Commissioned by Nok Nok Labs, a white paper evaluates privacy implications of processing biometric data; comparing the benefits and risks of on-device and on-server matching of biometric data.
For organisations considering biometrics as they move away from reliance on usernames and passwords, the report points to why device-side matching of biometric data is an approach to satisfy key privacy requirements on cross-border personal data transfers, as well as providing the benefits of choice and control around such personal data.
Biometric data is considered to be sensitive personal data and some jurisdictions have already specifically referenced it in privacy guidance and legislation. The paper emphasises key privacy considerations, sets out the implications of processing biometric data in the EU, Switzerland, Canada, USA and the Asia-Pacific region, and touches on best practice recommendations in these jurisdictions.
Stewart Room, partner at PwC Legal, said: “Biometric authentication and verification can be one of the most secure ways to control access to restricted systems and information. Unlike authentication based on traditional passwords, authentication through biometric data is easier to use in practice, and can be far more secure.
“However, this is a double-edged sword, because biometric data is extremely sensitive due to its uniqueness and how intrinsic it is to a specific individual. Additional efforts must be made to keep this data secure including choosing a proper compliance system and infrastructure, training staff how to handle it and protecting it from unauthorised access or disclosure.”
Other findings in the white paper:
● Freely given, informed user consent is required before processing biometric data in almost every jurisdiction covered in the white paper;
● With centralised storage of biometric data, the potential for large-scale loss of data is significantly increased; and
● On-device authentication will generally avoid international cross-border biometric data transfer implications. Conversely, on-server authentication for a global network of biometric users results in international transfers of data; transfer of personal data, including biometric data, out of a jurisdiction is generally restricted.
Phillip Dunkelberger, President and CEO of Nok Nok Labs, an authentication product company and a founding member of the FIDO (Fast IDentity Online) Alliance, said: “Biometrics are a compelling way to improve mobile application usability and avoid the security pitfalls of username/passwords, but significant privacy concerns come into play. With biometrics, it is crucial to understand the difference between on-device and on-server matching, as the difference between the two approaches significantly affects the risk and exposure of data in a breach. The on-device approach, as used by Nok Nok Labs technology, ensures optimal privacy for biometric information.”
The full report can be found here: https://go.noknok.com/PwCLegal-Biometric-WP.html.
