1. Employee Monitoring

Employee monitoring is considered one of the employer's rights. The reasons for monitoring include providing security, tracking work hours and authorizing access. The methods used for employee monitoring are numerous, especially after drastic technological developments. Chronologically, these methods include forms signed with a wet signature, magnetic ID cards, fingerprint scanners, etc. A fingerprint is biometric data and should therefore be protected by employers. Otherwise, the risk of data breaches, damages and administrative fines becomes unavoidable.

  1. Employee Monitoring Software and Biometric Data

Data protection is regulated by Law No. 6698 on the Protection of Personal Data ("PPD Law") in Turkey and by the General Data Protection Regulation ("GDPR") in the EU. In light of those regulations, the concepts of personal data and biometric data and the conditions for processing employees' biometric data are explained below.

  1. Personal Data, Special Categories of Data, Biometric Data

Although personal data is defined as "any information relating to an identified or identifiable natural person" in the PPD Law, there is no definition for special categories of data. Instead, those special categories of data are listed in Art. 6 on a numerus clausus basis. Biometric data is one of them.

Biometric data is defined as "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data" in the GDPR. From that definition, one can say there is no doubt that a fingerprint qualifies as biometric data.

  1. Processing Employees' Biometric Data

Employers are almost always in favor of monitoring employees for the purposes of security, working-time tracking, authorization, leave tracking and measuring efficiency. Since falsification of timesheets or timecards is a common complaint of employers, there is a tendency to use fingerprint scanners. However, a fingerprint is biometric data; for processing to be lawful, it must be proportional and necessary, and employees must give consent.

  1. Employee Consent

Processing biometric data is prohibited in principle, and such data can only be processed with the consent of the employee. Consent is only valid when it is freely given, specific, informed and unambiguous. For consent to be freely given, it must be given on a voluntary basis.

It is debated whether an employee's consent is valid given the subordination relationship between employee and employer. There is no balance of power, which means the employee is the vulnerable party.

  1. Proportionality and Necessity

Even assuming employee consent is freely given and valid, the processing of fingerprint data must be proportional and necessary, which means that there is no other method available to monitor employees.

  1. Employee Monitoring via Biometric Data in Terms of International and National Data Protection Law

The worldwide tendency to use fingerprint scanners for monitoring employees has created sensitivity around data privacy, because, unlike passwords or ID cards, fingerprint data can have grave consequences once exposed. Indeed, two big companies providing employee monitoring software, Suprema in 2019 [1] and Antheus Tecnologia in 2020 [2], were hacked, and thousands of fingerprint records were exposed. Considering the risks, regulations on biometric data protection are spreading across the world.

  1. Illinois, Texas, Washington [3]

The Illinois Biometric Information Privacy Act entered into force in 2008 and is known as the strictest regulation. Providing the necessary information to the data subject, the presence of valid, free consent and the implementation of technical and organisational measures are some of the conditions for processing biometric data. The Illinois Biometric Information Privacy Act also differs from other regulations by giving individuals a right of action for an amount between 1.000 USD and 5.000 USD.

Recently, Loews Hotels had to pay a 1 million dollar settlement for unlawful employee monitoring via fingerprint scanner [4]. Trump's Hotel in Chicago is in the process of a settlement for the very same reason [5]. It should also be kept in mind that the data processor and the data controller are both responsible in the event of a breach of employee monitoring software [6].

In 2009, Texas enacted its own biometric privacy act. Unlike the Illinois Act, in Texas only the prosecutor has a right of action in case of a data breach. Lastly, in 2017, Washington enacted its own biometric privacy act. Although the National Biometric Information Privacy Act was proposed by Bernie Sanders in August 2020, it had not been voted on.

  1. France

Following the GDPR, the French Data Protection Act was revised accordingly in May 2018. There were some additional conditions for employers to process biometric data, since the GDPR lets member countries improvise. Those conditions are:

  • Employers must ask for the permission of the French Data Protection Authority ("CNIL") before processing biometric data.
  • A Data Protection Impact Assessment must be done and submitted to CNIL.
  • The lack of any alternative method, the necessity and proportionality of processing biometric data and the measures taken by the employer must be explained in detail to CNIL. Authorization for life-threatening machines and the presence of areas that must be highly secured are examples of the necessity of biometric data processing [7].

In September 2018, CNIL issued a 10.000-Euro fine to a company which had processed its employees' fingerprint data without getting permission first [8]. Inspired by the Illinois Act, CNIL published a guideline in March 2019 with an important difference: CNIL considered permission sufficient for processing, thus forgoing employee consent [9].

  1. Netherlands

Art. 29 of the Dutch GDPR Implementation Act has some additional restrictions for processing biometric data. According to Article 29, the prohibition on the processing of biometric data for identification purposes is not applicable in cases where such processing is necessary for authentication or security purposes, meaning consent is not a condition in those cases [10]. Nonetheless, those cases must be treated carefully and interpreted narrowly [11].

In 2019, the Court of Amsterdam ruled that the employer Manfield had unlawfully processed the biometric data of its employees [12]. The company introduced a fingerprint scanner for cash register authorization upon noticing missing cash. An employee did not want to be part of that system.

The company argued that it wanted to prevent fraud, that personal codes were not enough for that purpose and that the GDPR supports such technological developments. The Court ruled that:

  • There was no valid consent, since the fingerprint scanner was imposed on employees without any other alternatives.
  • The company had to pay damages for unlawful data processing, since no other measures such as security cameras or an entry alarm had been taken and the reasons why those measures were not enough were not explained; thus the "highly secured area" condition was not fulfilled [13].

In April 2020, the Dutch Data Protection Authority ("AP") issued a fine of 725.000 Euros [14]. Similarly, the employer had unlawfully used a fingerprint scanner for tracking working time [15]. AP also stressed that the only objection mechanism was talking to the supervisor, and that those who talked to the supervisor gave consent immediately, meaning it was not freely given. The decision is not final yet.

Finally, it should be noted that the Court of Amsterdam indicated that turning fingerprints into personalized codes is another method used by employers and that in such cases those codes shall be treated as biometric data as well. AP cited that point in the decision mentioned above.

  1. Germany

Article 26 of the Federal Data Protection Act ("BDSG") lists conditions specifically for employee data processing [16]. These conditions are:

  • personal data of employees may be processed for employment purposes, e.g. if the processing is necessary to enter into, perform and terminate an employment relationship
  • or to perform a collective agreement
  • or on the basis of the employee's freely given consent.

In proceedings before the Court of Berlin, it was claimed that the employer at a radiology clinic had changed the working-hour tracking system from wet signatures to a fingerprint scanner [17]. An employee's objection resulted in two notices in his personal file. Facing claims of unlawful data processing, the employer argued that fingerprint data was not processed but only converted to a personal code, that this code was used for time tracking and that the conditions for biometric data processing therefore did not apply. On September 16, 2019, the Court ruled in favor of the employee, stressing, like the Court of Amsterdam and AP, that fingerprint data was being processed even when converted into codes.

The Labor Court of Berlin also cited a ruling (C-55/18, 19.05.2019) of the Court of Justice of the European Union ("CJEU") remarking that it is both an employer's right and obligation to create an objective, reliable and accessible system to prevent manipulation of working hours, provided such a system does not breach data rights. It was stressed that biometric authentication could be used for areas where sensitive data is stored, whereas the employer in question used such a system for regular working areas and did not try other measures beforehand. Although the employer insistently argued that timesheets or timecards could easily be falsified by employees, the Court rejected those arguments and remarked that supervision or some other method could be devised to prevent falsification. The District Labor Court of Berlin-Brandenburg issued an appellate ruling on the use of biometric time tracking systems, in which it largely adopted the view of the trial court, the Labor Court of Berlin [18].

  1. Turkey

Article 6 of the PPD Law lists conditions for processing special categories of data, and the Board of the Protection of Personal Data ("the Board") published a mandatory guideline regarding "Necessary Measures for Processing Special Categories of Data". Most recently, the Remote Working Regulation entered into force on March 10, 2021, stressing data and privacy protection in a general manner [19]. Other than that, there are no other regulations on using employees' biometric data.

Article 6 of the PPD Law states that biometric data can only be processed in the presence of freely given consent, unless permission is granted by other laws. In other words, the only way for employers in Turkey to process fingerprint data is to get employees' consent. However, as explained above, the concept of freely given consent is debatable and mostly considered invalid.

The Board issued a decision in December 2020 declaring that the municipality in question was unlawfully processing fingerprint data for authentication [20]. The previous decision regarding biometric data was in a gym context, so this qualifies as the first decision solely focused on employees' biometric data [21].

An employee of the municipality did not want to be part of the fingerprint scanning system designed for time tracking and applied to be exempted from the system, requesting forms with wet signatures instead, but his demands were not met. The municipality argued that all staff were subject to the fingerprint scanner system for time tracking, but that the system was on hold due to the Covid-19 pandemic and wet signatures or ID cards were used in the interim. It also argued that fingerprint data was not processed directly but converted to personalized codes instead.

The Board, similar to the Court of Amsterdam, the Labor Court of Berlin and AP, decided that even if a fingerprint is converted to codes via algorithms, the data processed shall be treated as biometric data and must be processed for specified, explicit and legitimate purposes and be relevant, limited and proportionate to the purposes for which it is processed.

One important point that distinguishes this decision from previous ones about biometric data is that the Board stressed the "necessity for high security measures" for processing biometric authentication for the first time and instructed the municipality to remove the system due to the lack of necessity for high security measures and disproportionate processing.

The emphasis on the "necessity for high security measures" is quite interesting because, unlike in Germany, France and the Netherlands, there is no regulation pointing in that direction. While harmony with the decisions of other countries' boards is important, we hope the lack of regulation on that matter will be remedied immediately, because we believe creating new criteria for processing data by stretching "the proportionality principle" will eventually give way to problems.

  1. Conclusion

In light of regulations and court or board decisions across the world, employers should be mindful of the points mentioned below before processing biometric data for employee monitoring:

  • Employees' consent is subject to debates about validity because the subordination relationship is an obstacle to the free will of employees.
  • Procedures solely for processing biometric data must be prepared, employees must be informed in detail, and all measures must be taken.
  • Other, less intrusive methods must be tried for employee monitoring, such as tracking via wet signature, magnetic ID cards, QR codes, supervision, etc. The reasons for the inefficacy of those methods must be explained and documented. Finally, a risk assessment must be done with the help of an independent auditor.

Footnotes

1. https://www.bbc.com/news/technology-49418931

2. https://helpy.io/blog/data-security-lessons-the-biggest-recent-hacking-incidents-2020/

3. https://www.shrm.org/resourcesandtools/legal-and-compliance/employment-law/pages/regulation-employer-use-biometric-data.aspx

4. https://news.bloomberglaw.com/securities-law/insight-a-national-biometric-privacy-law-could-spur-litigation-wave

5. https://www.classaction.org/news/trump-chicago-hotel-facing-biometric-privacy-class-action-over-worker-fingerprint-scans

6. https://www.hklaw.com/en/insights/publications/2020/04/district-court-finds-biometrics-data-vendor-may-be-liable ; see also https://www.biometricupdate.com/201806/another-bipa-lawsuit-over-biometric-time-and-attendance-system

7. https://www.eyeonprivacy.com/2019/04/france-biometrics-fingerprint/#page=1

8. https://www.biometricupdate.com/201904/cnil-sets-rules-for-biometric-employee-time-and-attendance-systems-in-france

9. https://www.cnil.fr/fr/biometrie-sur-les-lieux-de-travail-publication-dun-reglement-type

10. https://www.dataguidance.com/notes/netherlands-national-gdpr-implementation-overview

11. https://www.akd.eu/insights/the-dutch-gdpr-implementation-act-and-the-use-of-biometric-data

12. https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBAMS:2019:6005

13. https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/the-use-of-biometric-data-in-an-employment-context

14. https://autoriteitpersoonsgegevens.nl/en/news/company-fined-processing-employees'-fingerprint-data

15. https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boetebesluit_vingerafdrukken_personeel.pdf

16. http://www.gesetze-im-internet.de/englisch_bdsg/englisch_bdsg.html#p0639

17. https://bdkadvokati.com/fingerprints-cannot-be-used-for-recording-working-hours-german-court-says/

18. https://www.reuschlaw.de/en/news/labor-court-of-berlin-data-protection-in-time-tracking-systems/

19. https://www.resmigazete.gov.tr/eskiler/2021/03/20210310-2.htm

20. https://www.kvkk.gov.tr/Icerik/6872/2020-915

21. https://www.kvkk.gov.tr/Icerik/6738/2020-167 and see also https://www.kvkk.gov.tr/Icerik/5496/2019-81-165
