FB pixel

CNIL sets rules for biometric employee time and attendance systems in France

 

France’s Commission nationale de l’informatique et des libertés (CNIL) has published regulations for companies using employee’s biometrics, requiring the use of the technology to be justified to the CNIL, “rigorous” security measures to protect biometric data, and a GDPR data protection impact assessment to be conducted.

The French Data Protection Act has required businesses to obtain approval from the CNIL for deploying biometrics to track employees, and the regulator issued a fine of €10,000 last September to a company that had failed to do so.

The CNIL launched public consultation on the draft of the regulations around the same time, amid a legal shift that includes GDPR but also legislative changes to French computer law made in recognition of the popularity and utility of biometric access control.

The regulation allows morphological biometrics, such as fingerprints, vein patterns, or iris scans, but not biological modalities, such as blood or DNA matching, or behavioral biometrics, following the definitions included in GDPR. Justifying the deployment of biometrics to CNIL will require identifying a specific context that requires a high degree of security, and demonstrating the inadequacy of “less intrusive means” to do so. Employee consent is not required.

This latter point marks a major departure from Illinois’ BIPA, which has generated hundreds of law suits on the basis of alleged violations of informed consent process rules.

The regulations apply to private and public sector employers alike, according to an FAQ accompanying the announcement, while third parties designing and installing biometric systems will be considered subcontractors under GDPR. This means the employer organization is considered the system’s controller and is responsible for ensuring the subcontractor meets the regulatory requirements.

Liisa Thomas of Sheppard Mullin Richter & Hampton LLP advises in a blog post to Lexology that business using biometrics should anticipate the possibility of other countries following France’s lead.

Article Topics

 |   |   |   |   | 

Latest Biometrics News

 

Digital identity frameworks and their choices reflect different worldviews

At a talk for KuppingerCole’s European Identity and Cloud Conference (EIC), Markus Sabadello, CEO of Danube Tech, looks at the…

 

Clearview AI data harvesting not protected speech, says California appeals court

Clearview AI continues to slog through a quagmire of legal issues in the U.S., UK and Canada. In California, an…

 

World Bank demystifies PKI and electronic signatures at ID4Africa 2025

A workshop chaired by World Bank officials Nay Constantine, Tunde Fafunwa and Chris Tullis addressed how electronic signatures enable remote…

 

Rwanda launching digital identity, biometrics enrollment with $8.5M budget

The government of Rwanda is investing 12.2 billion Rwandan francs (approximately US$8.5 million) in the upcoming 2025-2026 fiscal year to…

 

Procurement integral part of digital ID system design from beginning: UNDP

Experts from the United Nations Development Program (UNDP) have advised governments implementing digital ID systems to make procurement an integral…

 

Iraq: 8M voters did not complete biometric registration for November election

Over 8 million eligible voters in Iraq have not yet completed biometric registration for the parliamentary elections in November, forcing…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Biometric Market Analysis

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events