From passport photos to accessing bank accounts with fingerprints, the use of biometrics is growing at an exponential rate. And while using your fingerprint may be easier than typing in a password, just how far is too far when it comes to biometric use, and what’s happening to your biometric data once it’s collected, especially where governments are concerned?
Here at Comparitech, we’ve updated our biometric data study to include 100 countries. We’ve found out where biometrics are being taken, what they’re being taken for, and how they’re being stored.
There is huge scope for biometric data collection, so we have identified eight key areas that apply to most countries (to offer a fair country-by-country comparison and to ensure the data is available). Each country has been scored out of 28, with low scores indicating extensive and invasive use of biometrics and/or surveillance and a high score demonstrating better restrictions and regulations regarding biometric use and surveillance.
While Iran and China topping the list perhaps doesn’t come as too much of a surprise, residents of (and travelers to) may be surprised and concerned to find out just how much biometric data is collected on them and what is happening to it afterward.
- Many countries collect travelers’ biometric data, often through visas or biometric checks at airports
- The vast majority of countries we studied use biometrics for bank accounts, e.g. fingerprints to access online app data and/or to confirm identities within the banks themselves
- Despite many countries recognizing biometric data as sensitive, increased biometric use is widely accepted
- Facial recognition CCTV is being implemented in a large number of countries or at least being tested
- EU countries scored better overall than non-EU countries due to GDPR regulations protecting the use of biometrics in the workplace (to some extent)
- Many of the top-scoring countries don’t necessarily receive their high scores for “best practices” but because they are developing nations that haven’t moved toward technology-based solutions in certain areas
The worst countries for biometric data collection and use
These countries received the lowest scores overall, meaning they are showing a concerning lack of regard for the privacy of people’s biometric data. Through the collection, use, and storage of biometric data, these countries use biometrics to a severe and invasive extent.
Iran = 2/28
The worst-ranked country for biometric use is Iran, which only managed to score two points–one for not having a biometric voter registration system and the other for allowing 12 countries visa-free access to the country.
Some key areas for concern in Iran include:
- Its extensive centralized biometric database in which citizens’ IDs (featuring 10 fingerprints and a photograph) are interconnected with numerous agencies for a variety of activities, including banking.
- Its lack of a data protection law, which was still under review at the time of writing. Also, there is no mention of biometrics in workplace protection laws and often cameras are used without specific privacy protection mechanisms.
- Its use of Chinese surveillance technology, which features facial recognition and is reported to be widely in use within the military, police, and Revolutionary Guard.
- Its smart biometric border system at the southern border of Khurasan. Although its primary use is to monitor goods that enter and leave the country, it also enables the tracking of people.
China = 3/28
This year, China scraped back one point to take it off the “top” spot, thanks to its introduction of a data protection law. Its other two points come from providing some (if minimal) safeguards in the workplace for biometrics and its lack of a biometric voter system.
These scores are met with some irony, as the voting system is very heavily controlled, which perhaps rids the need for biometric voting. Likewise, companies have been permitted to monitor employees’ brain waves for productivity whilst they work, showing the lack of protection available.
CCTV surveillance with facial recognition is extensive with 16 of the world’s most surveilled cities being located in China. These cameras have even been used to shame people who go outside wearing their pajamas. China also collects biometrics for all visas and fingerprints are taken upon arrival into the country.
One positive to take from China is the long-overdue introduction of a data protection act, which came into force on 1st September 2021. This is a step forward in protecting individuals’ privacy, with facial biometrics only being allowed if used for specific purposes and only when sufficiently necessary.
Pakistan = 5/28
Pakistan follows closely behind China and Iran with a score of five points. Biometrics are not required when entering the country and are not needed to obtain a visa, which is where most of these points come from.
Otherwise, the country has quite an invasive use of biometrics, including a large national database that holds citizens’ ID cards that are necessary for various services, including SIM-card registration. The database is also accessed by police to cross-check with criminals’ data and fingerprints. A lack of data protection in the country increases the risk of abuse.
Biometrics are used heavily in schools and for government agencies to track attendance, and while consent is required, there are very few safeguards available, especially without a data protection law. Lastly, 191 countries require a tourist visa to enter Pakistan, which is much higher than most countries in our study.
Uganda = 5.5/28
Uganda scores just half a point more than Pakistan (the half for biometric data being included as “identity data” within the data protection act (PDF)). The other five points were for, allowing around 30 countries visa-free entry into the country, for having some use of facial recognition CCTV but not extensive use, and for having some biometric checks upon arrival into the country, but not explicitly for all arrivals.
All Ugandans must present their biometric ID card to open a bank account, get a SIM card, get a passport, and even obtain a student loan. The country also uses a biometric voter registration system.
Bangladesh, Bolivia, India, Kuwait, Nigeria, Saudi Arabia = 6/28
Saudi Arabia is the only country out of this selection that has recently introduced a data protection law, all other countries lack any safeguards.
All of the countries bar Bolivia are using biometrics for more than just online banking with Nigeria using fingerprinting at ATMs, Kuwait adding biometric fingerprints to Mastercard for secure access, and India’s largest bank in the country having illegally demanded customer details and biometrics during the pandemic.
All six countries have large biometric databases that collect numerous types of biometric data, all of which are accessed by law enforcement without clear procedures and oversight. Facial recognition is advancing in most countries listed above with only Kuwait and Nigeria showing little to no use.
The United States, the United Arab Emirates, Qatar, Guatemala, Ghana, and the Dominican Republic = 7/28
For the third year running, the US continues to be within the worst-scoring countries for biometric data collection.
Most concerning is its lack of a specific law to protect citizens’ biometrics. While there are a handful of state laws that protect state residents’ biometrics (as can be seen in our state privacy study), many US citizens’ biometrics are left exposed as there is no federal law in place. And this is despite the widespread and growing use of facial recognition in public places, biometrics within the workplace, and fingerprints for visas.
Among the other five countries that scored seven points, the United Arab Emirates is the only one to have recently introduced a data protection law that categorizes biometric data as sensitive data. All are using large biometric databases with police access (often without warrants), have growing and extensive use of facial recognition CCTV, and enable employee surveillance through biometrics.
Top countries for protecting biometric data (to some extent)
While no country provides unwavering protection for its citizens’ biometric data, there are some countries that either haven’t introduced invasive biometric collections or have some safeguards in place. These are:
Turkmenistan = 20/28
Turkmenistan has remained top spot for the second year in a row. While this may be a surprise, this is likely due to a lack of development within the country. For example, no known biometric database exists and the prevalence of CCTV with facial recognition isn’t known. These are two heavy-scoring areas that help boost Turkmenistan’s score. However, we shouldn’t let this detract from the fact that Turkmenistan, unlike many other countries, has a data protection law in place which recognizes biometric data as confidential. The country also doesn’t have any biometrics in its national ID, banks, or voter registration system.
Portugal, Luxembourg, Azerbaijan = 17/28
To begin with, all three of these countries provide a data protection policy, Portugal and Luxembourg base theirs on GDPR laws while Azerbaijan provides its own definition of biometrics. As for biometric databases, Portugal bans their use, Azerbaijan hasn’t introduced such a database, and Luxembourg has one of the lowest percentages of the population who are part of Europe’s DNA database (for criminals).
Luxembourg explicitly states that it will not use facial recognition software, while Azerbaijan is only in the early stages of testing and implementing the technology. Portugal has some evidence of use, but it’s not extensive.
Tunisia, Romania, and Ireland = 16/28
Much like Turkmenistan at the top, Tunisia perhaps performs well due to its lack of development. This could change in our next update, however, as while the country is not currently in possession of a biometric database, it is trying to implement one.
Tunisia does allow almost 100 countries to enter visa-free without the need to provide biometrics on arrival and without needing biometrics for visas if one was needed.
Elsewhere, Romania and Ireland benefit from good data protection for both biometrics in general and around their use in the workplace, and neither have large biometric databases (just criminal databases)
Lithuania = 15/28
Lithuania scores well for using a biometric database that only collects data from criminals (fingerprints and DNA). And while some police access is possible, plenty of provisions and procedures are in place to protect data. Police in the country have failed to say whether they’re using facial recognition, but it has been suggested that some use is likely.
Spain, Slovenia, Slovakia, Serbia, Norway, and Austria = 14/28
Each of these countries has an adequate data protection law that offers some protection for biometric data. However, all five European countries are part of the Schengen Area and therefore require non-Schengen countries to provide fingerprints upon arrival. Serbia doesn’t require biometrics for either its visa or upon entry to the country.
Slovakia stands out for having no mention of facial recognition being used, while Norway and Spain have minimal use/only for certain situations.
Our research focused on the top 100 countries by GDP.
To give countries a score out of 28, we created eight categories. Lower scores indicate more biometric intrusion than higher ones.
The first category was a simple set of five yes or no questions. “Yes” answers were allocated one point (or, in the case of banking, two) as they indicated the use of biometrics in a certain area (or lack of protection by law), and “no” answers were given a zero as no biometrics were being collected (or they were being protected by a specific law).
These questions were:
- Are biometrics used in passports? Yes (0) / No (1) – countries where biometric passports are in the process of being introduced also scored zero
- Does the national ID card contain biometrics? Yes (0) / No (1) – countries where biometric ID cards are in the process of being introduced also scored zero
- Has the country failed to introduce a law to protect biometric data? Yes (0) / No (1) – If biometric data is covered in personal data protection legislation, this is classed as “no.” But if a law partially covers biometric data (e.g. an industry-specific or digital-only law), this is classed as “yes.” Where the data protection law may offer some protection (e.g. for sensitive data, genetic data, or health data but doesn’t specifically mention biometrics), countries may receive a score of 0.5.
- Are biometrics being used in banks (inc. trials)? Yes – for payments, ATMs, to register for an account, and/or in branches (0), Yes – for online banking (1), No (2)
- Is biometric voter registration being used to a large extent? Yes (0) / No (1)
The next few categories were assigned various scores depending on the severity of biometric use/collection/access.
4 = No biometric database
3 = Very small biometric database (i.e. criminal database) or plans for national database but not yet implemented
2 = Medium-sized biometric database
1 = Large or growing biometric database (or widespread database but with no fingerprints/iris scans – just photos)
0 = Most of the nation on a biometric database (including fingerprints, irises)
2 = No access (or no database to access)
1 = Some access but some restrictions (i.e.. only a criminal database available)
0 = Real-time, unwarranted police access to the database
4 = No mention of facial recognition technology
3 = Increasing CCTV use with facial recognition perhaps being mentioned
2 = Testing facial recognition CCTV or some minimal evidence of use
1 = Evidence of facial recognition CCTV in multiple places
0 = Nationwide with a number of extreme cases
4 = The use of biometrics is banned
3 = Biometrics are protected by multiple safeguards and employee consent isn’t enough for employers to use them
2 = Fewer safeguards to protect biometrics (or safeguards that aren’t specific to the workplace) and consent is enough
1 = Very few safeguards/cases of excessive use
0 = No safeguards
Visa Entry to Country
4 = No visa required
3 = Few countries require a visa (less than 100)
2 = A large majority of countries require a visa (over 100)
1 = Most countries require a visa (only less than 20 don’t)
0 = All countries require a visa (or with one or two exceptions)
Biometrics in Visa
2 = No biometrics in visas
1 = Some visas require biometrics
0 = All visas require biometrics (or only 1 or 2 countries excluded)
Biometric Checks Upon Entry
2 = No biometrics are taken when people enter the country
1 = Some biometric checks when entering the country (e.g. visa applicants or citizens)
0 = Everyone is biometrically checked when entering the country
While we have tried to cover as many areas of biometrics as possible, there may be some limitations. To ensure a fairer country-by-country comparison we have focused on more common categories/areas where data is more readily available. For example, we haven’t included drones as, at present, many are only in military operations or are still being discussed as a potential test in a small number of countries.
If a law has been passed and is coming into place next year, we have scored the country based on this as it is going to happen and will be enforced. We have scored countries based on national laws so as to account for the majority of people (i.e. we haven’t taken state or city laws into account in the US as these relate to the minority).
For biometric voter registration, biometrics might not be required per se but you will need to use your biometric ID card to vote (in which case, the system is classed as being a biometric one as these are essential for citizens to vote).
Facial recognition may be used in airports but this isn’t scored if it’s just for check-ins.
To find this data, we analyzed a variety of information, including government legislation, news articles, press releases, and government information. For a full list of sources for each country, please see the following documents:
For the full list of sources, please request access here.
Data researchers: Charlotte Bond, Rebecca Moody