Among the biometric data currently in use, some can be captured and used without the data subjects' knowledge. This is the case, for instance, with genetic prints, since each of us involuntarily leaves behind traces of our body, sometimes minute ones, from which DNA can be extracted. It is also the case for fingerprints, which we leave behind us in daily life and which can be exploited with varying ease.
Over 25 on-the-spot investigations were conducted in 2007 to assess the implementation of biometric recognition devices from the standpoint of compliance with the French Data Protection Act (Loi informatique et libertés). Several lessons may be drawn from the investigation findings.
First of all, it appears that fingerprint recognition systems rely too frequently on a centralised biometric database, even in the absence of any compelling security need that would justify such a choice. This may result from the data controller's lack of awareness of the CNIL recommendations, or from incorrect configuration of the software, so that the situation arises without the users being aware of it.
Secondly, the investigations established that the information provided to data subjects was clearly insufficient, primarily as regards the purposes of the processing and the individual rights of access and opposition.
Lastly, it was found that biometric recognition systems are installed without the necessary security measures being implemented: access control software and biometric databases are not sufficiently protected.
Whenever serious cases of non-compliance were recorded during the investigations, e.g. the absence of authorisation from the Commission, the matter was referred to the CNIL restricted committee, which has the power to order sanctions, in order to ensure that the organisation investigated would bring its processing into compliance.
In addition, discussions are currently under way between the Commission and companies selling biometric devices, in an attempt to obtain commitments from them to inform their customers of the need to apply for the Commission's authorisation before installing any biometric processing, to raise their sales staff's awareness of the requirements of the Data Protection Act, and to remove from their advertising material any misleading statement that would let anyone presume that the CNIL has granted some kind of seal of approval to their biometric systems (for the time being, the Commission has not yet used its labelling powers).
The term biometrics designates all computerised technologies enabling the automatic recognition of an individual on the basis of physical, biological or even behavioural features. Biometric data are regarded as personal data since they enable the identification of an individual. Most of them share the characteristic of being unique and permanent (DNA, fingerprints, etc.).