 108 to the Collection and Processing of Biometric Data. Tilburg Institute for Law, Technology, and Society (TILT), Tilburg University.
15. Sprokkereef, A. (2007). Data Protection and the use of Biometric Data in the EU. The Future of Identity in the Information Society, 277-284. URL: https://doi.org/10.1007/978-0-387-79026-8_19
16. Stitilis, D., & Laurinaitis, M. (2017). Treatment of biometrically processed personal data: Problem of uniform practice under EU personal data protection law. The Computer Law and Security Report, 33(5), 618-628. URL: https://doi.org/10.1016/j.clsr.2017.03.012
17. Taylor, M. (2015). "Safeguarding the Right to Data Protection in the EU," 30th and 31st October 2014, Paris, France. Utrecht Journal of International and European Law, 31(80), 145-152. URL: https://doi.org/10.5334/ujiel.cw
18. Worku, U. (2016). The Feasibility of Applying EU Data Protection Law to Biological Materials: Challenging Data as Exclusively Informational. Journal of Intellectual Property, Information Technology, and Electronic Commerce Law, 7, 97.