CNIL sets rules for biometric employee time and attendance systems in France
France’s Commission nationale de l’informatique et des libertés (CNIL) has published regulations for companies using employees’ biometrics, requiring that use of the technology be justified to the CNIL, that “rigorous” security measures protect biometric data, and that a GDPR data protection impact assessment be conducted.
The French Data Protection Act has required businesses to obtain approval from the CNIL for deploying biometrics to track employees, and the regulator issued a fine of €10,000 last September to a company that had failed to do so.
The CNIL launched a public consultation on the draft of the regulations around the same time, amid a legal shift that includes GDPR but also legislative changes to French computer law made in recognition of the popularity and utility of biometric access control.
The regulation allows morphological biometrics, such as fingerprints, vein patterns, or iris scans, but not biological modalities, such as blood or DNA matching, or behavioral biometrics, following the definitions included in GDPR. Justifying the deployment of biometrics to CNIL will require identifying a specific context that requires a high degree of security, and demonstrating the inadequacy of “less intrusive means” to do so. Employee consent is not required.
This latter point marks a major departure from Illinois’ BIPA, which has generated hundreds of lawsuits on the basis of alleged violations of informed consent process rules.
The regulations apply to private and public sector employers alike, according to an FAQ accompanying the announcement, while third parties designing and installing biometric systems will be considered subcontractors under GDPR. This means the employer organization is considered the system’s controller and is responsible for ensuring the subcontractor meets the regulatory requirements.
Liisa Thomas of Sheppard Mullin Richter & Hampton LLP advises in a blog post to Lexology that businesses using biometrics should anticipate the possibility of other countries following France’s lead.