SALT (Mobai et al.), exit report: Securing Digital Identities

Central storage of biometric information

Processing digital data that represents a feature of a physical person in raw, unencrypted form (for example facial images, fingerprints and iris scans) represents a high risk to the individual, because the data is static: unlike a password or a key, it cannot be changed or replaced once compromised. The data controller therefore needs to ensure appropriate safeguards when processing facial images as well as biometric templates.

Biometric data is a special category of personal data under the GDPR, and its centralized storage is considered particularly sensitive, presenting several challenges and obligations for organizations. Because of this, both the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (section 12) emphasize strict security measures for processing and storing biometric data.

The SALT solution has two different implementation concepts, depending on whether end-user devices are considered trusted or untrusted:

  • “Trusted devices”: local processing and local storage of biometric data on the device
  • “Untrusted devices”: processing and storage of biometric data distributed across local devices and central systems

A primary justification for the centralized storage and processing of biometric data is that Mobai does not regard personal user devices as reliably “trusted” within their use case. This report focuses specifically on the concept of central storage and processing, but it also discusses the underlying rationale for centralized handling and the associated risks.

It is important to differentiate between two different types of storage of biometric data:

  • Central storage, where a large amount of biometric data is aggregated in a database
  • Decentralized, or local, storage, which usually takes place on a user’s personal device, for example a mobile phone, PC or smartcard/hardware key

Decentralized storage encompasses only the user’s own biometric data, captured locally and thus under the user’s physical control, unless the platform, device or service provider also runs backup routines that copy the data externally. Such devices usually keep local biometric data in specially protected hardware components offered in modern devices, such as a TPM (Trusted Platform Module) or a TEE (Trusted Execution Environment). Such solutions are already in common use as an alternative to PIN codes for mobile phone screen locks.

There are many use cases for decentralized storage. One that many citizens already use is local device authentication or verification, where a user authenticates using the mobile phone’s own face verification system.

Key considerations with central storage of biometric data

Centralized storage of biometric data has several risks:

  • Increased consequence of breaches: Centralizing biometric data means aggregating sensitive information in a central location or system. This creates a larger target and increases the consequences of cyberattacks or unauthorized access. If a breach occurs, it could expose the biometric data of a large number of individuals at once, leading to significant privacy violations.
  • Illegitimate repurposing: Centralized storage makes it easier for biometric data to be used for unintended purposes. For example, if data is stored centrally without strict controls, it could be used for purposes beyond those originally intended or authorized by the data subjects.
  • Loss of control by data subjects: Centralized storage can make it difficult for individuals to control their biometric data. If data is aggregated and stored centrally, individuals may find it challenging to exercise their GDPR rights, such as the right to access, rectify, or delete their data.

There are variations on central storage, such as distributing the database content across multiple databases or splitting each record into several pieces that are stored in different locations. These are mitigations that reduce the risk and consequences of central storage, but only if the pieces are held under separate administrative and key control: a party that can read all stores, or a single component that reassembles the record, still has the full record.
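One concrete form of the record-splitting mitigation mentioned above, as an added example written for this page (it is not Mobai’s design, which the report does not detail): byte-wise Shamir secret sharing, so that a template record written as n shares to n separately administered databases can be rebuilt from any k of them, while any set of fewer than k shares is statistically independent of the template. Assumptions: the template is an opaque byte string, the sample bytes are constructed, and each share goes to a store with its own administrators and credentials.

```python
"""Splitting one stored template record into k-of-n Shamir shares (added example, not SALT)."""
import secrets

P = 257  # smallest prime above 255, so every template byte is an element of GF(257)

# Constructed sample: a 16-byte stand-in for a (much larger) biometric template.
TEMPLATE = bytes([0x00, 0x7f, 0x80, 0xff, 0x12, 0x34, 0x56, 0x78,
                  0x9a, 0xbc, 0xde, 0xf0, 0x01, 0x02, 0x03, 0x04])


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Horner evaluation over GF(P); coeffs[0] is the constant term (the secret byte)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(template: bytes, k: int, n: int) -> list[tuple[int, list[int]]]:
    """Produce n shares (index, values) of which any k reconstruct the template."""
    if not 2 <= k <= n <= P - 1:
        raise ValueError("need 2 <= k <= n <= 256")
    shares = [(x, []) for x in range(1, n + 1)]
    for byte in template:
        # Random degree k-1 polynomial with the byte as constant term. Fewer than k
        # evaluation points leave the constant term uniformly distributed, i.e. a
        # breach of k-1 stores reveals nothing about the template.
        coeffs = [byte] + [secrets.randbelow(P) for _ in range(k - 1)]
        for x, values in shares:
            values.append(_eval_poly(coeffs, x))
    return shares


def reconstruct(shares: list[tuple[int, list[int]]], k: int) -> bytes:
    """Lagrange interpolation at x = 0 from any k shares with distinct indices."""
    if len(shares) < k:
        raise ValueError("not enough shares")
    shares = shares[:k]
    xs = [x for x, _ in shares]
    if len(set(xs)) != k:
        raise ValueError("duplicate share index")
    out = bytearray()
    for i in range(len(shares[0][1])):
        total = 0
        for j, (xj, values) in enumerate(shares):
            num = den = 1
            for m, xm in enumerate(xs):
                if m != j:
                    num = num * (-xm) % P
                    den = den * (xj - xm) % P
            total = (total + values[i] * num * pow(den, -1, P)) % P
        if total > 255:  # only possible with corrupted or mismatched shares
            raise ValueError("share data inconsistent")
        out.append(total)
    return bytes(out)


if __name__ == "__main__":
    stores = split(TEMPLATE, k=2, n=3)  # three databases; any two suffice
    print(reconstruct([stores[0], stores[2]], 2) == TEMPLATE)
```

The sharing protects confidentiality only: a tampered share produces a wrong template (or an error), so the record should still be wrapped in authenticated encryption before it is split, and reassembly should happen only in the component that actually needs the plaintext, never in the stores themselves.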

Locally stored biometric data is also potentially exposed to different types of attacks; however, an important benefit of storing personal biometric data locally on the user’s own device is that it represents a lower risk of large-scale confidentiality breach. It also makes it harder to systematically collect and repurpose biometric data at scale for 1:n (one-to-many) identification.

Thus, security requirements for centralized storage are comprehensive. Below, we outline the requirements associated with the various approaches:

  • Encryption: Biometric data stored centrally must be encrypted at rest (when stored), in transit and in use. This ensures that even if some form of unauthorized access occurs, the data is not readable or usable. This requires proper and effective management of encryption keys, including keeping keys separate from the data they protect, and the use of well-vetted, secure encryption algorithms with adequate key lengths.
  • Access controls: Strict access controls must be in place to ensure that only authorized personnel can access the centralized biometric data. This includes multifactor authentication, role-based access, and regular audits of access logs.
  • Pseudonymization: Where possible, biometric data should be pseudonymized before being stored centrally. Pseudonymization involves altering the data so it cannot be attributed to a specific individual without additional information.
  • Data Minimization and Deletion: Organizations should collect and retain only the biometric data strictly necessary to fulfil the intended purpose. This principle mandates actively preventing the collection and storage of excessive data. Additionally, all data no longer required for the specified purpose must be promptly and properly deleted—including from backup storage—in accordance with policy guidelines grounded in the principles of necessity and proportionality.
  • Regular security audits and demonstrating compliance: Organizations must regularly audit their security practices and infrastructure to ensure that the centralized storage of biometric data remains secure. This includes reviewing encryption methods, access controls, deletion procedures and any changes in the threat landscape.

Key concerns expressed with central storage of biometric data

There is considerable debate within the EU on the question of central storage of biometric data. The main questions of debate are whether it should be allowed at all, and, if yes, which specific actors should be allowed. There is no formally established consensus on these questions.

The European Data Protection Board (EDPB) has issued guidance stressing the importance of minimizing risks related to biometric data processing. While the EDPB does not outright ban the central storage of biometric data, it emphasizes strict conditions and often suggests decentralized approaches as a safer alternative. The EDPB advocates that biometric data should only be processed and stored in ways that are strictly necessary and proportionate to the purpose of the processing. Centralized storage is often seen as a last resort; only justifiable when no less risky alternatives are available.

The French national data protection authority (CNIL, Commission Nationale de l'Informatique et des Libertés) has been particularly vocal in warning against the central storage of biometric data. It advises that storing such data in a decentralized manner, or on individual devices, can significantly reduce privacy risks. Several German regional DPAs have taken a strong stance against the central storage of biometric data, particularly in the context of public administration and law enforcement. They argue that decentralized storage, combined with strong encryption and local processing (on devices), provides better protection against unauthorized access and misuse.

Certain members of the European Parliament (MEPs) and committees, particularly those focusing on civil liberties, have raised concerns about the central storage of biometric data, particularly in relation to state surveillance and mass data collection. There have been calls for stricter regulations or outright bans on central storage, especially when it comes to government databases. Civil Liberties Groups such as the European Digital Rights (EDRi) network advocate against the central storage of biometric data, arguing that it inherently creates vulnerabilities and risks that are difficult to mitigate. They push for decentralized, privacy-preserving alternatives, emphasizing the principles of data minimization and user control.

The European Court of Human Rights (ECtHR), a Council of Europe court rather than an EU institution, nonetheless influences EU policy. In some cases it has ruled against practices that involve centralized storage of sensitive personal data, including biometric data, particularly when such storage is not justified by a compelling public interest or lacks adequate safeguards.

While there is no absolute ban on the central storage of biometric data within the EU, there is a strong preference for decentralized approaches among many legal bodies, DPAs, and privacy advocates. These entities argue that centralized storage poses significant risks and that, where possible, biometric data should be stored in a way that minimizes these risks, such as on personal devices or in encrypted, decentralized systems.

Mobai’s arguments for central storage of biometric information

The EU’s technical specifications for eIDs prioritize multi-factor authentication and emphasize the importance of secure, controlled environments for biometric processing. This is outlined in standards such as ETSI TS 119 461 (policy and security requirements for identity proofing).

Mobai argues that performing biometric processing solely on devices (such as personal computers or mobile phones) presents security challenges. Arguably, although modern devices incorporate advanced security features, they are still susceptible to vulnerabilities and tampering, necessitating – in Mobai’s view – trusted central environments for secure storage and processing.

Achieving a high security level thus requires combining device-specific safeguards with external processing, adding a protective layer that complicates unauthorized access for potential attackers. The increasing number of social engineering incidents, in which users are manipulated into disclosing possession-based and knowledge-based credentials, poses substantial risks, particularly for bank accounts, eIDs and other digital services. Effective biometric verification depends on user-specific biometric references that are stored and processed securely.

An important challenge is how to ensure the integrity of the biometric reference throughout the comparison process. Many devices, including laptops and mobile phones, may be susceptible to tampering or unauthorized access. Smartphones store biometric data in secure containers protected by encryption and isolated environments, yet access to these containers is also platform-controlled (e.g., by Google, Apple or Microsoft).

Mobai’s solution aims to enhance protection for biometric data during both storage and processing by employing additional security mitigations of its own, including homomorphic encryption. The Protected Biometric Template (PBT) provides privacy features beyond those found in standard IDs or smartphone biometrics. By leveraging homomorphic encryption, Mobai supports the properties required by ISO/IEC 24745:2022: revocability (a compromised template can be replaced by a new one derived from the same face), irreversibility (the facial image or feature vector cannot be recovered from the template) and unlinkability (templates of the same person issued to different systems cannot be matched against each other). Given the computational demands of homomorphic encryption, Mobai considers centralized processing the viable way to ensure trustworthy face matching results.

The PBT storage can be either centralized or decentralized. However, in Mobai’s view, centralized storage offers significant security advantages, including faster updates and improved threat detection. The centralized approach also incorporates quantum-resistant encryption through SALT, whereas decentralized systems would rely on conventional encryption, meaning the data must be decrypted before matching.

In summary, Mobai asserts that their implementation of centralized storage affords providers greater control of security, including key management, and of privacy using novel encryption methods. In contrast, a decentralized approach would leave service providers, like BankID, reliant on platform owners' security measures, with less direct control over PBT storage integrity, security and privacy.
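To make concrete why matching on encrypted templates removes the need to decrypt the stored reference (the contrast drawn above with conventional encryption), here is an added example written for this page. It is not Mobai’s SALT implementation, whose scheme the report does not describe, and it uses a toy Paillier cryptosystem, which is additively homomorphic and, unlike the lattice-based schemes usually meant by “quantum-resistant”, is not post-quantum. Assumptions: the reference is a quantized face embedding vector, comparison is the dot product of L2-normalised vectors (cosine similarity), the decryption key is held by a key-management component separate from the template store and matcher, and the 0.8 threshold and sample embeddings are constructed for the demo.

```python
"""Toy Paillier (additively homomorphic) face matching on encrypted templates. Not SALT's scheme."""
import math
import secrets
from typing import NamedTuple

SCALE = 1000  # fixed-point scale for L2-normalised embeddings
# Constructed sample embeddings (8 dims for brevity; real face embeddings have hundreds).
REF_EMBEDDING = [0.9, -0.3, 0.2, 0.5, -0.7, 0.1, 0.4, -0.2]
GENUINE_PROBE = [0.85, -0.35, 0.25, 0.45, -0.65, 0.15, 0.4, -0.25]
IMPOSTOR_PROBE = [-0.4, 0.8, 0.1, -0.6, 0.3, 0.5, -0.2, 0.7]

class PublicKey(NamedTuple):  # all that the template store and the matcher ever hold
    n: int
    n2: int

class PrivateKey(NamedTuple):  # held by a separate key-management component (assumption)
    pub: PublicKey
    lam: int
    mu: int

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; adequate for a demo, use a vetted library for real keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def keygen(bits: int = 512) -> PrivateKey:
    """Paillier key pair with g = n + 1. 512-bit n is a toy size; use >= 2048 bits in practice."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and math.gcd(p * q, (p - 1) * (q - 1)) == 1:
            break
    n, lam = p * q, (p - 1) * (q - 1)
    return PrivateKey(PublicKey(n, n * n), lam, pow(lam, -1, n))

def encrypt(pub: PublicKey, m: int) -> int:
    """E(m) = g^m * r^n mod n^2 with fresh r, so repeated encryptions of one value are unlinkable."""
    while True:
        r = secrets.randbelow(pub.n - 1) + 1
        if math.gcd(r, pub.n) == 1:
            break
    return (1 + (m % pub.n) * pub.n) * pow(r, pub.n, pub.n2) % pub.n2

def decrypt(priv: PrivateKey, c: int) -> int:
    n = priv.pub.n
    m = (pow(c, priv.lam, priv.pub.n2) - 1) // n * priv.mu % n
    return m - n if m > n // 2 else m  # map residues back to signed integers

def add_enc(pub: PublicKey, c1: int, c2: int) -> int:
    """E(a) * E(b) = E(a + b)."""
    return c1 * c2 % pub.n2

def mul_plain(pub: PublicKey, c: int, k: int) -> int:
    """E(a) ^ k = E(a * k) for a plaintext integer k (negatives taken modulo n)."""
    return pow(c, k % pub.n, pub.n2)

def quantize(embedding: list[float]) -> list[int]:
    """L2-normalise and convert to fixed point, so cosine similarity becomes an integer dot product."""
    norm = math.sqrt(sum(x * x for x in embedding))
    return [round(x / norm * SCALE) for x in embedding]

def enrol(pub: PublicKey, embedding: list[float]) -> list[int]:
    """Protected template: one ciphertext per component. The store never sees the plaintext vector."""
    return [encrypt(pub, v) for v in quantize(embedding)]

def encrypted_score(pub: PublicKey, template: list[int], probe: list[float]) -> int:
    """Matcher side: dot product of the encrypted reference with a plaintext probe; output is still encrypted."""
    acc = encrypt(pub, 0)
    for c, p in zip(template, quantize(probe)):
        acc = add_enc(pub, acc, mul_plain(pub, c, p))
    return acc

def verify(priv: PrivateKey, enc_score: int, threshold: float = 0.8) -> bool:
    """Key-holder side: decrypt the score (cosine * SCALE^2) and apply the (arbitrary) threshold."""
    return decrypt(priv, enc_score) / (SCALE * SCALE) >= threshold

if __name__ == "__main__":
    key = keygen()
    template = enrol(key.pub, REF_EMBEDDING)
    print("genuine accepted :", verify(key, encrypted_score(key.pub, template, GENUINE_PROBE)))
    print("impostor accepted:", verify(key, encrypted_score(key.pub, template, IMPOSTOR_PROBE)))
    # Revocation: re-enrol under a fresh key; the new ciphertexts cannot be linked to the old ones.
    print("re-issued differs:", enrol(keygen().pub, REF_EMBEDDING) != template)
```

The split of roles is the security point: the matcher computes on ciphertexts with only the public key, so a breach of the template store or the matcher yields neither the reference vector nor the similarity scores, and the three ISO/IEC 24745 properties follow from the encryption (irreversibility without the private key, unlinkability from fresh randomness per ciphertext, revocability by re-enrolling under a new key). The cost is the one the text names: every component of every template is a modular exponentiation, which is why such schemes are run on server hardware rather than on handsets.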

The Norwegian Data Protection Authority’s assessment of the possibility for central storage

In this report, we have addressed key concerns with central storage of biometric data and presented Mobai’s arguments for central storage. As we have pointed out, there is no absolute ban on central storage of biometric data, and there is a path forward for companies that aim to do this. What the Norwegian Data Protection Authority has pointed to in this report is that a company must evaluate whether it is necessary and proportionate to store biometric data centrally, and must thoroughly document the reasoning for this, including proper risk assessments of the specific protective mitigations.

In light of Mobai’s solution, the Norwegian Data Protection Authority assesses that it might enable the implementation of central biometric data storage and processing in cases where this was previously not considered secure enough to address the significant concerns associated with central storage.