July 10, 2020

Volume X, Number 192

July 10, 2020

Subscribe to Latest Legal News and Analysis

July 09, 2020

Subscribe to Latest Legal News and Analysis

July 08, 2020

Subscribe to Latest Legal News and Analysis

July 07, 2020

Subscribe to Latest Legal News and Analysis

France Continues to Focus on Use of Biometrics

The French CNIL (the country’s data protection authority) has released rules for how companies can use the biometric information of their employees. Fingerprint scanning is a popular method for “clocking in” around the globe, and like the biometric laws in the US (in particular in Illinois), it has fallen under scrutiny in France. Late last year the CNIL issued a fine for a company’s use of fingerprint timeclocks, stating that use of biometrics could not be done without CNIL approval under the French Data Protection Act. Around the same time, the CNIL sought input on proposed regulations, which have now been adopted.

Under the regulations, companies that wish to use biometric scanning systems like facial recognition, fingerprint clocks, or retina scans will need, among other things, (1) to justify to the CNIL why it need to use these systems as opposed to another, less intrusive method, (2) have “rigorous” security measures in place to protect the biometric data, and (3) conduct a GDPR data protection impact assessment. With respect to the first element, justifying the need to use biometrics, companies will need to point to a specific context or reason that it needs to use biometrics as identifiers. This might be, for example, the employee being authorized to use dangerous machinery or having access to valuable items or large sums of money. Additionally, the company will need to show why a less intrusive identification method (a badge or password, for example) is not sufficient. Finally, the company will need to document its decision.

Putting it Into Practice: Companies who use biometric identifiers for their workforce should keep in mind this new French law, ensuring that they have addressed its requirements (and anticipate that other countries may follow suit).

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume IX, Number 92


About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...