Among emerging technologies, which are bound to engage more and more with personal data for reasons related to a wide range of interests, biometric data plays an important role in identity verification and authentication. Many devices produced by private sector actors include fingerprint or facial recognition technology used in place of passwords to enter systems or seal transactions. More vitally, governments prefer to use biometric technologies to promote the security of procedures conducted in public bodies and to ease identity verification processes. Given its wide use and its evolving place in individuals' lives, the lawful processing of biometric data is of significant importance for both private and public actors. In this article, the main principles to be taken into consideration when processing biometric data under the relevant jurisdictions are discussed in the context of emerging technologies.
What is Biometric Data?
According to the General Data Protection Regulation (“GDPR”), ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. Therefore, a wide range of personal data that might be regarded as biometrics does not fall within this definition when it has not been subjected to specific technical processing or is not being processed for identification purposes. For instance, the video footage of an individual cannot be considered biometric data under the GDPR if it has not been specifically technically processed for the identification of an individual (for further details on this example, see the European Data Protection Board, Guidelines 3/2019 on processing of personal data through video devices, Version 2.0, adopted on 29 January 2020).
Processing of biometric data is prohibited unless it is in line with the principles of processing enshrined in the GDPR, especially regarding data minimization, necessity and proportionality. Moreover, these principles have to be reflected and implemented in the processes led by data controllers, in line with the obligation of data protection by design and by default. On the other hand, where biometric data is processed by law enforcement authorities, the rules and principles of the Law Enforcement Directive (EU) 2016/680 have to be taken into consideration.
Perspective of Turkish Law
As per the Law on Personal Data Protection No. 6698 (“Law No. 6698”), biometric data is classified as a special category of personal data and may not be processed unless the data subject gives explicit consent or the processing is explicitly provided for by laws. In regard to the rule of law, the Turkish Data Protection Authority (“Turkish DPA”) further indicates that the provision stipulating the processing of biometric data must be explicit beyond reasonable doubt.
Even though the Law No. 6698 does not specifically define biometric data, the Turkish DPA has recalled the GDPR definition of biometric data in several of its decisions. Most recently, the Turkish DPA has ruled on biometric signatures in its decision numbered 2020/649, where it stated that the processing of a biometric signature is lawful if the data subject provides his explicit consent.
In the decision numbered 2020/649, in order to define and handle the concept of biometric data, the Turkish DPA stated that individuals carry the features of their biometric data on themselves. In this sense, the Turkish DPA further detailed the concept by stating that “Physiological biometric data refers to unique features on the human body. Within this context data such as iris and retina scan, fingerprint, face, palm print and blood vessels may constitute physiological biometric data. On the other hand, behavioral biometric data refers to dynamic behavioral features that can change regarding time, mood, age, and other similar factors. For instance, data such as the way people walk, the way they press the keyboard, the pressure, and the type of pressing they apply while using smart devices, and the way they drive constitute behavioral biometric data.”
Examples of Rule of Law on Biometric Data Under Turkish Law
Under Turkish Law, the use of biometric data as a means of identification and authentication is recognized under a variety of regulations in areas such as banking, health, or law enforcement.
Accordingly, as per the Law on Social Insurance and General Health Insurance numbered 5510, individuals in Turkey have to confirm their identities by virtue of biometric mechanisms and/or an identity card, driver's license etc. when they apply to healthcare providers. In this respect, healthcare providers who do not properly perform identification procedures are responsible for any pecuniary damages incurred by the Social Security Institution of Turkey due to providing health services to a person other than the real beneficiary under the relevant legislation.
As a prominent example of the use of biometrics, law enforcement authorities are entitled to use biometric mechanisms in order to identify persons who are banned from sporting events pursuant to the Law on Prevention of Violence and Disorder at Sporting Events numbered 6222. In this regard, the Law No. 6698 also stipulates that data processing by public institutions and organizations duly authorized to do so by laws, within the scope of preventive, protective and intelligence activities to maintain national defense, national security, public security, public order or economic security, shall be exempted from the provisions of the Law No. 6698.
Global Examples on Biometric Data: Law Enforcement and Smart Solutions
In regard to the processing of biometrics for law enforcement purposes, the use of automated facial recognition (“AFR”) technology by police has been considered unlawful in the well-known Court of Appeal judgment of the United Kingdom in the case of R (Bridges) -v- Chief Constable of South Wales Police. The Court of Appeal ruled that the legal framework in place regarding AFR has fundamental deficiencies and that this framework gives individual police officers too much discretion over who can be subject to AFR technology and where such technology can be deployed.
While anonymity in public spaces and the consistent tracking of individuals are causes of concern in many regions in terms of privacy, the Chinese government, by contrast, aims to score the trustworthiness of each individual through a score-based social credit system which continuously collects data on the social and economic activities of individuals. Under the social credit system, an individual's score may bring benefits when it is higher and several punishments when it is lower. The system is well known for its automated facial recognition, which enables surveillance of individuals at every stage of their daily lives.
Due to its main virtue regarding the identification of individuals, biometric data has a significant place in digital transformation and emerging technologies. However, the unique nature of biometric data also carries many risks regarding the fundamental rights and freedoms of individuals. From this perspective, new and comprehensively well-defined regulations will be needed in the near future to govern the use of biometric data, especially in terms of facial recognition technologies, in order to promote the values of democratic society.
Aslı Naz Ünlü