French Data Protection Authority Approves Implementation of Biometric Authentication Tools in Banking Sector

On May 29, 2017, the French Data Protection Authority (Commission Nationale Informatique et Libertés, or "CNIL") announced that it had authorized nine banking institutions to implement, on an experimental basis, authentication tools based on voice recognition, in the context of user authentication procedures that are mandatory when processing banking transactions.

CNIL determined that these projects comply with the applicable data protection requirements, such as the prior consent of the data subject, limited data retention period, limited scope, confidentiality guarantees, and commitment to provide a report upon the term of the experiment.

As such experimental data processing must ensure that the data subject will control his/her biometric information, CNIL emphasized that biometric information either must be stored on a device in the possession of the data subject, or stored in a centralized database in an encrypted format, provided that only the data subject holds the decryption key necessary to access the biometric data. Following the same trends, other banking institutions have started to use "selfie" authentication tools (biometric authentication that confirms a person's identity using facial recognition technology via a selfie taken by that person) to enable client access to their bank accounts.

In preparation for the effective implementation of the General Data Protection Regulation in May 2018, CNIL also announced that the implementation of data processing involving a voice recognition tool or other tools relying on biometric data (e.g., fingerprints and photographs) will require the data controller to carry out a data protection impact assessment—a comprehensive analysis of the impact of the envisaged processing operations on the protection of the personal data.

CNIL's ability to understand and take into account the appetite of businesses for innovative data processing tools involving biometric data is well illustrated by these experimental projects. Banking institutions operating in France, as well as other businesses for which robust user authentication is critical, should assess the opportunity to implement new authentication tools to simplify interactions with their customers while ensuring a high level of security, in compliance with data protection regulations.

Lawyer Contacts

For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at

Olivier Haas

Daniel J. McLoon
Los Angeles

Mauricio F. Paez
New York

Undine von Diemar

Hatziri Minaudier, an associate in the Paris Office, assisted in the preparation of this Alert.

Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our web site at The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.