On September 27, 2016, the French Data Protection Authority (“CNIL”) announced the adoption of two new decisions, Single Authorizations AU-052 and AU-053, that will now cover all biometric access control systems in the workplace. These two new decisions repeal and replace the previous biometric decisions adopted by the CNIL and lay down the CNIL’s new position on biometric systems used to control access to the premises, software applications and/or devices in the workplace.
Since 2006, the CNIL has distinguished between “traceless” and “traceable” biometric systems. Traceable biometric systems, such as systems based on fingerprint recognition, allow personal data to be captured and used without the knowledge of the individual. Conversely, traceless biometric systems (e.g., systems based on hand geometry recognition and finger vein pattern recognition) leave very few traces of data. As a result, the CNIL imposed stricter rules on the use of traceable biometric systems because of the higher risks that these systems posed to the individuals’ privacy (i.e., risks of identity theft).
Given new technical developments, the CNIL considers that this distinction is now irrelevant: all biometrics should be considered traceable. The CNIL now only differentiates biometric systems on the basis of the storage method used.
The new Single Authorizations AU-052 and AU-053 repeal and replace the CNIL’s previous Single Authorizations AU-007, AU-008, AU-019 and AU-027.
The CNIL’s Single Authorizations AU-052 and AU-053 distinguish between the two following types of biometric systems:
- Biometric systems that allow individuals to retain control of their biometric template because it is stored on a device held by the individual (e.g., chip card or USB key) or in a database in a form that is unusable without the involvement of the individual (e.g., by providing the individual with a secret key to decrypt the template). These systems must comply with the requirements laid down in the CNIL’s Single Authorization AU-052.
- Biometric systems that do not allow individuals to retain control of their biometric template. These systems are subject to stricter rules and must comply with the requirements laid down in the CNIL’s Single Authorization AU-053.
The CNIL makes it clear that, in a professional context, organizations should use biometric access control systems that allow individuals to retain control of their biometric template. If that is not possible, organizations must justify the implementation of another biometric system and complete an analysis grid.
The CNIL’s new Single Authorizations AU-052 and AU-053 anticipate the application of the EU General Data Protection Regulation (“GDPR”) in May 2018. They take into account the principles of privacy by design and privacy by default, as well as the requirement to conduct data protection impact assessments, which data controllers will have to comply with by May 25, 2018.
As a general rule, biometric systems require the CNIL’s prior authorization. However, organizations may use the CNIL’s simplified registration procedure if the biometric system complies with the CNIL’s requirements laid down in one of its new Single Authorizations.
Organizations that previously filed a simplified registration in line with the CNIL’s previous Single Authorizations (AU-007, AU-008, AU-019 and AU-027) have two years (i.e., until September 2018) to comply with the new Single Authorization AU-052 or AU-053 and file a new simplified registration, or request the CNIL’s specific authorization. As permitted by the GDPR, EU Member States may impose additional limitations on the processing of biometric data, as will be the case in France.