Inter-American Development Bank
facebook
twitter
youtube
linkedin
instagram
Abierto al públicoBeyond BordersCaribbean Development TrendsCiudades SosteniblesEnergía para el FuturoEnfoque EducaciónFactor TrabajoGente SaludableGestión fiscalGobernarteIdeas MatterIdeas que CuentanIdeaçãoImpactoIndustrias CreativasLa Maleta AbiertaMoviliblogMás Allá de las FronterasNegocios SosteniblesPrimeros PasosPuntos sobre la iSeguridad CiudadanaSostenibilidadVolvamos a la fuente¿Y si hablamos de igualdad?Home
Citizen Security and Justice Creative Industries Development Effectiveness Early Childhood Development Education Energy Envirnment. Climate Change and Safeguards Fiscal policy and management Gender and Diversity Health Labor and pensions Open Knowledge Public management Science, Technology and Innovation  Trade and Regional Integration Urban Development and Housing Water and Sanitation
  • Skip to main content
  • Skip to secondary menu
  • Skip to primary sidebar
  • Skip to footer

Gobernarte

Mejores Gobiernos para los ciudados de América Latina

  • HOME
  • Authors
  • CATEGORIES
    • Boletín de ICS
    • Editorial Note
    • Gobernarte
    • More Info
    • Public
  • English
    • Spanish
Face ID: is our biometric facial data being safeguarded?

Face ID: Is our biometric facial data being safeguarded?

25 January, 2024 por Fabricio Rodríguez 1 Comment


In a world where facial recognition technology (FRT) is rapidly expanding, its use has been increasingly applied in daily situations such as accessing a bank account through a mobile, registering attendance at the office, or authenticating our identity in airports. Along with this widespread implementation, it also raises significant concerns about the safeguards of the biometric facial data that we provide (or not) to access different services or for other applications. So, if our biometric facial data is increasingly being used, how is it being protected?

Similar to other biometric data like fingerprints, eye retina or iris, finger veins, or even ear canal recognition, facial recognition is a mechanism that can be used to identify a person, and together with fingerprint recognition, it is currently one of the most commonly used mechanisms of identification. Facial recognition has experienced rapid growth in its applications and according to Deloitte, the market value of this technology is expected to increase from US$ 3.8 billion in 2020 to 8.5 billion in 2025.

How is biometric facial data captured?

As part of the process that uses facial recognition to authenticate whether we are who we say we are, there is an onboarding process that includes an enrollment phase. For example, setting up facial identification in your phone. During the initial setup process, it registers your biometrics, capturing in this case your facial data. This data is subsequently used for future authentications, providing access not only to the phone but also to apps that might use this feature.

However, facial recognition is not only based on voluntarily provided data for identification. Years ago, significant controversy arose around a company that collected billions of photos of people based on posts shared on social media to create a database later sold for identification purposes. According to the New York Times, “Dozens of databases of people’s faces are being compiled without their knowledge”, and this data seems to be collected not only from social media and other websites but also from cameras placed in different places, such as restaurants, for example.

Nevertheless, this same technology has become very important in areas like citizen security, being an increasingly used tool not only by police departments but also in the justice sector by public defenders. 

How is biometric facial data stored, and who has access to it?

As mentioned before, facial recognition has become widely popular for accessing and unlocking mobile devices. For instance, the iOS face identification system ensures that “Face ID data — including mathematical representations of your face — is encrypted and protected by the Secure Enclave.” The Secure Enclave is a subsystem integrated into Apple System on chips (SoCs) and is isolated from the main processor to provide an extra layer of security for sensitive data. iOS explicitly states that “Face ID data doesn’t leave your device and is never backed up to iCloud or anywhere else.” Essentially, only the user owner of the phone is supposed to have access and can manage their biometric data use and permits.

However, in other cases where biometric facial data is collected (sometimes without prior knowledge), users may not be able to access information on how their biometrics are being stored and its potential uses.

In 2020, during one of the controversies regarding the sale of facial datasets and its impact on people’s privacy rights, Senator Edward J. Markey from the United States mentioned:

If your password gets breached, you can change your password. If your credit card number gets breached, you can cancel your card. But you can’t change biometric information like your facial characteristics…

Therefore, to protect the personal biometric data of citizens, including their “faceprint” from other images or videos captured with or without their consent, is not only important but absolutely necessary to ensure correct treatment of data and set limits to its use. Protocols must be established to guarantee the appropriate handling of this very sensitive information, which, in the wrong hands, could lead to significant harm.

Is there legislation around biometric facial data protection?

While there is still a lack of legislation in many countries specifically addressing the protection of biometric data, some initiatives do exist aimed at defining rules for the treatment of this kind of data. One of the most important laws in this space is the European Union’s General Data Protection Regulation (GDPR), which establishes a set of rules in this field.

The GDPR classifies biometric information (including facial data) as a “special category” of personal data. Therefore, compliance with Article 9 is required, which, among other things, emphasizes the need for explicit consent from the data subject to process biometric data. In 2023, the European Data Protection Board published the Guidelines on the Use of Facial Recognition Technology in The Area of Law Enforcement as an effort to provide relevant information to lawmakers and Law Enforcement Authorities for the implementation and use of FRT.

On the other hand, given that the United States has no federal law on data protection, the State of Illinois enacted a biometric privacy law in 2008. The Illinois Biometric Information Privacy Act (BIPA) mentions that the subject should be informed in writing that a biometric identifier or biometric information is being collected or stored, and provide authorization. Similarly, other states like Texas and Washington State have developed biometric privacy statutes.

In 2020, the National Biometric Information Privacy Act was presented to the Senate, as a proposal to regulate this field at a national level in the USA. According to the US Congress website, this proposal mentions: “A private entity may not obtain an individual’s biometric data unless (1) the entity requires the data to provide a service or for a valid business purpose, and (2) the entity informs the individual in writing of the collection and its purpose and receives a written release.” In Latin America, various countries have enforced data protection laws, and cases around data protection have arisen. Some of these countries developed their laws based on the European model, including similar characteristics to those determined by the GDPR. For instance, the Data Protection Law from Ecuador, adopted in 2021, establishes biometric data as sensitive data. Therefore, among other rules, it determines that its use and processing are also forbidden without the explicit authorization of the data subject.

What might be done to safeguard people’s rights?

Biometric data, including facial data, will likely continue to expand its applications and use cases. Therefore, it is necessary for countries worldwide to continue working on specific norms to regulate the way this data is captured, processed, and used. Even though acts and specific protocols have already been developed in some countries, authorities need to work on strengthening their institutional capacities to guarantee adequate enforcement of these legal frameworks by promoting specialized guidelines, considering the rapid changes in technology, including artificial intelligence that uses facial biometric data as input.

Furthermore, it might be important for authorities to also consider working on FRT-based systems regulations. This is necessary to prevent bias, discrimination, or other negative effects on citizens as a result of the application of this technology, as seen in various cases around the world.

A robust regulatory framework, coupled with effective enforcement and awareness campaigns, will protect citizens’ biometric data and, eventually, their right to privacy. It will also establish an adequate environment to promote responsible innovation for the use and applications of FRT, as it can become a very powerful tool for the innovation and economic development when used appropriately.


Filed Under: Gobernarte

Fabricio Rodríguez

Fabricio Rodríguez is a consultant in the Digital Government and Data Cluster within the Innovation for Citizen Services Division (ICS) at the IDB (Inter-American Development Bank). Before joining the IDB, he worked across various sectors as a consultant for different projects aimed at strengthening and modernizing the governments of various countries in Latin America and the Caribbean. He holds a degree in economics from the Universidad Central del Ecuador and a Master's in Government from Pompeu Fabra BSM University in Catalonia. He completed the Trade Academy Program 2016-2017 in Stockholm, Sweden, and the National Development Program 2015 in Taipei, Taiwan.

Reader Interactions

Comments

  1. Artificial intelligence (AI) says

    19 April, 2024 at 11:19 am

    thanks for sharing useful content. keep sharing

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Follow Us

Subscribe

Search

Gobernarte

Welcome to the blog of the IDB's Division for Innovation in Citizen Services. This blog is a space to discuss solutions to improve governments in Latin America and the Caribbean in order to strengthen services to citizens and promote greater transparency. Join this conversation!

Recent Posts

  • What makes South Korea a trailblazer in the digital transformation of the public sector?
  • How to promote citizen participation in government audits using international best practices?
  • How to improve human resources management in public administration, according to public servants
  • Nowcasting Poverty: Revolutionizing Estimates in Central America and the Dominican Republic
  • Four Key Lessons for Effective Management of National Statistical Offices

Footer

Banco Interamericano de Desarrollo
facebook
twitter
youtube
youtube
youtube

    Blog posts written by Bank employees:

    Copyright © Inter-American Development Bank ("IDB"). This work is licensed under a Creative Commons IGO 3.0 Attribution-NonCommercial-NoDerivatives. (CC-IGO 3.0 BY-NC-ND) license and may be reproduced with attribution to the IDB and for any non-commercial purpose. No derivative work is allowed. Any dispute related to the use of the works of the IDB that cannot be settled amicably shall be submitted to arbitration pursuant to the UNCITRAL rules. The use of the IDB's name for any purpose other than for attribution, and the use of IDB's logo shall be subject to a separate written license agreement between the IDB and the user and is not authorized as part of this CC- IGO license. Note that link provided above includes additional terms and conditions of the license.


    For blogs written by external parties:

    For questions concerning copyright for authors that are not IADB employees please complete the contact form for this blog.

    The opinions expressed in this blog are those of the authors and do not necessarily reflect the views of the IDB, its Board of Directors, or the countries they represent.

    Attribution: in addition to giving attribution to the respective author and copyright owner, as appropriate, we would appreciate if you could include a link that remits back the IDB Blogs website.



    Privacy Policy

    Derechos de autor © 2025 · Magazine Pro en Genesis Framework · WordPress · Log in

    Banco Interamericano de Desarrollo

    Aviso Legal

    Las opiniones expresadas en estos blogs son las de los autores y no necesariamente reflejan las opiniones del Banco Interamericano de Desarrollo, sus directivas, la Asamblea de Gobernadores o sus países miembros.

    facebook
    twitter
    youtube
    En este sitio web se utilizan cookies para optimizar la funcionalidad y brindar la mejor experiencia posible. Si continúa visitando otras páginas, se instalarán cookies en su navegador.
    Para obtener más información al respecto, haga clic aquí.
    X
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT