FB pixel

Biometrics beyond encryption; ‘unlinkability’ and pseudonymization under GDPR

EAB panel has advice but no easy answers
Biometrics beyond encryption; ‘unlinkability’ and pseudonymization under GDPR
 

Even biometric templates secured with encryption are subject to Europe’s General Data Protection Regulation, and must be further protected, according to a panel of subject-matter experts convened by the European Association for Biometrics.

The EAB turned to consideration of what GDPR legislation and courts decisions mean for biometric templates before closing its ‘Workshop on Protection of Biometric Data Under GDPR’ with panel discussion based on questions from the community.

The first portion of the workshop featured explanations of the biometric data protection standards and cryptographic methods that can be used to comply with them by Udo Mahlmeister, Patrick Grother, and Florian Hahn.

Els Kindt of the Biometric Law Lab at the Centre for IT & IP Law (CiTiP), KU Leuven, presented a legal perspective.

GDPR sets out some well established and defined concepts, Kindt says, and the volume of case law that can be drawn on is increasing. Helpful biometric vocabulary is also provided by the ISO/IEC 2382-37:2022 standard.

GDPR does not apply to anonymized data, Kindt notes, whereas pseudonymization is directly addressed in the law. It specifically dictates that additional information that can be used to identify individuals must be stored separately from pseudonymized data.

“Personal data” is the category under which most uses of biometrics are regulated under GDPR. “Identifiability” is a key concept in understanding how GDPR applies to biometric, according to Kindt.

Determining whether a person is “identifiable” from particular data requires an assessment base on “all the means reasonably likely to be used,” according to Recital 26, which was singled out for its importance earlier in the workshop by Mahlmeister. This includes means that might be used by both the data controller and other parties.

Case law involving data protection authorities makes clear that even data like dynamic IP addresses counts, as it could be combined with information from other sources to identify the individual. Not all information needed to identify the individual needs to be held by the same part for data to be identifiable.

Images count as biometric data at any stage of processing, according to the ISO standard, but some regulation from DPAs contradicts this definition, Kindt notes.

Further guidance from DPAs suggests that biometric templates are considered personal data in most cases.

Templates, stored separately from the individual’s name or other correlating data, is therefore dealt with under GDPR as pseudonymized personal data. At the same time, even salted hash functions do not make it impossible for templates to be reversed to recover the original image.

Identifiers that are irreversible, unlinkable and revocable are better protected, but still not “anonymized,” according to a European Data Protection Supervisor decision from 2011, Kindt points out.

Ultimately, Kindt interprets one-way encrypted biometric data as pseudonymized, and therefore protected by GDPR. This means the data can be used for identification or verification, as well as research, but only if protected in a compliant way.

Panel sees risk in assumptions and side-channels

Kindt then joined a panel with Patrick Grother, Florian Hahn and Agnidipto Tarafder of Jindal Global University in India for a panel discussion on GDPR and biometric template protection. The talk was moderated by Mahlmeister and Catherine Jasserand of CiTiP.

Templates compliant with IEEE-2410 are compliant with GDPR under certain conditions, Jasserand says, but dependent on what other information can be linked to them by the data-holder and third parties.

Hahn noted that the assumptions under which biometric templates are sometimes considered anonymized may not hold, due to side-channel methods of identifying an individual.

He suggests that differential privacy and the acceptance of lower certainty by applying tools like bloom filters could help introduce anonymization, but with trade-offs that might not be considered satisfactory for various use cases.

For now, biometric data controllers can implement one-way hashes to stay onside with requirements for privacy protection, even though doing so does not free them from potential liability.

The discussion also touched topics including on the relation between terminology in legal decisions with the terms used in technical standards, and whether standards can help with the assessment of concepts like linkability.

Between the length of time needed to codify technical standards and that taken by the legal system in interpreting the law, businesses will have to navigate some uncertainty around what constitutes compliant protection of European’s biometric templates.

EAB explores how to comply with GDPR mandate for biometric template protection

Article Topics

 |   |   |   |   |   |   | 

Latest Biometrics News

 

US Justice developing AI use guidelines for law enforcement, civil rights

The US Department of Justice (DOJ) continues to advance draft guidelines for the use of AI and biometric tools like…

 

Airport authorities expand biometrics deployments with Thales, Idemia tech

Biometric deployments involving Thales, Idemia and Vision-Box, alongside agencies like the TSA,  highlight the aviation industry’s commitment to streamlining operations….

 

Age assurance laws for social media prove slippery

Age verification for social media remains a fluid issue across regions, as stakeholders argue their positions to courts and governments,…

 

ZeroBiometrics passes pioneering BixeLab biometric template protection test

ZeroBiometrics’ face biometrics software meets the specifications for template protection set out in the ISO/IEC 30136, according to a pioneering…

 

Apple patent filing aims for reuse of digital ID without sacrificing privacy

A patent filing from Apple for ensuring a presented reusable digital ID belongs to the person holding it via selfie…

 

Publication of ISO standard sets up biometric bias tests and measurement

The international standard for measuring biometric bias, or demographic differentials, is now available for purchase and preview from the International…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events