Belgian data protection authority, Gegevensbeschermingsautoriteit, may launch an investigation into supermarket chain Carrefour’s fingerprint payment system.
There’s no denying that we currently live in a fast-paced, highly technological era, one which constantly ushers in new means of identifying individuals and processing digital payments—all geared towards increased convenience. At this stage, thanks to mobile phone advances, fingerprinting may very well be one of the more widely used means of identification, but its uses are certainly not confined to mobile devices. In fact, just this week, one of Europe’s largest supermarket chains, Carrefour, announced that it will organise a pilot project allowing clients to pay for their groceries with their fingerprints in a store in the centre of Brussels.
A report from the Brussels Times explains that the Carrefour pilot project will enable clients to pay by scanning their finger at the cash register, after which the money will be deducted from their bank account. And while this may result in faster checkout times and a more convenient means of shopping, there are undoubtedly privacy and security risks—risks which the Belgian Data Protection Authority would not only like consumers to be aware of but which may also warrant and lead to an investigation by the DPA.
Referencing a report from De Standaard, the Brussels Times presented the following comment from David Stevens, president of the GBA:
“We asked Carrefour a few questions and discovered that a test had already taken place . . . It turned out that Carrefour had already collected fingerprints. Now that we’ve heard the news about the new experiment with fingerprint payments, there’s a good chance we’ll send our inspectors. I cannot yet formally confirm that we will do that, but I think there is a good chance.”
“…that is more than just a signature on paper. Customers really have to understand the risks. If, through hacking, your password falls into the wrong hands, you can replace it. But you cannot just change your fingerprint, face or the iris of your eye. Hence the strict rules,” Stevens is further reported to have said.
Fingerprint risks are covered by GDPR Article 30, which generically refers to online identifiers, which means data protection rules directly apply to fingerprints. This is because fingerprinting constitutes the use of biometric data, i.e. a way to measure a person’s physical characteristics to verify their identity. Biometric data is therefore personal data which must be processed on a lawful basis in compliance with the GDPR and the UK’s Data Protection Act.
Does your company utilize biometric data such as fingerprinting, voiceprinting and facial recognition? If yes, failure to adhere fully to the guidelines and rules of the GDPR and Data Protection Act 2018 could result in a hefty financial penalty. Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. Contact us today.