Banks & Biometrics: A match made in heaven or a catch-22 situation?
It is no exaggeration to say that technological advancement has brought a whole new wave of challenges for banks. Nowadays, more and more credit institutions are launching novel products and mobile flows to keep up with the demands of a cutting-edge digital society (e.g. P2P payments). However, this is not an easy task, especially when customers’ sensitive data are involved. Mixing banking and biometric data therefore does indeed look like a match made in heaven, but one that comes with a couple of data protection law challenges.
Connecting the Dots
Now, you might reasonably be wondering whether certain technological banking products could raise legal concerns regarding the processing of biometric data under the GDPR. To get a better understanding, imagine yourself going to a credit institution to open a bank account. As part of the process you are either:
Asked to provide a facial image and to give your (explicit) consent for the processing of that data, or
Required to provide your facial image, with the institution informing you, at least, that the image will be processed for significant public interest purposes.
Bearing in mind that this scenario is not a figment of one’s imagination, you are prompted to ask:
Whether facial images constitute personal or biometric data, and
To what extent Article 9(2) GDPR applies to the processing of biometric data such as facial images by banks.
Facial Images: Personal vs Biometric Data
The alpha and omega of EU data protection law is the so-called GDPR. Following this line of thought, questions regarding definitions can mostly be answered under Article 4 GDPR; the concepts of personal data and sensitive data can be found in Articles 4(1) and 4(14) respectively. When it comes to biometrics, previous research defines biometrics as a term deriving from the Greek words bios (“life”) and metrikos (“measure”), denoting any personal physical feature unique to an individual, such as fingerprints, iris scans, DNA, and facial geometry.
Getting back to the GDPR, biometric data is personal data resulting from specific technical processing relating to the physical characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images. The “magic words” here are not facial image, but technical processing. Namely, the determining factor that makes an image fall under Article 4(14) is the technology used to extract facial measurements from that image.
This is further explained by the Article 29 Working Party (WP29) in its opinion, where biometric data are defined as “…physiological characteristics, living traits or repeatable actions where those features and/or actions are both unique to that individual and measurable, even if the patterns used in practice to technically measure them involve a certain degree of probability.” From this definition it is also understood that biometric data can be stored and processed in different forms. For example, the sources of biometric data (e.g. a face image) cannot be considered biometric data themselves, but can be used for the collection of biometric data (through the extraction of information from them).
Use of Biometrics by Banks
Currently, banks have adopted the practice of processing the biometric data of onboarding customers for identification and verification purposes. In principle, this is prohibited under Article 9 GDPR. If they obtain, however, explicit consent from their customers, or fulfil all the requirements to process the data for substantial/important public interest purposes such as AML, they might have the “green light” to proceed.
Why onboarding customers? Because onboarding is typically the first point of contact an individual has with a specific biometric system. In most cases, enrolment requires the personal involvement of the individual, and therefore may provide a suitable opportunity to provide information and a fair processing notification.
On the other side of the coin, it is of great interest to mention that matching a facial image with an ID document falls under the meaning of biometric matching. Namely, the latter is understood in WP29’s opinion as the process of comparing biometric data/templates (captured during enrolment) to the biometric data/templates collected from a new sample for the purpose of identification or verification/authentication.
In any case, in order to comply with Article 9(2) GDPR, banks have to provide a well-defined purpose for choosing to make use of biometrics. Also, in the case of substantial public interest, it is a prerequisite to fulfil the following requirements, known as the “balancing test”:
Proportionality (the system is necessary to meet the identified needs)
Respect the essence of the right to data protection (lawful basis)
Provide high level of adequate measures and safeguards
To conclude, it is not a flight of fancy to use biometric technologies in the banking system. This compatibility could have enormous advantages for the financial security of customers and for the fight against money laundering. On the other side of the coin, if such technologies are not used in a data protection friendly manner, they could result in serious infringements of the GDPR or other privacy rights. There is a slight difference between facial images as personal data and facial images as biometric data. That said, for biometric data one must check whether physiological characteristics have been processed through specific technical means (i.e. a biometric template) for the purpose of uniquely identifying a natural person. If so, credit institutions will ask for your explicit consent or will justify the processing of biometric data, most likely, on substantial public interest grounds under the GDPR.