EU expresses ‘critical concerns’ with parliament’s biometric register
The European Data Protection Supervisor (EDPS) has expressed critical concerns earlier this week about the European Parliament’s plans to install a biometric register.
Elsewhere on the continent, Poland’s data protection authority (UODO) has published new privacy guidelines about the use of biometric data for companies, and Latvia’s Data State Inspectorate (DVI) has released guidance on how to process biometric, facial recognition data in the retail sector.
EDPS warns against use of sensitive data in biometric register
The EU data watchdog has published a written opinion addressing concerns related to the European Parliament’s plans to create a new biometric register, EURACTIV reports.
The solution, which was first trialed last October, creates a central attendance register for Members of the European Parliament (MEPs) based on fingerprint biometrics. The register will allow MEPs to automatically receive their daily allowance, thus eliminating the need for signatures in meeting rooms.
Now, however, the EDPS’ new opinion suggested the European Parliament explore other options for registering MEPs not requiring the “use of sensitive data.”
The document also clarified that, in case of approval from Parliament, the implementation of the new biometric system should be supported by additional privacy safeguards as well as the preservation of the principle of data minimization.
According to documents viewed by EURACTIV, the new system would be costing the EU more than €100,000 (roughly US$117,500).
Poland releases new privacy guidelines for biometrics
UODO pushed back against a court case reversing a ruling it had issued that a school implementation of biometrics as part of a lunch program in the document, claiming that the consent of parents could not be withheld without subjecting children to discrimination, and therefore is invalid under the General Data Protection Regulation (GDPR). The agency further argues that unnecessary biometrics use can lead to risks of sensitive data exposure.
To tackle these issues, the Polish data protection authority clarified that biometric data should only be collected in exceptional circumstances, as per Article 9 of GDPR.
In addition, any attempt to collect biometric data should be preceded by a Data Protection Impact Assessment (DPIA) taking into consideration the basic principles of data protection: necessity, proportionality, and data minimisation.
The new report also highlighted how some institutions in Poland have already been collecting biometric data without conducting serious risk assessments, which eventually led to discrimination.
Latvia unveils biometric data processing plans for retail applications
New guidelines published by DVI address the use of face biometrics in Latvia’s retail sector. The document specifically focused on the risks connected to the processing of biometric data, and the legal basis for biometrics processing.
DVI explained how biometric data could be exposed if not separated from other data flows, as well as highlighting the existence of security risks connected to smartphones and other devices utilizing facial recognition to provide access to specific resources.
The new report concluded by calling companies and institutions to comply with GDPR when it comes to biometric applications in retail, particularly Article 6 and 9.