EU Data Protection Supervisor backs moratorium on biometrics deployments

The growth in popularity of biometrics has been accompanied by widespread misconceptions, according to European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski, who urged experts and non-experts alike to engage in informed debate to further the efforts of groups like the Biometrics Institute in a recent presentation.

Wiewiórowski’s keynote address on ‘The State of Biometrics’ was made during the opening session of the 2020 Biometrics Institute Congress.

“I fear we in our societies still lack the full picture of the individual and societal impact of automated recognition in public spaces of human features, not only of faces but also of gait, voice, and other biometric or behavioural signals,” Wiewiórowski said in the address. “I therefore support the idea of a moratorium on their deployment, in the EU, so that an informed and democratic debate can take place.”

Wiewiórowski began his remarks by acknowledging the rapid proliferation of biometric technology, the impact of the COVID-19 pandemic, and the establishment of two new large-scale IT border control systems involving biometrics, the Entry-Exit System (EES) and the European Criminal Records System for Third Country Nationals (ECRIS-TCN).

People need to check assertions about biometric technology, rather than accepting them unquestioningly, he says, which is why he jointly wrote the ‘14 misunderstandings with regard to biometric identification and authentication’ paper with Spain’s data protection authority. That paper was responded to by the EAB, which checked its assertions and called for collaboration.

Meanwhile Clearview AI has grabbed headlines for its use of web-scraping with facial recognition, but as Wiewiórowski points out, Poland-based PimEyes provides the same kind of service.

Mechanisms for biometric template protection, including ISO/IEC 24745, could help with biometric data security, but Wiewiórowski is unsure how consistently the standard is followed.

THE EDPS also reviewed the conditions which biometrics implementations must satisfy to be legal under GDPR, including proof of necessity and proportionality, relevant data protection principles, purpose limitation and data minimization.

Ultimately, for biometrics to thrive, “it is vital to invest in public trust,” Wiewiórowski says.

He also says he and his staff are closely following the industry, and lauds the work of the Biometrics Institute, and in particular its ‘Good Practice Framework’ and ‘Three laws of biometrics’ publications, both of which were released this year.

Article Topics

best practices  |  biometric data  |  biometric identification  |  biometrics  |  Biometrics Institute  |  data protection  |  EU  |  privacy