EU data protection bodies bring the gavel down on biometric privacy violations

Italy’s watchdog warns Worldcoin; Greece and Spain issue fines for GDPR noncompliance

Fines and warnings are flying in the EU, as national data privacy watchdogs dole out disciplinary action against organizations whose use of biometrics violates European data protection law.

Italian privacy authority gives Worldcoin the evil eye over iris biometrics

Italy’s data protection agency, Garante per la protezione dei dati personali, has sent a warning to Worldcoin, saying that the biometric identity firm’s iris scanning operations, in theory, “would in all likelihood violate EU regulation (GDPR), with all the sanctioning consequences provided for by the legislation.”

Worldcoin trades units of its cryptocurrency, WLD tokens, for scans of a user’s iris biometrics, which it collects with a spherical iris scanner called the Orb to generate a World ID. “Even if Orb devices are not yet functional in Italy,” says the privacy guarantor, “Italian citizens can already download the World App from the app stores, provide their personal data and reserve their free WLD tokens.”

“The Authority believes that the processing of biometric data based on the consent of the participants in the project, issued on the basis of insufficient information, cannot be considered a valid legal basis according to the requirements required by the European Regulation,” says its summary of the warning. It notes that offering financial compensation undermines free and unconditional consent, and cites the absence of adequate age verification as a problem.

An article in the National Law Review, written by Charles-Albert Helleputte of Squire Patton Boggs (US) LLP, points out that the Worldcoin warning is not the first time the Garante has taken a stance against digital identity tech. But Helleputte says this particular warning is justified.

“Worldcoin proposes a very disruptive digital identity compared to where the EU currently stands,” says Helleputte. He believes the revision of the eIDAS framework promoting digital identity wallets does not go far enough to protect the online safety of minors. “Worldcoin is another dimension, close to science fiction,” he writes. “The potential of harm to those who have their iris scanned and their data later compromised is infinite. A digital identity based on iris scanning, when compromised, stays as such forever.”

In March, Portugal ordered Worldcoin to suspend its iris-scanning operations, also pointing to a lack of safeguards to stop minors from trading biometrics for WLD. The company has since introduced age verification.

Watchdogs in Greece and Spain issue hefty fines for GDPR noncompliance

Should there be any doubt about the GDPR’s potency as an enforcement tool, privacy authorities in Greece and Spain have demonstrated how to wield it in monetary terms.

Following an in-depth investigation of biometric systems deployed for managing entry and exit into the Aegean islands, the Hellenic Data Protection Authority has imposed an administrative fine of €175,000 (approximately US$187,000) on Greece’s Ministry of Migration and Asylum, for “breaches found in relation to the cooperation with the Authority and the impact assessments.” A press release from the agency says it also sent the Ministry an order to comply within three months with its obligations under the GDPR.

The systems in question are an integrated digital system for managing electronic and physical security, known as “Centaur”; and the integrated entry-exit control system using a fingerprint reader for biometric data processing, called “Hyperion.”

An even larger financial penalty has been issued by the Spanish data protection authority (AEPD). The company CTC Externalización S.L. (CTC) faces a fine of €365,000 ($391,000) for multiple GDPR violations. The firm provides logistics, industrial services and other operations and services in Spain.

The AEPD launched its investigation after an individual submitted a complaint claiming CTC had collected biometric fingerprint data from employees without disclosing that the data would be stored on an employee platform. In its decision, the agency found that CTC “did not correctly inform its employees about the treatment of their biometric data, in violation of Article 13 of the GDPR.”

Furthermore, the company has not provided a proven guarantee that the biometric data will be deleted after collection, and the AEPD is unable to verify “the security measures implemented to access the hash of an employee fingerprint and employee identification data, in violation of Article 32 of the GDPR.”

The final claim says that “CTC did not consider the processing of biometric data as processing special categories of data or the risks to the rights and freedoms of employees and did not fulfill its obligation to carry out a Data Protection Impact Assessment (DPIA), in violation of Article 35 of the GDPR.”

The regulator has given the company six months to implement a series of corrective measures to attain GDPR compliance.
