02/06/2023
Unified Biometric System: New rules for processing biometrics
From 1 June 2023, a prohibition on processing specific biometric personal data outside the Unified Biometric System (the “UBS”) will come into force. This will affect the ability of commercial organisations to process certain types of biometric data.

The UBS was created pursuant to Federal Law No. 572* dated 29 December 2022, which also regulates the procedures of identification and authentication of individuals by means of biometric personal data (the “Law”).

What is the Unified Biometric System?

The UBS is a state information system under which biometric personal data of individuals is collected and stored for subsequent identification and authentication.

The UBS currently includes the following types of biometric personal data: (a) an image of a person; and (b) a record of a person’s voice (“Biometric Data”). This list may be extended after 1 September 2024.

The Law stipulates that Biometric Data for identification purposes (i.e. establishing a person’s identity through their Biometric Data) and for authentication purposes (i.e. confirming that the person who provided Biometric Data is who they claim to be) can only be stored in the UBS.

Identification based on Biometric Data can only be carried out by the operator of the UBS, JSC “Centre of Biometric Technologies”.

Authentication using the data contained in the UBS can be carried out either by the operator of the UBS or by specially accredited organisations.

Companies are not allowed to independently carry out identification or authentication using Biometric Data.

What should companies do?

By 30 September 2023, all organisations that have been storing Biometric Data used for identification or authentication must transfer it to the UBS, having notified the relevant individuals 30 days before the transfer.
Afterwards, the data must be deleted.

Companies can subsequently authenticate individuals based on Biometric Data only through the UBS or accredited organisations, but only in the event that the individuals in question have given their voluntary consent.

For example, a visitor access control system that is based on automated image reading or voice authentication can only be implemented through integration with the UBS or a tool used by an accredited organisation. Such authentication may not be performed independently.

If authenticated through the UBS, the person’s identity is deemed to be established, and companies need not collect any additional data to confirm the individual’s identity.

The UBS need not be used when:

- an authorised officer manually identifies or authenticates a person based on Biometric Data. For example, access control by comparing a photo with the visitor who is presenting it; and
- other biometric personal data (i.e. not images or voices) are used. Companies may use other biometric data (i.e. data characterising biological and physiological features) without restriction provided they comply with the Personal Data Law*.

Liability

No specific liability for breach of the Law has been established to date; however, a bill* has recently been submitted to the State Duma which would establish fines for offences involving the use of Biometric Data.
The bill could be adopted during this spring session.

It is proposed to amend part 2 of article 13.11 of the Russian Code on Administrative Offences to establish the penalties for using Biometric Data in violation of the requirements established by Russian legislation in the sphere of personal data.

For legal entities, fines can range from RUB 300,000 to RUB 700,000 (from EUR 3,468 to EUR 8,091) (for repeated violation from RUB 1m to RUB 1.5m (from EUR 11,559 to EUR 17,339)).

Recommendations

Given the forthcoming entry into force of the Law’s provisions prohibiting the processing of Biometric Data outside the UBS, we recommend that companies:

- check whether they currently use any processes to identify and authenticate individuals based on Biometric Data or plan to implement any such systems; and
- either adjust the processes so as to exclude the application of the Law or implement identification/authentication through the UBS in existing and planned business processes.

* In Russian