The compliance of facial processing in France with the article 9 paragraph 2 (a) (g) of (EU) general data protection regulation

However, the study agrees with the CNIL position that alternative identification measures should be provided if biometric recognition is not desired. Biometric technology should safely and accurately identify a person who owns a personal e-cabinet of digitised identity. The study believes that a person's consent should not be based on whether they agree to facial recognition but rather on whether they want to use it as a protective measure for their digitised legal identity. Refusing facial recognition will lead to the rejection of a pass to the electronic service and one's digitized identity. However, biometric identification is considered a protective measure of digitised legal identity. In that case, it should be optional, and a person should have the freedom to choose whether they want it or not. This approach confirms that the goal of securing a digitised identity is committed and directly proportional to the purpose and interests concerned.

Conclusions

For the effective functioning of digitised legal identity in the context of legalised identification, it is necessary to have reliable legal mechanisms to ensure biometric protection. The Member-States must implement appropriate technical and organizational measures to safeguard the identity ecosystem effectively, especially when determining facial data. Under the Alicem case, the purpose of the unique identification is to offer the issuance of electronic titles, allowing users to identify a personality in digital means and to authenticate themselves by employing terminal equipment fitted with a contactable reading device of a static and dynamic facial recognition system. Constantly peering on a French stipulation on employing facial recognition as a tendency to maintain admittance to digitized legal identity consecutive by application Alicem, the manuscript ascertained that the government's Decree n° 2019-452 prominently commissioned the invention of unique automatic identification. Based on that, France reconsidered how to prove a person's credentials by fulfilling legal identity through facial recognition, which is authorised because the processing is necessary for a substantial public interest, which is commensurate to drive disposition of the right to data conserving, and delivers expedient and thorough dimensions to fend this fundamental right and the interests of the data subject under GDPR Article 9 para ^{2 (a) (}g⁾.

The study identified five key elements of Alicem's practice in France:

1. Satisfaction of the public interests: The biometric data processing by Alicem is for the public, which means it is intended to supply a service that is in the public interest. In this case, the service is the issuance of electronic titles, which enables users to identify themselves digitally and authenticate themselves by operating a terminal supply equipped with a contactable reading device of a static and dynamic facial recognition system.

2. Free consent: A person gives a license for processing biometric data. This means that users are not required to use Alicem, and they can choose whether to agree or not to provide their biometric data for the service. This approach is consistent with the GDPR's requirement that consent must be freely given, specific, informed, and unambiguous.

3. Respect for human dignity: The study found that Alicem respects human dignity because of the minimum reliability and accuracy of the algorithm used. This denotes that the technology is designed to minimize the risk of errors or false identifications, potentially harming an individual's reputation or dignity.

4. User control: Alicem is recorded on the user's mobile equipment using the ANTS leading technology-driven integrated programmatic advertising platform, allowing a person exclusive storage control. This indicates that users have complete control over their biometric data and can delete it anytime.

5. Necessity and proportionality: The study found that biometric data processing by Alicem is necessary and proportionate to the purpose of the service. The purpose of the service is to enable French and foreign nationals to identify themselves electronically, which is a legitimate public interest. The study concludes that facial distinction is a proportionate means of achieving this purpose.

Recommendations for national law of EU Member-States. Biometric data differs from access codes because it cannot be changed once disclosed and uniquely identifies a person. As a result, someone could be recalled without their knowledge based solely on their biometric characteristics. This poses a significant risk to data protection because biometric data is repeatedly used to authenticate online activities, such as accessing applications or services. Moreover, if someone's biometric data is disclosed, they could lose control over their identity, leading to negative consequences. Therefore, France has taken a case-bycase regulation approach to anticipate and address these risks. The examination suggests that authenticating the user's identity via unique facial characteristics offers distinct guaranteed security and reliability system levels to achieve a reliable digital legal identity. Therefore, the processing of biometric data authorized by the contested Decree n° 2019-452 must be seen as being given with consent, as it is necessary for the digital ecosystem and maintained for the intended purpose of proving who the user is.

The manuscript concludes that the French government has established a trustworthy official national approach to perpetrating digital identity by implementing regulatory measures for processing techniques. France has taken steps to implement provisions concerning the processing of exceptional personal data, explicitly stressing facial recognition technology. The technology has been beneficial in providing secure and efficient access to e-services, but France must guarantee compliance with legal requirements and the protection of individuals' unique data through necessary technical and organizational measures. The study identifies several conditions that must be met for the responsible use of biometric data processing. First, there must be an assessment of the necessity for biometric data processing while considering the principle of proportionality, particularly concerning biometrics. Second, national legislation should further restrict the processing of biometric characteristics due to their impact on human dignity. Third, national regulations should prohibit commercialising human body elements, as biometric technology can be exploited for financial gain. Finally, biometric technology for identification should only be used as a last resort when other identification methods are ineffective.

Recommendations for organisational and technical experts. When people use a phone with a biometric tool, they process their unique attributes to ensure their safety through strong-willed decisions. This approach is called user-centric or human-centric in the European Union, where the person feels in control of their data. To minimise the data collected in biometrics, the study suggests using a two-fold math-substantiated description of the unique data based on an investigation of the minutiae, which habitually ends and produces bifurcations of elevations. To complete the storage limitation prerequisites, the template cannot be backside masterminded into a design concerning a fingerprint, and the hardware-based perception conformity is used where the details are deposited on a definite theme of the tool and run with the held device to admit the data without caching the data approaching single device itself. This grants the attached rejoinder throughout user authentication since the biometric templates remain to be stored sectional, and thus the recognition scheme does not demand unspecified outer response. A portable token system uses a fob or a smart card to store biometric data. Ashish Dabas, Shalini Bhadola, and Kirti Bhatia, “Storage of Biometric Data in Database,” International Journal of Trend in Scientific Research and Development 3, no. 3 (2019): 1001, http:// dx.doi.org/10.31142/ijtsrd23146. The person's data is seized and stored inside the token for future need.

To comply with GDPR Article 9 para 2 (a) (g) when processing facial data, it is advised to operate biometric templates that cannot stand reverseengineered into a hardware perception. This confirms reliable user authentication since the biometric templates are stored separately. A portable token system, such as a fob or a thoughtful card, can store biometric data that was one-time captured, eliminating the need to convey the data over a network. This method reduces the risks of networkrelated vulnerabilities. To attest to the user, biometric data is presented as a two-step authentication process commonly used on smartphones. The biometric data is stored on-device through a chip separate from the device's shape. This approach guarantees user biometric data protection, privacy, and security while complying with GDPR.

Recommendations for law practitioners. The use of biometric data for processing must be lawful and under the user's control. However, the current conditions of biometric services often involve data collection and intensive use, which goes against GDPR Article 9(1). The user should be the main element in determining the lawfulness of the treatment of their data. It is disingenuous to force users to accept the processing of their biometric data by default, as it violates their right to privacy and security. Users should have the ability to configure their settings and reject unwanted advertising. This is essential for protecting a person's liberty and right to be secure in a digital environment encircled by the GDPR's framework for automatic processing. The manuscript argues that there is a risk of confusion when it comes to a person's rights regarding biometrically digitized tools. Specifically, the GDPR Article 9(1) does not apply to the protection of a person using a personal device with biometric functionality for two reasons. Firstly, when people exercise their rights under Article 6, Charter of the Fundamental Rights of the European Union, they make decisions related to purely personal activity. Secondly, a biometric is not involved in processing such a device. Therefore, the legal regime applicable to biometric identification is confined by the mode of storage used.

The research identifies two different legal protections that may apply depending on the storage of the device where biometric data is processed. Firstly, suppose the biometric tool is integrated into a smartphone and operates autonomously in an enclave that is not accessible from the outside. In that case, it may fall outside the scope of the GDPR as it applies to the automated processing of personal data. However, for this exemption to apply, the biometric data must remain in the control of the person concerned and meet certain criteria, such as being used for private purposes, being encrypted, and transmitted to indicate the success or failure of biometric authentication. Secondly, suppose the biometric device of the smartphone interacts with remote servers where the biometric template is stored. In that case, authorization from the CNIL or else body respectively is necessary to set up this type of device. This type of biometric device does not benefit from the exemption since the control of the biometric template is delegated to a third party. As the risks for the data subject are higher, authorization from the CNIL or another body is also necessary to ensure appropriate technical measures are taken to protect the confidentiality of the biometric templates. However, it is important to document that both types of biometric devices in smartphones present significant risks to the privacy of the persons concerned, as biometric data is not immune to hacking, whether it is stowed on a smartphone or a remote server.

Acknowledgement. The authors would like to express their deepest gratitude for the fact that the related to this manuscript research on “The Case Study about Facial ALICEM Identification under GDPR Article 9(2, g)” was presented for the 9^th International Ph.D. and Young Researchers Conference “Everything You Always Wanted to Know About Law (But Afraid to Ask)” at Vilnius University, Faculty of Law, Vilnius, Lithuania, 2-3 June 2022.

Bibliography

1. European Parliament and the Council. “Regulation (EU) 2016/679 on the Protection of Natural Persons with Regard to the processing of Personal Data and On the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation).” Official Journal of the European Union. Law 119/1 (4 May 2016).

2. France. Council of State. Decree n° 2019-452 of 13 May 2019, authorizing the creation of electronic identification means

3. Amankwaa, Aaron Opoku. “Trends in Forensic DNA Database: Transnational Exchange of DNA Data.” Forensic Sciences Research 5, no. 1 (2020): 8-14. https://doi.org/10.1080/209617 90.2019.1565651.

4. Dabas, Ashish, Shalini Bhadola, and Kirti Bhatia. “Storage of Biometric Data in Database.” International Journal of Trend in Scientific Research and Development 3, no. 3 (2019): 1001-4. https://doi.org/10.31142/ijtsrd23146.

5. Hermstruwer, Yoan. “Contracting around Privacy: The (Behavioral) Law and Economics of Consent and Big Data.” Journal of Intellectual Property, Information Technology and Electronic Commerce Law 8 (2017): 9-26. https://www.jipitec.eu/issues/ jipitec-8-1-2017/4529/JIPITEC_8_1_2017_Hermstruewer.pdf.

6. Hildebrandt, Mireille. “Law as Information in the Era of DataDriven Agency: Law as Information.”Modern Law Review 79, no. 1 (2016): 1-30. https://doi.org/10.1111/1468-2230.12165.

7. Kamarinou, Dimitra, Christopher Millard, and Jatinder Singh. “Machine Learning with Personal Data.” Queen Mary School of Law Legal Studies Research Paper 247/2016, November 7, 2016.

8. Krausova, Alzbeta. “Online Behavior Recognition: Can We Consider It Biometric Data Under GDPR?” Masaryk University Journal of Law and Technology 12, no. 2 (2018): 161-78. https://doi.org/10.5817/MUJLT2018-2-3. called “Certified online authentication on mobile.” Authenticated Official Electronic Journal 0113 (16 May 2019).

9. France. Council of State. 10th - 9th chambers combined, Case No. 432656; ECLI:FR:CECHR:2020:432656.20201104, 4 November 2020.

10. France. National Commission for Informatics and Liberty. Deliberation n° 2018-342 of 18 October 2018. Authenticated Electronic Official Journal 0113 (16 May 2019).

11. Krivogin, Maxim. “Peculiarities of Legal Regulating Biometric Personal Data.” Law. Journal of the Higher School of Economics no. 2 (2017): 80-89.

12. Macenaite, Milda. “The `Riskification' of European Data Protection Law through a Two-Fold Shift.” European Journal of Risk Regulation 8, no. 3 (2017): 506-40. https://doi.oig10.1017/err.2017.40.

13. Milaj, Jonida. “Privacy, Surveillance, and the Proportionality Principle: The Need for a Method of Assessing Privacy Implications of Technologies Used for Surveillance.” International Review of Law, Computers & Technology 30, no. 3 (2016): 115-30. https://doi.org/ 10.1080/13600869.2015.1076993.

14. Schneider, Giulia. “Health Data Pools under European Policy and Data Protection Law: Research as a New Efficiency Defence?” Journal of Intellectual Property, Information Technology, and Electronic Commerce Law 11 (2020): 49-67.

15. Wang Han, Sarah, and Abu Bakar Munir. “Practitioner's Corner * Information Security Technology - Personal Information Security Specification: China's Version of the GDPR?” European Data Protection Law Review 4, no. 4 (2018): 535-41. https://doi.org/ 10.21552/edpl/2018/4/19.

16. Zhao, Bo, and Jeanne Mifsud Bonnici. “Protecting EU Citizens' Personal Data in China: a Reality or a Fantasy?” International Journal of Law and Information Technology 24, no. 2 (2016): 128-50. https://doi.org/10.1093/ijlit/eaw001.

Размещено на Allbest.ru