Alain Bensoussan

The CNIL has given its green light to a multimodal biometric system. Striking the right balance between security and the protection of privacy and personal data, the French data protection watchdog decided that the security measures taken satisfactorily protected personal data and that the multimodal biometric system was “adapted and proportionate to the purpose pursued”. This is the first time that a multimodal biometric system is authorized in France.
Purposes of biometric recognition systems
On May 12, 2011, the French data protection authority, the CNIL, authorized for the first time a company to deploy a multimodal biometric system combining finger vein and fingerprint recognition to control access to its workplace premises (CNIL Deliberation No. 2011-141 of May 12, 2011, in French).

Vauban Systems, an information security consulting firm, had applied for an authorization, in compliance with Article 25-I-8° of the French Data Protection Act, which provides that automatic processing comprising biometric data necessary for the verification of an individual’s identity may be carried out only after the CNIL’s authorization. 

A biometric system is designed to identify individuals based on their physical, biological or even behavioral features. Biometric data is data produced by the human body, positively identifying individuals and enabling to trace them. Vein pattern is a more reliable and secure biometric method than fingerprints, which may be lifted and reproduced unbeknownst to the individual.

Analytic synthesis of the CNIL’s decision

The CNIL first analyzed the functioning of the device. It noted that it was made of one single reader allowing to read — virtually at the same time— the vein pattern and the fingerprint of both fingers. These two biometric data are recorded in the templates stored in the terminal. 

How does the system work exactly? An individual who wants to access the premises of the company has to put his finger on a biometric reader. A comparison is then made between (i) the fingerprint, (ii) the vein pattern of the individual’s finder and (iii) the templates registered in the reader’s database. 

The CNIL found that the combination of the two biometric techniques enabled an effective (the vein pattern guarantees that the fingerprint is in fact the one belonging to the individual placing his hand) and quick identification of the individual. This led the CNIL to conclude that the system was adapted to the purpose of the processing, i.e., control access. 

The French data protection watchdog further noted that the security measures were satisfactory and limited the risk of scattering the biometric data for a number of reasons: the data are stored on the terminal and not on a server; only the vein pattern templates and the fingerprints are kept; the templates are stored in a proprietary format and encrypted by using strong cryptographic algorithms and there are specific encryption keys for each terminal. 

Lastly, the CNIL considered that the data retention period did not exceed the time period necessary for the purposes of the processing, to the extent that the identification data of the individual and the templates were kept for the period during which the individual was authorized to enter the premises and the access history was retained for three months.