The principle of proportionality applied to biometrics in France: Review of ten years of CNIL's deliberations

The Council of Europe recommends promoting proportionality when dealing with biometric data, notably by “1) limiting their evaluation, processing and storage to cases of clear necessity, namely when the gain in security clearly outweighs a possible interference with human rights and if the use of other, less intrusive techniques does not suffice; 2) providing individuals who are unable or unwilling to provide biometric data with alternative methods of identification and verification; (…)”. France counts as a pioneering Member State in addressing the specific data protection risks raised by the increasing development of biometrics, in particular in the private sector. Since 2004, the French Data Protection Authority, the CNIL, has been empowered to prior check the proportionality of biometric systems deployed in the private sector. It also enforces in practice the articulation between the necessity test and the consent requirement. The present contribution reviews 10 years of CNIL's decisions with respect to biometric systems, then identifies and further discusses the criteria taken into account to apply the necessity test and the consent requirement.