Privacy professionals are familiar with the terms of biometric data, genetic data, technical and organizational measures, pseudonymisation. Biometric data under GDPR means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images. But what about Liveness? There is no mention of Liveness in the regulation, while it plays a crucial part in data safety. Let’s get deeper into the issue.
What is Liveness?
In biometrics, Liveness Detection is an AI computer system’s ability to determine that it is interfacing with a physically present human being and not an inanimate spoof artifact. Note: It’s not called “Liveliness”. Don’t make that rookie mistake!
Are pseudonymisation and Liveness the same?
No, they are not. Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. In other words, pseudonymisation is a technical method of data processing to ensure safety, contrary to Liveness which is the system’s feature to identify a human being.
How Liveness Detection Protects Us?
The conventional understanding in Privacy Law is that biometric data is sensitive and processing thereof associated with high risks. If we lose such data we cannot replace our inherent features easily (famous example, consider these two cases: loss of a debit card vs. a loss of a facial biometric data, which one can you replace?). I concur with this concept however it is old fashioned understanding. We are more exposed to lose biometric data than we expected. High-quality pictures of us can be accessible on Facebook, LinkedIn, and Instagram. Those pictures comprise biometric data, so anyone with access to pictures can extract them. Are we vulnerable now? Not if our accounts are secured with certified Liveness detection, because mere photos won't fool the AI. Nor will a video, a copy of our driver license, passport, fingerprint, or iris. We must be physically present to access our accounts, so we need not worry about keeping our biometric data "secret".
Read more at Liveness.com
Why GDPR excludes Liveness term?
If Liveness is so important for the safety of biometric data processing, why it is missing in the GDPR? The answer is very trivial, science and technology are step forward of regulations. However, it won’t take much time when we see Liveness term in the regulation alongside pseudonymisation and encryption.