Biometric authentication: The privacy implications

Biometric authentication specialist Nok Nok Labs has published a white paper from PwC Legal looking at the key privacy implications of holding on-device and on-server biometric data.

For organisations considering biometrics as they move away from reliance on usernames and passwords, the report highlights why holding biometric data locally is a better approach when it comes to satisfying key privacy requirements on cross-border personal data transfers.

There is a general prohibition on cross-border transfers of biometric data in most of the jurisdictions covered by the PwC paper, as biometrics are considered personal data. Therefore, when storing biometric data on a central server/in the cloud, organisations must be mindful of the restrictions on the transfer of biometric data across borders. Some exemptions to the general prohibition exist, such as obtaining consent from individuals or ensuring that the cross-border transfers are only to countries that ensure an adequate/similar level of protection for the rights of individuals.

The report reminds that organisations must establish technical and organisational measures to protect biometric data from unauthorised access and other unlawful processing operations. In addition, staff with access to biometric data must be trained on how to handle and protect such data. Staff and suppliers must also be vetted to ensure that they are reliable.

After comparing in some detail the differences between storing biometric data on-device and on-server, the report finds that on-device storage inherently gives users more control over their personal data and is consistent with privacy best practices to provide an individual control over his/ her personal data.

It concludes: “Biometric data is personal data (and some jurisdictions consider it to be sensitive personal data). There are common privacy requirements in place that govern the processing of personal data in the EU and Switzerland, Canada, the USA and the Asia Pacific Region. Compared to ‘on server’ storage of biometric data, the storage and matching of biometric data ‘on device’ for authentication purposes is a compelling and easier approach to satisfy global privacy requirements on cross-border personal data transfers, and individuals’ choice and control around such personal data.”

“Biometric authentication and verification can be one of the most secure ways to control access to restricted systems and information,” said Stewart Room, partner at PwC Legal. “Unlike authentication based on traditional passwords, authentication through biometric data is easier to use in practice, and can be far more secure.

“However, this is a double-edged sword, because biometric data is extremely sensitive due to its uniqueness and how intrinsic it is to a specific individual. Additional efforts must be made to keep this data secure including choosing a proper compliance system and infrastructure, training staff how to handle it and protecting it from unauthorised access or disclosure.”

The full report can be found here: