During the month of June 2024, a press release from the Côte d’Ivoire Personal Data Protection Authority (ARTCI) highlighted a growing problem: the use of biometrics as a means of controlling employee access and presence in the public and private sectors. Through this press release, ARTCI points out that this practice must comply with Law no. 2013-450 of June 19, 2013 on the protection of personal data, which aims to protect citizens’ freedoms and privacy.
ARTCI’s main argument is that the use of biometrics is often disproportionate to the objectives pursued by companies and institutions. The collection and processing of biometric data, which includes highly sensitive information such as fingerprints, retinal scans or facial recognition, must be justified by a compelling and proportionate need.
To understand the scope of this press release, which serves as a warning and formal notice, it is useful to analyze the legal regime governing sensitive data, and in particular biometrics, and to consider the best practices to be implemented by Ivorian employers.
Biometrics in Ivorian regulations on the protection of personal data
Biometrics is the process of verifying and authenticating an individual’s identity using unique characteristics inherent in the person (face, gait, fingerprint, voice, etc.). Because it involves very personal, even intimate, information about individuals, this process is generally included in the list of sensitive data, namely:
- Racial or ethnic origins;
- Political opinions;
- Religious or philosophical beliefs;
- Union membership;
- Genetic and biometric data used to uniquely identify a person;
- Data concerning health;
- Data concerning a person’s sex life or sexual orientation.
These data may only be processed or collected within the very restrictive framework laid down by law.
Thus, Article 7 of the Ivorian Law no. 2013-450 of June 19, 2013 on the protection of personal data stipulates in particular that the processing of personal data including biometric data must be subject to prior authorization before any implementation.
Indeed, according to Ivorian regulations, the use of biometrics must be authorized in advance by the Ivorian Data Protection Authority (ARTCI), and when this is the case, must comply with the principles intrinsic to all processing of personal data, namely the principles of lawfulness, transparency, proportionality, limitation of storage, integrity and confidentiality, responsibility and respect for the rights of the person concerned.
So it comes as no surprise that the Ivorian Data Protection Authority has reiterated that the use of biometrics without prior authorization is prohibited, and warned that its use to gain access to the workplace and/or to monitor attendance was disproportionate to its purpose.
The Ivorian Protection Authority’s stance is perfectly understandable insofar as employers resorting to this process do not justify the imperative nature of using biometrics in this specific case, when there are other, less invasive means of controlling access to the workplace.
Use of Biometrics: Best Practices and International Examples
ARTCI’s press release on the use of biometrics to gain access to the workplace and/or monitor attendance time has prompted reflection on the question of good practice in this area, and on the role of the Protection Authority, which is to draw up rules of conduct relating to the processing and protection of personal data (see Article 47 of Ivorian law).
The recommended best practices, which take account of the local context, are of a regulatory and operational nature, as follows:
- Companies should assess the proportionality of the use of biometrics, comparing the benefits of this technology with the potential risks to privacy.
- Employers should obtain explicit consent from their employees for the use of biometrics, providing clear and detailed information on the purpose of the collection, the duration of data retention, the security measures in place, and the rights of individuals. This consent process must be well documented, and employees must be able to withdraw their consent at any time without suffering negative consequences.
- The employer must justify the implementation of robust technical and organizational security measures to protect this data, and the regular auditing of biometric data processing systems.
- Companies should limit the collection of biometric data to cases where it is absolutely necessary, and explore less invasive alternatives. For example, biometrics could be reserved for areas requiring enhanced security, while other simpler authentication methods could be used elsewhere.
- In addition, data controllers could use alternative measures such as the following (non-exhaustive):
  - Use digicodes
  - Keeping biometric data under the exclusive control of the data subject for purposes other than monitoring working hours
  - Badge systems (with QR codes or bar codes)
  - Digital Access Controls (Passwords and PIN Codes).
As a consequence, in the light of the few alternative measures mentioned, the use of biometrics for time & attendance purposes alone is inappropriate, or even outlawed.
In Europe, several countries have implemented best practices for the use of biometrics in compliance with the GDPR:
CNIL, the French data protection authority, like BfDI in Germany, imposes strict guidelines on the use of biometrics, limiting it strictly to protect employees’ rights, requiring rigorous justification and prohibiting its use for attendance control except in cases of proven necessity and after consultation with the authority.
In France, for example, the CNIL has drawn up a Model Regulation on Biometrics.
On the American continent, the United States has no single federal data protection law equivalent to the Ivorian law or the GDPR, but sector-specific laws exist, such as the Health Insurance Portability and Accountability Act (HIPAA) for health data and the Genetic Information Nondiscrimination Act (GINA) for genetic data. These laws impose strict obligations on the processing of sensitive data.
These examples show that biometrics can be used securely and legally, but only when it is proportionate, justified and backed up by maximum protection measures.
Some African countries, such as Senegal, Morocco and Kenya, are striving to put in place a legal framework to protect biometric data. In fact, they began with a gradual approach, notably by securing identity documents, before moving on to examine in greater depth the issue of the use of biometrics outside national identity documents.
Our advice:
ARTCI’s press release is an important reminder of the risks associated with the use of biometrics without proper regulation. By adopting GDPR-inspired practices such as data minimization, explicit consent, proportionality, and enhanced security, Ivorian companies can not only comply with local legislation, but also guarantee the protection of their employees’ rights and the confidentiality of their personal data.
ARTCI, for its part, could consider providing more detailed guidelines, such as a model regulation along the lines of the CNIL for Biometrics or other personal data processing, and promoting regular audits to ensure compliance with the law. As its press release serves as a warning and formal notice, it is not impossible that sanctions will be imposed following an inspection by the Ivorian Data Protection Authority.