/ Due Care of Biometric Data

January 6, 2020

Chile needs a personal data protection law updated to the current situation. The management of biometric data demands an adequate legislation that establishes basic requirements which guarantee the proper care and responsibility of the parties responsible for said management.


Biometry is an identification technology based on the recognition of physical characteristics, such as fingerprints, face, retina, voice, keystroke recognition and gait recognition, among others. As this information pertains to a natural and identifiable person, it is considered personal data and is specifically contemplated within the bill which modifies Law 19.628 on the protection of private life.

In the last weeks we have heard and read of some authorities who intend to create a database of facial biometrics. The objective would be to identify those who participate in criminal acts of looting and vandalism in social manifestations, while other business enterprises intend to use the technology to identify habitual criminals.

It is common these days for the public to use their biometric data. This happens for example when using certain time control systems which companies must implement by law, and which utilize fingerprint, voice or retina recognition. Banking security systems can use keystroke recognition, recognizing the way a person writes. When buying a “bono” from a private health insurer a fingerprint is required. Also, when unblocking a cellphone, accessing different mobile apps, carrying out a banking transaction, or being captured by security cameras on entering a mall, these are a few of the situations where biometric data is employed.

The importance of the safekeeping of this information lies in its irreplaceability. Thus, companies must take great care in the treatment of this data. It is not the same when credit card details are leaked, which can be annulled and replaced, as it is when this happens to a fingerprint.

A year ago, the Supreme Court of Illinois ruled on the class action filed by Rosenbach against Six Flags Entertainment Corp, based on the violation of the Illinois Biometric Information Privacy Act (BIPA). Rosenbach’s son was required to scan his fingerprints in order to use a season ticket at the Six Flags rollercoaster park. It was never informed that fingerprints were required nor the policies regarding the treatment of this information. Under United States law it is not required for an inconsistency to have caused actual damage before filing a lawsuit against the parties responsible for the infraction, considering the grave consequences that a possible breach would have given the fact that biometric data is irreplaceable.

Macarena Gatica

Senior associate – Alessandri