Page 40 - SMRH Eye on Privacy 2019 Year in Review Brochure

France Continues to Focus on Use of Biometrics
Posted on April 2, 2019
The French CNIL (the country’s data protection authority) has released rules for how companies can use the biometric information of their employees. Fingerprint scanning is a popular method for “clocking in” around the globe, and like the biometric laws in the US (in particular in Illinois, which we have written about here), it has fallen under scrutiny in France. Late last year the CNIL issued a fine for a company’s use of fingerprint timeclocks, stating that use of biometrics could not be done without CNIL approval under the French Data Protection Act. Around the same time, the CNIL sought input on proposed regulations, which have now been adopted.
Under the regulations, companies that wish to use biometric scanning systems like facial recognition, fingerprint clocks, or retina scans will need, among other things, (1) to justify to the CNIL why they need to use these systems as opposed to another, less intrusive method, (2) to have “rigorous” security measures in place to protect the biometric data, and (3) to conduct a GDPR data protection impact assessment. With respect to the first element, justifying the need to use biometrics, companies will need to point to a specific context or reason that requires them to use biometrics as identifiers. This might be, for example, the employee being authorized to use dangerous machinery or having access to valuable items or large sums of money. Additionally, the company will need to show why a less intrusive identification method (a badge or password, for example) is not sufficient. Finally, the company will need to document its decision.
PUTTING IT INTO PRACTICE: Companies that use biometric identifiers for their workforce should keep in mind this new French law, ensuring that they have addressed its requirements (and anticipate that other countries may follow suit).
European Data Protection Board’s Priorities for 2019/2020
Posted on March 26, 2019
The European Data Protection Board (EDPB) has released its priorities for 2019/2020 in its two-year “Work Program.” The EDPB is charged with issuing guidelines and opinions about GDPR, advising the European Commission about privacy-related issues, helping with the “consistent application” of GDPR, and promoting cooperation among the EU Member States’ supervisory authorities. Among the activities it anticipates engaging in over the next two years are a variety of guidelines, including those relating to the targeting of social media users and guidelines on children’s information. It also expects to have a guideline on the territorial scope of GDPR (which it will finalize after public consultation), and a guideline on data subjects’ rights.
The EDPB also anticipates engaging in other activities in the next two years, including a follow-up on the EU-US Privacy Shield, the development of an EDPB Enforcement Strategy, and work on data breach notifications. The EDPB has also indicated that it will continue to engage in its regular and ongoing work, including ensuring the consistency of opinions and decisions amongst the various supervisory authorities. These might include codes of conduct, Binding Corporate Rules, and the like.
PUTTING IT INTO PRACTICE: The EDPB Work Program gives a comprehensive overview of its planned activities. Other helpful resources from the EDPB can be found on its website: https://edpb.europa.eu/.