The French CNIL (the country’s data protection authority) has released rules for how companies can use the biometric information of their employees. Fingerprint scanning is a popular method for “clocking in” around the globe, and like the biometric laws in the US (in particular in Illinois, which we have written about here), it has fallen under scrutiny in France. Late last year the CNIL issued a fine for a company’s use of fingerprint timeclocks, stating that use of biometrics could not be done without CNIL approval under the French Data Protection Act. Around the same time, the CNIL sought input on proposed regulations, which have now been adopted.
Under the regulations, companies that wish to use biometric scanning systems like facial recognition, fingerprint clocks, or retina scans will need, among other things, (1) to justify to the CNIL why they need to use these systems as opposed to another, less intrusive method, (2) to have “rigorous” security measures in place to protect the biometric data, and (3) to conduct a GDPR data protection impact assessment. With respect to the first element, justifying the need to use biometrics, companies will need to point to a specific context or reason that requires biometrics as identifiers. This might be, for example, the employee being authorized to use dangerous machinery or having access to valuable items or large sums of money. Additionally, the company will need to show why a less intrusive identification method (a badge or password, for example) is not sufficient. Finally, the company will need to document its decision.
Putting it Into Practice: Companies that use biometric identifiers for their workforce should keep in mind this new French law, ensuring that they have addressed its requirements (and anticipate that other countries may follow suit).