Biometric Personal Data Regulation in Russia: A Comparative Analysis with International Standards
December 3, 2023
BRACE Law Firm ©
Due to the development of digital technologies, the use of biometric data (distinctive physical characteristics of a person) for identification purposes is becoming increasingly widespread.
Many smartphone and laptop users are familiar with facial or fingerprint recognition. Various companies (referred to in Russian legislation as "Personal Data Operators") actively use photographic images and voice data: banks use them when issuing loans and bank cards; fitness clubs use them for memberships; educational institutions use them for issuing passes, etc.
In this article, we examine what is understood by biometric personal data within the context of Russian and European regulation, and the conditions under which it can be processed.
What is Biometric Personal Data?
According to Article 3 of Federal Law No. 152-FZ dated July 27, 2006, On Personal Data (the "Personal Data Law", the "Law", or "Law No. 152-FZ"), personal data refers to any information relating to a directly or indirectly identified or identifiable natural person (the "Personal Data Subject").
The Personal Data Law distinguishes several categories of personal data:
- general;
- special;
- biometric.
Biometric personal data refers to information that characterizes the physiological and biological characteristics of a person, based on which their identity can be established (Part 1 of Article 11 of Law No. 152-FZ). Based on the provided definition, personal data constitutes biometric data if it:
- characterizes the physiological and biological characteristics of a person;
- is used by the operator to establish the identity of the personal data subject.
These characteristics must be present in aggregate. Thus, to determine whether personal data is biometric and what the conditions for its processing are, an operator should assess whether the data characterizes the physiological and biological characteristics of a person, and whether it is used for human identification.
Types of Biometric Personal Data
Law No. 152-FZ does not list specific types of biometric data. In practice, these include photographic and video images of a person, dactyloscopic data, information about the iris of the eye, DNA analysis results, and voice data. However, such information is not recognized as biometric personal data in every case. Let us consider each type in more detail through the prism of legislation and the positions of the regulatory authorities.
1. Photographic and video images of a person.
In the opinion of Roskomnadzor, [1] photographic images used to provide single and/or multiple entry to a protected territory and to establish the identity of a citizen relate to biometric personal data. In turn, a photograph stored in an employee's personal file, or video filming on a protected territory or in public places, does not constitute biometric data, since it is not used for identification purposes.
To illustrate this with an example from judicial practice: the St. Petersburg City Court held that the plaintiff's image, placed on cosmetic products, did not constitute biometric personal data, since it could not be used to establish his identity. [2]
Also, according to Roskomnadzor clarifications, X-ray or fluorographic images kept in a patient's medical record are not biometric personal data, since the medical institution uses them for the patient's treatment rather than for establishing identity. Although these clarifications have since been revoked, one can fully agree with them. [3]
2. Dactyloscopic information (data on the characteristics of the structure of papillary patterns of a person's fingers and/or palms).
Federal Law No. 128-FZ dated July 25, 1998, On State Dactyloscopic Registration in the Russian Federation (the "Law No. 128-FZ"), directly classifies fingerprints and palm prints of a person as biometric personal data. Authorized executive bodies and federal state institutions carry out their processing, and they are used in the following cases:
- searching for missing persons;
- identifying an unidentified body;
- establishing the identity of persons who, due to their state of health or age, are unable to provide data about their identity or do not have identity documents;
- confirming the identity of citizens of the Russian Federation, foreign citizens, and stateless persons;
- preventing, detecting, and investigating crimes, as well as preventing and detecting administrative offenses.
According to the regulatory body, the use of dactyloscopic information by other personal data operators — including for the implementation of single/multiple entry to a territory — carries signs of an administrative offense provided for by Part 1 of Article 13.11 of the CAO RF, Processing personal data in cases not provided for by the legislation of the Russian Federation in the field of personal data.
3. Genomic information.
Genomic information has similar legal regulation. In accordance with Article 1 of Federal Law No. 242-FZ dated December 3, 2008, On State Genomic Registration in the Russian Federation, genomic information refers to biometric personal data, including coded information about certain DNA fragments of a natural person or an unidentified body.
The following are subject to mandatory state genomic registration:
- persons convicted of and serving a sentence of imprisonment for committing crimes;
- unidentified persons whose biological material was seized during investigative actions;
- persons suspected of committing crimes, or accused of committing crimes;
- unidentified bodies.
We note that, despite the large number of clarifications from authorized bodies, there is no uniform position on whether particular information qualifies as biometric data; this causes disputes in each specific case, which the courts resolve differently.
Conditions for Processing Biometric Personal Data
Only one article, Article 11 of the Personal Data Law, is dedicated to the legal regulation of biometric personal data processing.
1. As a general rule, processing of biometric data is permitted with the consent of the personal data subject.
The consent must be expressed in writing and must include the following mandatory information:
- the surname, name, patronymic, and address of the personal data subject, the number of the main document certifying his identity, information about the date of issue of the specified document and the body that issued it;
- the surname, name, patronymic, and address of the representative of the personal data subject, the number of the main document certifying his identity, information about the date of issue of the specified document and the body that issued it, details of the power of attorney or other document confirming the powers of this representative (when obtaining consent from a representative of the personal data subject);
- the name or surname, name, patronymic, and address of the operator receiving the consent of the personal data subject;
- the purpose of processing the personal data;
- a list of personal data for the processing of which the personal data subject provides consent;
- the name or surname, name, patronymic, and address of the person carrying out the processing of personal data on behalf of the operator, if processing is delegated to such a person;
- a list of actions with personal data for the performance of which consent is given, and a general description of the methods of processing personal data used by the operator;
- the term during which the consent of the personal data subject is valid, as well as the method of its withdrawal;
- the signature of the personal data subject.
Consent in the form of an electronic document signed with an electronic signature is recognized as equivalent to consent on paper.
From March 1, 2021, it is necessary to draw up a separate consent for the dissemination of personal data, including biometric data. The requirements for the content of such consent for dissemination were approved by Roskomnadzor Order No. 18 dated February 24, 2021. [4]
We note that a personal data operator is not entitled to refuse service in the event of a refusal to provide biometric data or to give consent to the processing of personal data, if obtaining such consent is not mandatory in accordance with the law.
2. Without obtaining the consent of the personal data subject, processing of biometric personal data is permitted in the following cases:
- in connection with the implementation of international readmission treaties ("readmission" is the consent of a state to the return of its citizens who are subject to deportation from another state);
- in connection with the administration of justice and the execution of judicial acts;
- in connection with the conduct of mandatory state dactyloscopic registration and state genomic registration;
- in cases provided for by the legislation of the Russian Federation on defense, security, anti-terrorism, transport security, anti-corruption, operational-investigative activities, state service, the notary system, criminal-executive legislation, legislation on the procedure for exit from and entry into the Russian Federation, and on citizenship of the Russian Federation.
Thus, before starting work with biometric personal data, an operator must assess whether it has legal grounds for its processing.
Identification and Authentication Using Biometric Personal Data
On December 29, 2022, Federal Law No. 572-FZ, On the Implementation of Identification and (or) Authentication of Natural Persons Using Biometric Personal Data (the "Law No. 572-FZ"), was adopted. This Law introduced the concept of the "Unified Biometric System" (the "EBS"). This is a state information system that allows for the authentication and identification of a person by face and (or) voice.
The following are placed and processed in the Unified Biometric System:
- biometric personal data (the image of a person obtained using photo/video devices, and the recording of a person's voice obtained using a sound-recording device);
- vectors of the unified biometric system (personal data obtained as a result of the mathematical transformation of the biometric personal data of a natural person). We note that the provisions of Law No. 152-FZ on the procedure for processing and protecting personal data do not apply to vectors.
Let us consider the main rules for working with biometric personal data established by Law No. 572-FZ.
1. Since June 1, 2023, it is prohibited to collect biometric personal data outside the Unified Biometric System. An operator that wants to process the biometric personal data of clients and employees must undergo accreditation and connect to the EBS. A fee will be charged for the use of data placed in the EBS.
We clarify that the Personal Data Law refers only to the processing of biometric data by automated systems. If biometric personal data is processed by a non-automatic method — for example, used on a pass for entry into a territory — it is not transferred to the EBS.
2. Until September 30, 2023, personal data operators that collected biometric data were obliged to transfer it to the Unified Biometric System and notify the personal data subject.
No later than 30 days before the planned placement of data in the EBS, the operator is obliged to notify the personal data subject of such placement in any form that allows for confirming the fact of receipt of the notification. If objections are received before the expiration of the specified period, placement is not carried out. After placing the data in the EBS, the Operator is obliged to destroy the biometric data stored in its information systems within 30 days.
3. Placement of biometric personal data in the EBS is carried out with the consent of the personal data subject.
A personal data subject can place his biometric personal data in the EBS:
- at banks and MFCs, in person, after their identity has been established;
- through the special "Gosuslugi Biometriya" mobile application.
The transfer of biometric personal data is carried out after signing a consent for the placement and processing of biometric personal data.
A refusal by a natural person to undergo identification and (or) authentication using his biometric personal data cannot serve as a ground for refusing to provide state, municipal, or other services, performing state or municipal functions, selling goods, performing work, or refusing to accept for service (Part 13 of Article 3 of Law No. 572-FZ).
Furthermore, a personal data subject is entitled at any time to submit a refusal of the collection and placement of his biometric personal data in the EBS, as well as to withdraw a previously submitted refusal in writing. A refusal of the collection of biometric personal data, and the withdrawal of such a refusal, are submitted to a multifunctional center personally by the personal data subject or by the legal representative of a minor or an incapacitated citizen. The refusal is drawn up in writing on paper and must be signed by the natural person in his own hand. The MFC is obliged to issue a written confirmation of receipt of such a refusal. After its receipt, the personal data is deleted.
In the development of the norms of Law No. 572-FZ, a significant number of sub-legislative acts have already been adopted, regulating the rules for processing biometric data in the EBS. In particular, executive bodies have regulated:
- requirements for conducting identification of a natural person by banks and multifunctional centers carrying out the placement of data in the EBS; [5]
- cases and terms for the use of biometric personal data placed by their owner through a mobile application; [6]
- rules for submitting a refusal from the collection and placement of biometric personal data, the withdrawal of such a refusal, as well as forms of the specified refusal, withdrawal of refusal, and written confirmation of their submission; [7]
- the procedure for processing biometric personal data in the EBS, [8] and many others.
Unfortunately, the format of this article does not allow for their more detailed consideration. Undoubtedly, biometric identification and authentication have obvious advantages: the convenience and speed with which one can obtain necessary services or perform certain actions, as well as the centralized storage of this data. At the same time, one cannot but note that the risks of illegal access to and misuse of biometric personal data are also increasing.
International Legal Regulation of Biometric Personal Data Processing
Let us compare how the institution of biometric personal data is regulated in EU countries.
On May 25, 2018, the General Data Protection Regulation (the "GDPR" or the "Regulation") entered into force in the European Union. This Regulation is mandatory for application by all persons carrying out the processing of personal data of EU citizens, regardless of whether it is carried out on the territory of the EU or outside its borders.
Article 4 of the GDPR gives the following definition of biometric personal data: personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person. We note that the Regulation does not include genetic data in this category; instead, genetic data is distinguished as a separate special category of protected personal data alongside biometric data.
Article 9(1) of the GDPR establishes a prohibition on the processing of biometric personal data. Exceptions are provided for by this same norm.
Firstly, processing is permitted with the explicit consent of the personal data subject. Explicit consent is understood as a "freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
We agree with the opinion of researchers on this topic [9] that, while the GDPR imposes certain requirements on consent given in writing, no such requirements are established for a "clear affirmative action", which gives rise to a number of questions. For example, how can a personal data operator demonstrate that the data subject gave consent to processing?
Secondly, the GDPR permits the processing of biometric data without the consent of their owner in the following cases:
- if processing is necessary for the purposes of carrying out obligations and specific rights of the operator or the personal data subject in the field of employment law, social security law, and social protection;
- to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- if processing relates to personal data which are manifestly made public by the data subject;
- processing is necessary for reasons of substantial public interest, which must be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific safeguards (at the same time, the GDPR does not explain what is included in the concept of substantial public interest);
- if processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, for medical diagnosis, or the provision of health or social care;
- processing is necessary for archiving, scientific, historical research purposes, or statistical purposes.
Thus, European regulation establishes grounds for the processing of biometric data in which public interests largely take priority.
Liability for Violations in the Processing of Biometric Personal Data
For violation of the conditions for processing biometric personal data, administrative liability may be imposed:
- Under Part 1 of Article 13.11 of the CAO RF, Processing personal data in cases not provided for by the legislation of the Russian Federation in the field of personal data, or processing personal data incompatible with the purposes of collecting personal data. The fine for officials ranges from 10,000 to 20,000 rubles; for legal entities, from 60,000 to 100,000 rubles.
- Under Part 2 of Article 13.11 of the CAO RF, Processing personal data without consent in writing from the personal data subject or with a violation of requirements for the consent. The fine for officials ranges from 20,000 to 40,000 rubles; for legal entities, from 30,000 to 150,000 rubles.
For repeated violations, the fines under the two specified articles are increased.
We note the absence of uniform approaches when considering cases of administrative offenses. Thus, in one of the cases that reached the court, F. performed video filming of students in a classroom without the permission of their legal representatives. F. confirmed the fact of filming on a personal phone and the transfer of the video to third parties. The court pointed out that according to Article 11 of Law No. 152-FZ, the processing of biometric personal data of students without consent in writing from their legal representatives is not permitted. By the resolution of the justice of the peace, F. was found guilty of committing an administrative offense provided for by Part 1 of Article 13.11 of the CAO RF. At the same time, the question of the purpose for which the video recording was made was not investigated by the court. [10]
In another case, the prosecutor's office conducted a check on compliance with legislation in the field of processing personal data of minors in educational institutions. During the check, it was established that the Gymnasium had implemented the "Ladoshki" system for collecting biometric personal data of minors, which reads the characteristics of students' palms. The system establishes the identity of the student for the organization of meals and their cashless payment. Written consents from parents for the processing of the students' biometric data had been obtained. The prosecutor's office initiated an administrative offense case under Part 1 of Article 13.11 of the CAO RF against the director of the Gymnasium. When considering the case, the prosecutor insisted that the "Ladoshki" system did not meet the requirements of Law No. 572-FZ, and that consents for the processing of biometric data should be given independently by students who have reached the age of 14. The court held that the Personal Data Law does not contain a prohibition on the use of biometric identification systems in general educational institutions, and that obtaining the consent of a minor's legal representative is the only way to ensure compliance with the requirements of the Personal Data Law. By the resolution of the justice of the peace, proceedings in the administrative offense case against the director of the Gymnasium were terminated for lack of the elements of an administrative offense. [11]
At the time of preparation of this article, Bill No. 353266-8, establishing administrative liability for violations when placing biometric personal data in the EBS, was adopted by the State Duma in its third reading. For such violations, a fine on officials is provided from 100,000 to 300,000 rubles; on legal entities, from 500,000 to 1,000,000 rubles. Furthermore, the bill proposes to increase the already existing liability for processing personal data without the consent of the personal data subject or with a violation of requirements for its content.
As for liability for non-compliance with the requirements of the GDPR when processing biometric personal data of EU citizens, a fine in the amount of up to 20,000,000 Euros or up to 4% of the annual turnover can be imposed on the operator (Article 83 of the GDPR). Its size varies depending on the severity of the violation, its duration, and the consequences.
For example, a Dutch company was fined 725,000 Euros by the regulatory body for violating the rules for processing the biometric data of employees. As was established, the company required its employees to scan their fingerprints for attendance registration. However, it could not produce the employees' consents to such processing, and the case did not fall under any of the exceptions permitting processing without consent. [12]
Summing up, given the constant expansion of the spheres and volumes of biometric personal data processing, the existing legal regulation is clearly insufficient. Furthermore, a tendency is observed toward shifting regulation to the level of sub-legislative acts, which does not correspond to the value of this information. More detailed legislative regulation of this institution is necessary, with the paramount task of mitigating the risks of illegal access to, loss of, or theft of biometric personal data.
______________________________
References
[1] Roskomnadzor Letter No. 08AP-6782 dated February 10, 2020, On Directing Information According to the Protocol of the Meeting.
[2] Appellate Ruling of the St. Petersburg City Court No. 33-22976/2016 dated November 15, 2016, in case No. 2-2932/2015.
[3] Roskomnadzor Clarifications dated September 2, 2013, On Issues of Classifying Photographic and Video Images, Dactyloscopic Data, and Other Information as Biometric Personal Data and Features of Their Processing.
[4] Roskomnadzor Order No. 18 dated February 24, 2021, On Approving Requirements for the Content of Consent to the Processing of Personal Data Permitted by the Personal Data Subject for Dissemination.
[5] Decree of the Government of the Russian Federation No. 820 dated July 14, 2018, On Establishing Requirements for Conducting Identification of a Natural Person by Banks, Multifunctional Centers for the Provision of State and Municipal Services, and Other Organizations in Cases Determined by Federal Laws, Carrying Out Placement in Electronic Form in the Unified Identification and Authentication System of Information Necessary for Registering a Natural Person in the Specified System, and Other Information Provided for by Federal Laws, as well as Placing Information in the Unified Biometric System.
[6] Decree of the Government of the Russian Federation No. 1067 dated June 15, 2022, On Cases and Terms of Use of Biometric Personal Data Placed by Natural Persons in the Unified Biometric System Using the Unified Biometric System Mobile Application.
[7] Decree of the Government of the Russian Federation No. 478 dated March 27, 2023, On Approving Rules for Submitting a Refusal by a Natural Person from the Collection and Placement of Biometric Personal Data for the Purpose of Conducting Identification and (or) Authentication, the Withdrawal of Such a Refusal, and Written Confirmation by a Multifunctional Center for the Provision of State and Municipal Services of the Submission by a Natural Person of the Specified Refusal and Withdrawal of Refusal, as well as Forms of the Specified Refusal, Withdrawal of Refusal, and Written Confirmation of Their Submission.
[8] Order of the Ministry of Digital Development of Russia No. 453 dated May 12, 2023, On the Procedure for Processing Biometric Personal Data and Vectors of the Unified Biometric System in the Unified Biometric System and in Information Systems of Accredited State Bodies, the Central Bank of the Russian Federation in the Event of It Passing Accreditation, and Organizations Carrying Out Authentication Based on the Biometric Personal Data of Natural Persons.
[9] Smirnova Ya.V., "Problems of Ensuring the Right to the Protection of Private Life During the Processing of Biometric Data in the European Union", Actual Problems of Russian Law, 2022, No. 10.
[10] Decision of the Vakhitovsky District Court of the City of Kazan No. 12-1143/2023 dated May 11, 2023.
[11] Decision of the Sterlitamak City Court of the Republic of Bashkortostan dated April 26, 2023, in case No. 12-390/2023.
[12] "Autoriteit Persoonsgegevens" website.