Revolut is currently facing a class action lawsuit in Illinois, US, alleging that the company unlawfully collected, used, and stored customers’ biometric data.
In the current age of instant payments and increasing consumer demands, biometric data has become increasingly significant in facilitating authentication and verification during the payments process.
The biometrics industry is booming as more and more payment companies are implementing biometric technology to enhance security and create a more seamless customer service journey. However, due to the personal nature of biometric data, which records users’ faces, fingerprints, and voices, there is a need for heightened security to hold the data and ensure that users are protected.
In light of the recent charges facing Revolut, it’s necessary for consumers and companies to be aware of the data privacy regulation in place to protect user data from being exploited and to keep payment companies in check when they are handling sensitive information.
Biometric data regulation in the UK, EU, and USA
In the UK, the General Data Protection Regulation (GDPR) does not address biometric data and does not currently have any solid regulatory restrictions for financial institutions in the handling of biometric data. However, the UK Data Protection Bill outlines that companies must receive direct consent to store and process user information.
In the EU, there are references to biometric data-related concerns in the Artificial Intelligence (AI) Act: the European Commission lists biometrics as a “high-risk” AI system, and the European Parliament has banned biometric AI systems with certain exceptions. The Council of the EU does not categorise biometrics as high-risk, but does impose obligations on biometric systems. However, when it comes to fraud prevention and the use of biometrics for financial services organisations, the European Parliament does not include biometric AI fraud prevention systems on its high-risk list.
In the US, regulation of biometric data is not federal, but depends on state laws. California, Illinois, New York, Texas, Virginia, and Washington have passed legislation on biometric privacy. In 2018, the California Consumer Privacy Act (CCPA) was enacted, and in 2020 the California Privacy Rights Act (CPRA) passed, which made amendments to the CCPA. The CCPA outlined consumer privacy requirements, preventing companies from sharing private information. The CPRA adds to the privacy law: it bans companies from collecting children’s personal information and from accessing and controlling sensitive personal data, and it holds businesses accountable for failing to meet security precautions when it comes to consumer data privacy.
Biometric privacy laws in India and China
In India, the Aadhaar system verifies identity using biometrics for its residents and is used throughout government and civil facilities. India’s Digital Personal Data Protection Act (DPDP) states that citizens have the right to privacy and demands that commercial organisations offer a compelling purpose to use biometric data. The Act requires explicit consent from users, ensuring their protection and holding businesses accountable.
China similarly has explicit cybersecurity and data protection legislation in place designed to protect consumers from commercial entities that would take advantage of and share personal data. The Personal Information Protection Law, enacted in 2021, requires consent and purpose to use biometric technology. There is also a plan to limit the usage of facial recognition technology in public spaces to protect citizens’ identities.
Financial services must keep ahead of biometrics privacy regulation
Following the lawsuit against Revolut, which was preceded by a similar charge levelled at Facebook in Illinois, where the company paid users $650 million for misusing biometric data, it is essential that the financial sector pick up the pace on biometric data regulation.
If the financial services industry goes unchecked, there are serious security risks to user privacy and the threat of sensitive data leaking out. Therefore, companies that are implementing biometric technologies to improve customer experience must do so with transparency and explicit consent from the user to ensure protection and compliance.