Banking entities may continue to use the biometric data of their clients, such as fingerprints or facial recognition, as an authentication method to carry out operations. But in no case will they have the right to demand that information at the time of opening an account. This is concluded by the Spanish Data Protection Agency (AEPD) in a report presented on Friday by its legal office, in which it is made clear that said data can only be requested on a voluntary basis.
As EL PAÍS has learned, the aforementioned report responds to a project presented within the framework of the so-called sandbox o test bed for the digital transformation of the financial sector, a safe environment to test technological innovations in the field of fintech before its commercialization launched last year by the Government and in which the AEPD participates. A bank, whose identity the agency cannot reveal, proposed “the treatment of facial recognition data at the time of client registration at the office or through a channel on-line in order to verify their identity and thus carry out the appropriate verifications (…) for the prevention of money laundering and the financing of terrorism (…), as well as for the control of fraud ”, the report reads.
The answer is overwhelming. As to date there is no law that specifies the cases in which it is possible to appeal to the general interest to request biometric data, nor that establishes the necessary guarantees and safeguards, the privacy of citizens must prevail. “The proposal for data processing based on facial recognition for identification purposes (…) lacks a legitimate basis (…) and is contrary to the principles of necessity, proportionality and minimization.” In silver: customers cannot be asked to provide their biometric data if they do not want to.
The reports of the AEPD’s legal office set the criteria that the agency will follow in case of conflict. In other words, it is a warning to navigators that if there is a complaint on this particular issue, the affected entity will have the upper hand.
The arguments put forward by the AEPD are similar to those set forth in the Constitutional Court ruling that overturned the regulations that allowed political parties to create ideological profiles of citizens. “The Constitutional Court has already said that although there is a general prohibition to process biometric data, in case there was an essential public interest it could be done. But the assumptions, the organizational measures to protect the data, the guarantees, etc., would have to be set very clearly by law ”, underlines Borja Adsuara, an expert in Digital Law and one of the promoters of the aforementioned appeal before the Constitutional Court. The appeal was won: the sentence took only two months to be published and overturned the regulations unanimously by the magistrates.
The AEPD report also cites the case of Mercadona. Last year, the supermarket chain launched a network of surveillance cameras equipped with a facial recognition system in 40 establishments in Mallorca, Valencia and Zaragoza. Its objective, as revealed by the company, was to identify registered criminals. The Provincial Court of Barcelona ruled in February of this year that “the level of intrusion into the lives of those concerned” was disproportionate. The company was urged to retire the system. “The same people who filed the appeal before the Constitutional Court for the political parties said that Mercadona seemed excessive to us: to identify four thieves it is not necessary to take the biometric data of all the clients. That smelled bad. And they have proved us right, ”says Adsuara.
Facial identification and fingerprint
Bank mobile applications are steadily stealing more prominence from bank branches. Almost everything can be done today from mobile. To streamline procedures and save customers from memorizing passwords, some entities today offer the option of entering their respective apps with your fingerprint or with your face recognition. Both methods are possible thanks to the sensors that the latest generation smartphones incorporate and their use is increasing, both in the banking sector and in others.
BBVA became the first bank in June to allow face deals to be signed. Other entities, such as Banco Santander, incorporate fingerprint recognition as an additional security measure to carry out some operations, including validating purchases on-line. All this may continue to be done on a voluntary basis: what the AEPD report specifies is that customers cannot be forced to provide biometric data.