French Data Protection Authority Approves Implementation of Biometric Authentication Tools in Banking Sector

Jones Day

On May 29, 2017, the French Data Protection Authority (Commission Nationale Informatique et Libertés, or "CNIL") announced that it had authorized nine banking institutions to implement, on an experimental basis, authentication tools based on voice recognition, in the context of user authentication procedures that are mandatory when processing banking transactions.

CNIL determined that these projects comply with the applicable data protection requirements, such as the prior consent of the data subject, a limited data retention period, limited scope, confidentiality guarantees, and a commitment to provide a report at the end of the experiment.

Because such experimental data processing must ensure that the data subject controls his/her biometric information, CNIL emphasized that biometric information must either be stored on a device in the possession of the data subject or be stored in a centralized database in an encrypted format, provided that only the data subject holds the decryption key necessary to access the biometric data. Following the same trend, other banking institutions have started to use "selfie" authentication tools (biometric authentication that confirms a person's identity using facial recognition technology via a selfie taken by that person) to enable client access to their bank accounts.

In preparation for the effective implementation of the General Data Protection Regulation in May 2018, CNIL also announced that the implementation of data processing involving a voice recognition tool or other tools relying on biometric data (e.g., fingerprints and photographs) will require the data controller to carry out a data protection impact assessment—a comprehensive analysis of the impact of the envisaged processing operations on the protection of the personal data.

CNIL's ability to understand and take into account the appetite of businesses for innovative data processing tools involving biometric data is well illustrated by these experimental projects. Banking institutions operating in France, as well as other businesses for which robust user authentication is critical, should assess the opportunity to implement new authentication tools to simplify interactions with their customers while ensuring a high level of security, in compliance with data protection regulations.
