Risky business: privacy and biometric data

21 February, 2022

Biometric technology is evolving rapidly but what are the privacy and data protection implications that employers need to consider?

Biometrics partnered with artificial intelligence is making enormous strides in capability, transforming the ways that organisations protect their business.

Security models are being developed that better protect devices against cyber attacks, and banking services are refining protections against fraud, while AI is becoming demonstrably more accurate at detecting biometric spoofs.

Biometric data is seen as an increasingly important tool in identity management globally, helping countries reduce fraud and integrity risks, but the counter argument is that it represents an unacceptable invasion of privacy, regardless of any perceived benefits. 

“Biometric data is data that allows a unique identification of an individual so, for example, if there is an identity theft, you can’t replace, you can’t change the data because it is unique.”

Carmen Dinnella
Associate Attorney
Baker Tilly Italy

Europe is looking to stem the tide of biometric AI, from banning facial recognition technology in public places to warning against emotion recognition by employers, advertisers or health carers, to restricting fingerprint technology for time and attendance.

In the United States, there are no Federal laws but individual states have created their own data-related laws, while Canada, Brazil and South Africa are also among countries that have enacted data protection laws.

Carmen Dinnella, an Associate Attorney at Baker Tilly Italy, understands that many people are aware of the benefits from biometric AI technology but from a legal standing, they must also appreciate the dangers.

“There are a lot of advantages in applying this type of technology, but they are also very dangerous technologies,” she says.

“Biometric data allows a unique identification of an individual so, for example, if there is an identity theft, you can’t replace, you can’t change the data because it is unique.”

“There are a lot of risks in using all these types of data.”

When is consent not consent?

The General Data Protection Regulation (GDPR) imposes obligations on organisations that target or collect data related to people in the EU, but countries can tailor laws specifically as long as they don’t go beyond the EU law.

The GDPR doesn’t ban the use of biometric data but Giovanni Querzani, a Legal Consultant at Baker Tilly Italy, says without laws or regulations governing the use of biometric data specifically in the field of employment, there is little way forward.

“A specific law for the use biometric data of the employees is needed and this is missing in Italy,” he says.

“We have an authority that is required to set these guarantee measures to use biometric data, but for the moment, there are no guaranteed measures so in Italy, we have to update our current laws surrounding data.”

The difficulties of using biometric data in the EU was reinforced through a case in the city of Enna, in Sicily that was concluded in 2021.

“The employees consented to grant the right of the employer to process biometric data, but the Italian authorities said the consent was actually not valid because of the position of subjection.”

Giovanni Querzani
Legal Consultant
Baker Tilly Italy

The Italian Data Protection Authority fined the Enna Provincial Health Authority in Sicily €30,000 for the use of an attendance monitoring system based on processing biometric data.

This was despite employees providing their consent, as was stipulated.

“The problem, in the opinion of the Authority, was that the interests were not balanced, because the processing of biometric data was not proportionate to the need to check if employees have entered the workplace,” Mr Querzani says.

“The Authority ruled that there are other ways to obtain the same result, that were less intrusive.

“The employees consented to grant the right of the employer to process biometric data, but the Italian authorities said the consent was actually not valid because of the position of subjection.”

Ms Dinnella says consent needs to be freely given and in order to be free, employees have to have a choice.

“You can say yes, I want, or you can say no, I don’t want to,” she says.

“But whether you say yes or no, it means two things. The first one it’s not easy to demonstrate free consent when you deal with the working relationship, because you are an employee and you are in a position of subjection, irrespective of your employer.

“The second problem is that if you have a choice, as in yes or no, it means that that there is another way, less impacted, to obtain the same result. And so why do you have to process biometric data?

“If I can say no, then the employer has to find another solution, which means there is an alternative.”

Brazil opens doors for biometric data

Brazil has opted to allow biometric data to be used in certain circumstances related to employment, but again with the full consent of the employee.

Modelled on the EU’s legislation, Brazil’s LGPD creates a legal framework for the use of personal data of individuals in Brazil, regardless of where the data processor is located.

Graziela Baffa, a lawyer who specialises in data privacy at Baker Tilly Brazil, says personal data is sensitive so it is necessary to have their consent for its use.

“There are exceptions where the employer can use biometric data, for some circumstances to comply with the law, for instance, Brazilian labour legislation,” she says.

“It’s necessary to collect the biometric for the employee to prevent fraud and guarantee the time that he enters in the building to start their services, for example.

“But for marketing use, it’s necessary to have their express consent. A business cannot, for instance, capture their biometric data to increase their sales.”

Regions around the world have been putting in place protection laws to regulate how businesses and authorities can collect, store and use all data, including biometric to prevent it from being stolen and exploited for commercial gain.

Ms Baffa says the onus is on the business to ensure personal data is stored and used safely, and companies face penalties of up to 50 million reais.

“If the individual feels that they were damaged somehow because their biometric data was stolen, they can go to the judge and sue the company,” Ms Baffa says.

“They can also go to the ANPD, the National Data Protection Authority in Brazil, and push for reclamation, which would force the company to pay compensation.”

Brazilian authorities have stipulated that organisations that collect personal data must have security safeguards in place and they face stiff penalties if they do not comply.

People can file a complaint formally against the data controllers, who have 15 days to respond. If the issue is not resolved, the complainant can then petition the ANPD to take further action.

“The company must prove that they followed all security and IT mechanisms to safeguard the data and if there is a breach, the company will be held responsible for that,” Ms Baffa says.

But it is an issue that cannot be governed and that may end up being the most challenging problem facing companies – a culture of data protection.

The culture within small and medium businesses in particular, Ms Baffa says, is lacking and that leaves personal information at risk.

“There are some companies in Brazil that do not have the culture of data protection yet,” she says.

“We have seen that big companies are taking the data protection law seriously in Brazil, but the middle and smaller companies not as much.”

Meet the experts
Carmen Dinnella
Baker Tilly, Italy
Giovanni Querzani
Legal Consultant
Baker Tilly, Italy
Graziela Baffa
Baker Tilly, Brazil

Related content

Case study Legal Europe
13 May, 2024
Press release Legal Europe
12 February, 2024
Article Advisory Global
Francesca Lagerberg • 2 January, 2024
Article ESG regulatory reporting Global
30 November, 2023
Article ESG regulatory reporting Global
30 November, 2023
Press release Legal Europe
2 November, 2023
Article ESG regulatory reporting Global
Gabriel Buzzi - Brazil • 5 October, 2023
Article Indirect tax Tax Latin America
Eliel Amaya - Mexico • 4 August, 2023
Article Indirect tax Tax Europe
Marisa Hut - Netherlands • 3 August, 2023
Article Advisory Global
28 July, 2023
People on the ground.
Wherever the opportunity lands.
International enquiries

Multi-jurisdiction and cross-border services

National enquiries

Domestic expertise, local insights