International Biometric Data Laws

Post by Ariana Naranjo
April 1, 2025
As technology continues to evolve, the collection of biometric data has become increasingly common, used for everything from secure identification to workplace monitoring. Biometric data refers to personal data that could be used to identify an individual, such as a fingerprint, retina, voiceprint, and more depending on the definition outlined by a particular jurisdiction. In response, many countries around the world are adopting laws designed to protect the biometric information of consumers and workers alike.

However, as the global landscape of biometric data regulations remains in flux, the specific provisions of legal frameworks vary from one jurisdiction to another. While many countries are still developing biometric regulations, some already have broad privacy laws in place that cover the collection and use of personal information, including biometric data.

These privacy acts typically set out guidelines on how personal data should be collected, stored, and shared, aiming to safeguard individuals’ right to control their personal information. As biometric data becomes a more integral part of our daily lives, these evolving legal standards highlight the growing recognition of the need for robust protections in an era where our most personal traits are being captured and analyzed like never before.

In this blog, we’ll explore key privacy laws and regulations around biometric data from various countries outside of the United States. Then, we will discuss how your company can ensure compliance with these international laws when handling biometric data.

European Union

  • European Union’s General Data Protection Regulation (GDPR) went into effect in May 2018

The GDPR is one of the most comprehensive privacy and security laws in the world, acting as a guide for other countries as they enact similar legislation. The law extends to any processing of personal data of EU citizens, even to companies that are not in the EU but are collecting data of EU residents.

Consent and opt-out: Companies must obtain permission from users before using their personal data. Consent must be informed, explicit, specific, and freely given, meaning that companies cannot require consent to data processing as a condition of using the service. Additionally, it must be easy for data subjects to withdraw consent at any time.

Transparency: Any information or communication relating to the processing of personal data should be easily accessible and easy to understand.

Retention: Companies that process biometric information must not retain that data for longer than is “necessary,” where the permitted length depends on the specific purpose of each processing activity. The chosen retention period must be justified, and that decision must be documented in a data retention schedule.

Private Right of Action allowed: Yes.

Penalties: Severe violations of the EU GDPR may be subject to fines up to EUR 20 million or 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.

United Kingdom

  • The UK General Data Protection Regulation (UK GDPR) is implemented within the Data Protection Act 2018

The UK GDPR sets stringent rules domestically for handling biometric data, which is carved out in the regulation as a special category of personal information when you process it “for the purpose of uniquely identifying a natural person.” Its core principles are nearly identical to those set out in the EU GDPR, which used to be fully implemented into UK law until the end of 2020, when it was replaced by the UK GDPR following Brexit.

In contrast to the extraterritorial reach of the EU GDPR, these data protections are specific to the UK in their application. Modifications for the UK version were generally made to fit the legal principles of the UK in a domestic context, replacing references to entities such as the European Parliament and the European Council with UK institutions. All mentions of the supervisory authority in the EU GDPR were replaced with the Information Commissioner’s Office (ICO).

The UK’s data privacy regulator issued new guidance for companies to comply with when collecting and using biometrics in the workplace. Building upon existing biometric law in the UK, the guidance details the actions it expects businesses to take to meet these legal requirements, as well as recommended best practices. These actions include:

  1. Adopting a protection-by-design approach through encryption of biometric data used, determining whether biometric data usage is necessary, and more.
  2. Completing a Data Protection Impact Assessment (DPIA) prior to using biometric recognition. The DPIA must remain under review and be updated throughout the lifecycle of the system.
  3. Ensuring “specified and informed” consent is received from the users. Consent must be separate from the terms and conditions document users may sign elsewhere, though it need not be given in writing. Workers must be able to easily withdraw their consent at any time without detriment.
  4. Offering workers alternatives to biometric recognition systems, for example a choice between biometric recognition and a PIN/password system for access.

These requirements of the guidance are legally binding, while its other recommendations are best practice only. In addition to this new guidance, the ICO announced enforcement action against Serco, a major UK employer, for unlawfully using fingerprint scans to track worker attendance. In a related statement, the ICO warned businesses that biometric technology must be used responsibly, demonstrating its tough stance on unauthorized employee monitoring.

Canada

Canada’s Privacy Act is federal legislation that protects the personal information of Canadians in the hands of the Canadian government. Under this federal Privacy Act, biometrics must only be collected directly from the individual to whom they relate and used solely for the intended purposes established, with few exceptions.

PIPEDA sets the ground rules for how private-sector organizations collect, use, and disclose personal information during for-profit commercial activities across Canada. It applies to the personal information of workers of federally regulated businesses.

Businesses subject to the Act must follow these ten fair information principles to protect personal information:

  1. Accountability
  2. Identifying purposes
  3. Consent
  4. Limiting collection
  5. Limiting use, disclosure, and retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual access
  10. Challenging compliance

Consent and opt-out: Organizations are generally required to obtain meaningful consent for the collection, use, and disclosure of personal information. Consent can only be required for collections, uses or disclosures that are necessary to fulfil an explicitly specified and legitimate purpose. For non-integral collections, uses and disclosures, individuals must be given a choice. Individuals must be able to withdraw consent at any time.

Transparency: Organizations must make information relating to their data handling policies and practices available. Public policies should be easy to access and understand. Affected individuals must be made aware of these policies and practices.

Retention: Organizations must keep personal information only as long as it is needed to serve the identified purposes for which it was collected.

Private Right of Action allowed: No.

Penalties: Organizations can face fines up to CAD 100,000 for each violation.

In October 2023, the Office of the Privacy Commissioner of Canada (OPC) initiated a public consultation on new draft guidance regarding biometric technologies. This draft aligns with the core principles of the Personal Information Protection and Electronic Documents Act (PIPEDA), including consent, limiting data collection and use, ensuring necessity of purpose, and other privacy safeguards. It goes a step further to detail clearer steps for organizations to follow in protecting biometric data. While the official enactment of these guidelines is yet to occur, the draft signals the government's growing recognition of the need for further legislation.

  • Quebec’s Law 25 went into effect September 2023

Enacted as an amendment to Quebec’s Information Technology Act, Law 25 modernized Quebec’s data privacy framework and aligned it with more stringent global standards such as the General Data Protection Regulation (GDPR) in the European Union.

Consent and opt-out: Organizations need explicit and informed consent from individuals before deploying any technology that tracks personal information, including cookies. Individuals have a right to withdraw their consent at any time.

Transparency: Companies are required to provide clear and easily accessible information on how they collect and use personal data, as well as inform individuals of their rights regarding the data.

Retention: The law emphasizes the importance of collecting only the essential data for the intended purpose. Organizations must avoid excessive data collection and retain only relevant information.

Private Right of Action allowed: Yes.

Penalties: Organizations that violate this law may be subject to penalties ranging from CAD 5,000 to CAD 50,000 for natural persons. In all other cases, fines may range from CAD 15,000 to CAD 25,000,000 or 4% of the previous year's global turnover, whichever is greater.

Furthermore, organizations are required to disclose any process involving biometric information to the Commission d’accès à l’information du Québec (CAI) no later than 60 days before it is put into use. Organizations are also required to assess the privacy-related factors of any project involving the collection, use, communication, retention or destruction of personal information by conducting a Privacy Impact Assessment (PIA).

New Zealand

The Privacy Commissioner recognizes a need for specific rules for biometrics to protect people’s special biometric information, guard against risks, and ensure it is used safely. In April 2024, the Commissioner developed an exposure draft of a biometrics code of practice followed by a broad public consultation to allow feedback. It included three new rules: a proportionality requirement, additional notification and transparency requirements, and fair processing limits that restrict some uses of biometric classification.

Following the submission of feedback from the public, the Privacy Commissioner announced in December 2024 his intention to issue a Biometric Code.

Australia

Under Australia’s Privacy Act, biometric data is sensitive information that requires initial consent and a high level of privacy protection if the Act covers the organization or agency collecting it. However, Australian law still maintains the ‘small business’ exemption, which exempts many Australian businesses from its provisions. This illustrates a possible shortcoming of Australian legislation regarding biometric data: the Privacy Act 1988 does not wholly address the need to mitigate the wide range of risks that biometrics introduce.

In response, the Attorney General released a Privacy Act Review Report on February 16, 2023, noting that rapid technological change has raised broader questions about how data collection affects other sectors of society. Australia is in the process of reforming its Commonwealth data privacy law to apply more precisely to current developments in biometric data.

Puerto Rico

Puerto Rico has not passed any laws relating to biometric data and privacy protections specifically. However, as a US territory, Puerto Rico is subject to federal US laws that may intersect with biometric data.

To learn more about biometric data regulations in the United States, check out our blog post U.S. Biometric Data Law.

Final Thoughts

Some of the most common uses of biometric data in the workplace include:

  1. Physical Access Control: Using fingerprints, facial recognition, or iris scans to grant access to restricted areas like server rooms or secure facilities.
  2. Time and Attendance Tracking: Utilizing biometric scanners to accurately record employee hours, eliminating errors and preventing issues like ‘buddy punching.’
  3. System Logins: Using biometric authentication, such as facial recognition or fingerprints, to access work computers and systems instead of traditional passwords.
  4. Worker Identification Verification: Confirming employee identities for purposes like payroll and security checks.

Determining whether your company can implement technologies that process biometric data depends on the geographic scope of the individuals whose data will be collected, used, and stored. While regulations vary by region, common principles remain consistent worldwide, emphasizing the importance of consent, transparency, data retention, risk assessment, and thorough documentation.

Companies must ensure compliance with these regulations to avoid potential legal issues. Navigating the intricacies of these legal requirements, however, can be complex and time-consuming. Laws vary by jurisdiction, and keeping up with the latest updates can be overwhelming.

At TCWGlobal, as a global Employer of Record (EOR), we understand the complexities of data privacy internationally and can help you remain up to date on biometric data laws as you grow your contingent workforce. Whether it’s ensuring compliance with consent protocols, security standards, or retention policies, we stay informed on the specifics so that you don’t have to tread the tricky terrain on your own.

With the increasing use of biometric data in the workplace, it’s more important than ever to ensure that your organization is handling it responsibly and securely. TCWGlobal is here to help.

Ariana Naranjo is a passionate writer with a keen interest in workforce trends and HR policies. She enjoys turning complex topics into engaging, insightful content for readers.