Privacy rules aimed at facilitating the processing of biometric data have been just issued by the Italian data protection authority (the Garante) with the purpose of fostering technologies relying on their usage including Internet of Things technologies.
We previously referred to a consultation of the Italian data protection authority (DPA) on the new rules regulating biometric data. Following such consultation the Italian DPA now issued a decision together with guidelines on the processing of biometric data.
Obligations in the processing of biometric data
The Italian DPA confirmed that the processing of biometric data requiring is subject to:
- The provision to individuals (i.e. the data subject) of a privacy information notice that not only shall list all the information prescribed by Italian law, but shall also inform them on whether there are technologies alternative to the collection of biometric data, shall mention specific instructions regarding the usage of the device held by the user and shall include signs or warnings where such data are collected for instance in case of access to specific areas;
- The prior consent from the individuals, unless the scenarios mentioned below apply;
- The prior notification of the data processing to the DPA, save for some exceptions such as the processing performed by medical practitioners;
- The implementation of stringent security measures in terms, among others, of
- obligations of deletion of raw data collected during the biometric capture,
- usage of encryption technologies for their storage and transfer and
- usage of mobile device auditing technologies;
- The storage of such data for no longer than the term required which varies depending on the type of processed biometric data;
- The notification to the DPA through a dedicated email address of data breaches within 24 hours from their occurrence; and
The prior approval by the DPA which will prescribe the measures to be implemented in the data processing whose application shall list specific information.
Exceptions to the privacy regime
Also the good news is that the Italian DPA identified the following cases when the processing of biometric data is deemed to be exposed to a lower risk
- Electronic authentication where the data processing can occur also without the individual’s consent,
- Access to sensitive areas or usage of dangerous machines where likewise the data processing can occur also without the individual’s consent,
- Circumstances where fingerprints and the topography of the palm of the hand are used to facilitate the usage of some functioning, and
- Execution of electronic documents through the so called advanced electronic signature.
In the circumstances above no prior approval of the Italian DPA is necessary for the processing of biometric data.
Consequences for the Internet of Things
The Internet of Things technologies and in particular wearable technologies will considerably rely on the processing biometric data and such new rules are welcomed. This approach aimed at pushing for a growth of the Internet of Things market is reflected also in the current consultation of the Italian telecom regulator on the Internet of Things.