Biometrics and data privacy: What regulation is in place?


Contributed

This content is contributed or sourced from third parties but has been subject to Finextra editorial review.

Revolut is currently facing a class action lawsuit in Illinois, US alleging that the company unlawfully collected, used, and stored customers’ biometric data.

In the current age of instant payments and increasing consumer demands, biometric data has become increasingly significant in facilitating authentication and verification during the payments process.

The biometrics industry is booming as more and more payment companies implement biometric technology to strengthen security and create a more seamless customer journey. However, because biometric data records users' faces, fingerprints, and voices, and unlike a password cannot be changed once compromised, holding it calls for heightened security and legal safeguards to ensure that users are protected.

In light of the lawsuit now facing Revolut, it is necessary for consumers and companies to be aware of the data privacy regulation in place to protect user data from being exploited and to keep payment companies in check when they handle sensitive information.

Biometric data regulation in the UK, EU, and USA

In the UK, the UK General Data Protection Regulation (UK GDPR) treats biometric data processed to uniquely identify a person as special category data: such processing is prohibited unless one of a limited set of conditions applies, most commonly the individual's explicit consent. Beyond that, there are currently no sector-specific regulatory restrictions on how financial institutions handle biometric data. The Data Protection Act 2018, which supplements the UK GDPR, likewise requires companies to have a lawful basis, and in practice explicit consent, before storing and processing this kind of user information.

In the EU, the Artificial Intelligence (AI) Act addresses biometric data directly. The European Commission's proposal lists biometric identification systems as "high-risk" AI systems, and the European Parliament's position goes further, banning certain biometric AI systems (notably remote biometric identification in public spaces) with limited exceptions. The Council of the EU's position does not categorise all biometric systems as high-risk, but still imposes obligations on them. However, when it comes to fraud prevention in financial services, the European Parliament's position does not place biometric fraud-prevention systems on its high-risk list.

In the US, there is no federal law dedicated to biometric data; regulation depends on state laws. California, Illinois, New York, Texas, Virginia, and Washington have passed legislation covering biometric privacy. Illinois' Biometric Information Privacy Act (BIPA) is the most significant of these for litigation because it gives individuals a private right of action, which is why biometric class actions, including the one against Revolut, are typically filed there. In 2018, the California Consumer Privacy Act (CCPA) was enacted, and in 2020 the California Privacy Rights Act (CPRA) passed, amending the CCPA. The CCPA set out consumer privacy requirements and restricted companies from selling consumers' personal information without giving them the right to opt out. The CPRA extends the law: it restricts the sale and sharing of children's personal information, gives consumers rights to access, limit, and control the use of sensitive personal information (which includes biometric data), and holds businesses accountable for failing to implement reasonable security measures for consumer data.

Biometric privacy laws in India and China

In India, the Aadhaar system verifies residents' identity using biometrics and is used throughout government and civil services. India's Digital Personal Data Protection Act (DPDP Act), passed in 2023, affirms individuals' right to privacy and requires commercial organisations to have a specified, lawful purpose for processing personal data, including biometric data. The Act requires explicit consent from users for such processing, protecting them and holding businesses accountable.

China similarly has explicit cybersecurity and data protection legislation designed to protect consumers from commercial entities that would exploit or share personal data. The Personal Information Protection Law (PIPL), which took effect in 2021, treats biometric data as sensitive personal information and requires separate consent and a specific, necessary purpose before it can be processed. Draft rules have also been proposed to limit the use of facial recognition technology in public spaces to protect citizens' identities.

Financial services must keep ahead of biometrics privacy regulation

Following the lawsuit against Revolut, which was preceded by a similar action against Facebook in Illinois, where the company paid users $650 million to settle claims that it had misused biometric data, it is essential that the financial sector keep pace with biometric data regulation.

If the financial services industry goes unchecked, there are serious risks to user privacy and the threat of sensitive, unchangeable data leaking out. Therefore, companies implementing biometric technologies to improve customer experience must do so with transparency and the explicit consent of the user to ensure both protection and compliance.
