Amazon launches new technology in two of its physical stores, which allow for contact free identification and payment, by scanning an individual’s palm.

Amazon is on the verge of launching a new biometric payment system which scans an image of customers’ palms, according to this new BBC article. This new methodology is an attempt at a contactless replacement of traditional membership and physical loyalty cards. The accuracy and unique identifiers lie within the vein patterns in the hands of individuals, which still remain fairly inconspicuous to the naked eye. These scanners would require the customer to wave their palm a few inches away from a scanner making it a viable contactless form of ID/payment simultaneously. The system is currently being tested at two Amazon stores. Physical bills and data will be stored locally at the stores, but will not be sent to Amazon data centers, and clients will be allowed to delete the data from their website.

Amazon developers think this technology is safer and more secure than other methods of biometric identification. 

The application seems to be as accurate and effective as fingerprints, but not as easily identifiable by human vision, and therefore presumably more difficult to replicate. Amazon developers claim it is more secure than other forms of biometrics, which is especially relevant after issues with racial bias have been shown in the company’s facial recognition software that has currently been suspended by officials. Recently, we published an article on The National Biometric Information Privacy Act, which was introduced into US congress. Bills like these are an attempt to curtail any negative effects or security breaches that may arise in using biometric scanners and similar technology.

While this technology is convenient, some point to possible data security risks.

In the midst of the pandemic, the introduction of a new payment method requiring less human interaction, and no physical contact seems like a much needed innovation, however some groups are advocating against biometric forms of ID and payments due to the possible privacy issues associated with biometric data being stored by governments or large corporations. Director of the privacy rights groups Big Brother Watch, Silkie Carlo says that this new technology is invasive, unnecessary and provides just another outlet for Amazon to cultivate personal data freely despite privacy laws and agreements. 

The convenience of biometrics is not overshadowed by the possible invasion of privacy it risks, as a direct consequence. The implementation of these scanners in many different buildings is being discussed if this initial trial in Seattle locations goes well. This technology is a part of Amazon’s vision of a non human staffed supermarket, where everything is tracked by AI and machines in the store and payment can be completed using this new palm scanner for a full contactless experience.

What does the GDPR say about this type of data processing?

The scans being picked up by these machines fall under biometric data, the processing of which is prohibited, under the GDPR, unless certain conditions are met. When processing biometric data, unless at least one of those conditions are met, the processing is deemed unlawful. Article 9 of the GDPR dictates that one of the following criteria must be met in order for the processing of biometric data;

1. Explicit consent to process that personal data has been given by the data subject for one or more specified purposes, except in instances where union on member state laws prevent the prohibition from being lifted by the data subject.
2. Processing the biometric data is necessary for the purposes of fulfilling obligations or exercising specific rights of the controller or the data subject in the field of employment, social security or social protection law.
3. The processing is necessary to protect the vital interests of the data subject or another natural person if the data subject is physically or legally incapable of giving consent.
4. The processing of biometric data is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body, on condition that the processing relates only to members or former members of the body,  or with a person’s in regular contact with the body, in connection with its aim or purposes related to political philosophical religious or trade unionism.
5. The processing is relating to personal data which is manifestly made public by the data subject.
6. The processing is necessary for the establishment, exercise or defence of legal claims.
7. The processing is necessary for reasons of substantial public interest, including in the area of public health.
8. The processing is necessary for the purposes of private or occupational medicine.
9. The processing is necessary for archiving purposes in the public interest, whether scientific, historical or statistical purposes.

For more clarity on what is classified as biometric data as well as other aspects of this technology, check out our post; 14 common misconceptions on biometric identification and authentication debunked.

Does your company process biometric identification data? Aphaia provides a number of services in relation to compliance with regard to data protection, including regarding biometric data: data protection impact assessments, Data Protection Officer outsourcing, and EU AI ethics assessments. Get in touch today to find out more.