Biometrics by country

From passport photos to accessing bank accounts with fingerprints, the use of biometrics is growing at an exponential rate. And while using your fingerprint may be easier than typing in a password, just how far is too far when it comes to biometric use, and what’s happening to your biometric data once it’s collected, especially where governments are concerned?

Here at Comparitech, we’ve analyzed 50 different countries to find out where biometrics are being taken, what they’re being taken for, and how they’re being stored. While there is huge scope for biometric data collection, we have taken 5 key areas that apply to most countries (so as to offer a fair country-by-country comparison and to ensure the data is available). Each country has been scored out of 25, with high scores indicating extensive and invasive use of biometrics and/or surveillance and a low score demonstrating better restrictions and regulations regarding biometric use and surveillance.

While China topping the list perhaps doesn’t come as too much of a surprise, residents of (and travelers to) other countries may be surprised and concerned at the extent of biometric information that is being collected on them and what is happening to it afterward.

Key findings

  • Many countries collect travelers’ biometric data, often through visas or biometric checks at airports
  • Every country we studied is using biometrics for bank accounts, e.g. fingerprints to access online app data and/or to confirm identities within the banks themselves
  • Despite many countries recognizing biometric data as sensitive, increased biometric use is widely accepted
  • Facial recognition CCTV is being implemented in a large number of countries, or at least being tested
  • EU countries scored better overall than non-EU countries due to GDPR regulations protecting the use of biometrics in the workplace (to some extent)

Biometric use by country (EU and non-EU)

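EU

| Country | Passports | IDs | No laws | Banks | Voter Registration | Storage | CCTV | Workplace | Visas | Total |
|---|---|---|---|---|---|---|---|---|---|---|
| Estonia | 1 | 1 | 0 | 1 | 1 | 5 | 2 | 3 | 4 | 18 |
| France | 1 | 1 | 0 | 1 | 0 | 4 | 2 | 2 | 4 | 15 |
| Slovakia | 1 | 0 | 0 | 1 | 0 | 5 | 1 | 3 | 4 | 15 |
| Sweden | 1 | 1 | 0 | 1 | 0 | 3 | 3 | 2 | 4 | 15 |
| Finland | 1 | 1 | 0 | 1 | 0 | 3 | 2 | 3 | 4 | 15 |
| Germany | 1 | 1 | 0 | 1 | 0 | 4 | 2 | 2 | 4 | 15 |
| Hungary | 1 | 1 | 0 | 1 | 0 | 4 | 2 | 2 | 4 | 15 |
| Italy | 1 | 1 | 0 | 1 | 0 | 4 | 2 | 2 | 4 | 15 |
| Lithuania | 1 | 1 | 0 | 1 | 0 | 3 | 1 | 3 | 4 | 14 |
| Bulgaria | 1 | 1 | 0 | 1 | 0 | 4 | 2 | 3 | 2 | 14 |
| Latvia | 1 | 1 | 0 | 1 | 0 | 3 | 1 | 3 | 4 | 14 |
| Denmark | 1 | 0 | 0 | 1 | 0 | 3 | 1 | 3 | 4 | 13 |
| Malta | 1 | 0 | 0 | 1 | 0 | 3 | 1 | 3 | 4 | 13 |
| Netherlands | 1 | 0 | 0 | 1 | 0 | 3 | 3 | 1 | 4 | 13 |
| Greece | 1 | 0 | 0 | 1 | 0 | 3 | 1 | 3 | 4 | 13 |
| Czech Republic | 1 | 0 | 0 | 1 | 0 | 3 | 2 | 2 | 4 | 13 |
| Poland | 1 | 0 | 0 | 1 | 0 | 3 | 2 | 2 | 4 | 13 |
| Austria | 1 | 0 | 0 | 1 | 0 | 3 | 1 | 3 | 4 | 13 |
| Luxembourg | 1 | 0 | 0 | 1 | 0 | 3 | 1 | 3 | 4 | 13 |
| Belgium | 1 | 0 | 0 | 1 | 0 | 3 | 1 | 3 | 4 | 13 |
| Spain | 1 | 1 | 0 | 1 | 0 | 3 | 1 | 2 | 4 | 13 |
| Slovenia | 1 | 0 | 0 | 1 | 0 | 3 | 1 | 3 | 4 | 13 |
| Cyprus | 1 | 1 | 0 | 1 | 0 | 3 | 1 | 2 | 3 | 12 |
| UK | 1 | 0 | 0 | 1 | 0 | 3 | 2 | 2 | 3 | 12 |
| Romania | 1 | 0 | 0 | 1 | 0 | 3 | 2 | 3 | 2 | 12 |
| Ireland | 1 | 0 | 0 | 1 | 0 | 3 | 2 | 2 | 2 | 11 |
| Portugal | 1 | 1 | 0 | 1 | 1 | 0 | 1 | 2 | 4 | 11 |

Non-EU

| Country | Passports | IDs | No laws | Banks | Voter Registration | Storage | CCTV | Workplace | Visas | Total |
|---|---|---|---|---|---|---|---|---|---|---|
| China | 1 | 1 | 1 | 1 | 0 | 5 | 5 | 5 | 5 | 24 |
| Malaysia | 1 | 1 | 1 | 1 | 0 | 5 | 4 | 4 | 4 | 21 |
| Pakistan | 1 | 1 | 1 | 1 | 1 | 5 | 4 | 4 | 3 | 21 |
| US | 1 | 0 | 1 | 1 | 1 | 4 | 4 | 4 | 4 | 20 |
| Taiwan | 1 | 0 | 1 | 1 | 0 | 4 | 4 | 4 | 4 | 19 |
| Philippines | 1 | 1 | 1 | 1 | 1 | 4 | 2 | 4 | 4 | 19 |
| India | 1 | 1 | 0 | 1 | 1 | 4 | 4 | 3 | 4 | 19 |
| Indonesia | 1 | 1 | 1 | 1 | 1 | 5 | 3 | 4 | 2 | 19 |
| South Africa | 0 | 1 | 0 | 1 | 0 | 5 | 3 | 3 | 5 | 18 |
| Brazil | 1 | 1 | 0 | 1 | 1 | 5 | 3 | 3 | 3 | 18 |
| Singapore | 1 | 0 | 0 | 1 | 0 | 4 | 3 | 4 | 4 | 17 |
| Thailand | 1 | 1 | 0 | 1 | 1 | 4 | 3 | 3 | 3 | 17 |
| Nigeria | 1 | 1 | 1 | 1 | 1 | 4 | 1 | 3 | 4 | 17 |
| Argentina | 1 | 1 | 0 | 1 | 0 | 5 | 2 | 3 | 3 | 16 |
| Canada | 1 | 0 | 1 | 1 | 0 | 3 | 3 | 3 | 4 | 16 |
| Israel | 1 | 1 | 0 | 1 | 0 | 4 | 5 | 2 | 2 | 16 |
| Japan | 1 | 0 | 1 | 1 | 0 | 3 | 4 | 3 | 3 | 16 |
| Russia | 1 | 0 | 0 | 1 | 0 | 4 | 4 | 2 | 4 | 16 |
| Australia | 1 | 1 | 0 | 1 | 0 | 3 | 3 | 2 | 4 | 15 |
| Iceland | 1 | 1 | 0 | 1 | 0 | 3 | 1 | 3 | 4 | 14 |
| New Zealand | 1 | 0 | 1 | 1 | 0 | 3 | 1 | 3 | 4 | 14 |
| Norway | 1 | 1 | 0 | 1 | 0 | 3 | 1 | 2 | 4 | 13 |
| Switzerland | 1 | 0 | 0 | 1 | 0 | 3 | 1 | 2 | 4 | 12 |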

5 Worst Countries

These 5 countries received the highest scores overall, meaning they are showing a concerning lack of regard for the privacy of people’s biometric data. Through the collection, use, and storage of biometric data, these countries use biometrics to a severe and invasive extent.

| Rank | Country | Score |
|---|---|---|
| #1 | China | 24/25 |
| #2 | Malaysia | 21/25 |
| #3 | Pakistan | 21/25 |
| #4 | USA | 20/25 |
| #5 | India, Indonesia, The Philippines and Taiwan | 19/25 |

1. China = 24/25

China only managed to scrape back one mark for its lack of a biometric voting system. However, the voting system is very heavily controlled, which perhaps removes the need for biometric voting. It also scored maximum points across all of the other categories for:

  • Using biometrics in passports, ID cards, and bank accounts.
  • Not having a specific law to protect citizens’ biometrics.
  • Its extensive nationwide biometric database is currently being expanded to include DNA.
  • Its widespread and invasive use of facial recognition technology in CCTV cameras. As our previous study, Surveillance States, found, facial recognition cameras are now being used to track and monitor the country’s Muslim minority, Uighurs, among other things. Beijing is also trialing facial recognition technology at security checkpoints on the subway so it can divide travelers into groups, something they’re hoping to expand to include buses, taxis, and other travel services. And, at the time of writing, China has also introduced facial recognition checks for anyone getting a new mobile phone number.
  • Its lack of safeguards for employees in the workplace. Companies have even been permitted to monitor employees’ brain waves for productivity while they’re at work.
  • The majority of countries require a visa to enter China and all of the visas issued contain biometrics. Fingerprints of anyone entering China are also taken.

2. Malaysia = 21/25

Although Malaysia does fare a little better than China, it still scores poorly across all categories due to it:

  • Having biometrics in passports, ID cards, and bank accounts.
  • Not having a specific law to protect citizens’ biometrics.
  • Having multiple biometric databases that the police have access to.
  • Using facial recognition in CCTV across many areas. Police also use it in their body cameras.
  • Not having many protections in place regarding biometrics in the workplace, with some extensive use also being seen. This includes collecting biometrics to verify foreign workers’ identities.
  • Many countries require a visa to enter Malaysia and these visas contain biometrics. Foreigners’ biometrics are also collected when they enter the country.

3. Pakistan = 21/25

While Pakistan does have the same score as Malaysia, this isn’t due to heavy scoring across all categories. Rather, Pakistan does better when it comes to visas as not all visas contain biometrics and no fingerprints are taken when someone enters the country. However, it did score highly for:

  • Having biometrics in passports, ID cards, and bank accounts.
  • Having a biometric voting system.
  • Not having a specific law to protect citizens’ biometrics.
  • Using widespread facial recognition as part of its “Safe Cities” project.
  • Having no data protection law in place to safeguard employees’ biometrics.

4. United States = 20/25

The US scores highly in most areas due to:

  • Having biometrics in passports, ID cards, and bank accounts.
  • Having a biometric voting system (optical scan equipment used in a large number of states).
  • Not having a specific law to protect citizens’ biometrics. While there is a handful of state laws that protect state residents’ biometrics (as can be seen in our state privacy study), this does leave many US citizens’ biometrics exposed as there is no federal law in place.
  • Implementing the widespread use of facial recognition cameras with law enforcement pushing for further use in the identification of criminals. For example, the FBI and ICE have recently been criticized due to their use of facial recognition technology to scan drivers’ license photos without gaining the citizens’ consent beforehand. Equally, some city-level bans have been put in place with San Francisco (CA), Oakland (CA), Berkeley (CA), and Somerville (MA) banning government use of facial recognition technology.
  • The growing use of biometrics in the workplace. Many companies use employees’ biometrics for certain actions, e.g. using a fingerprint to gain access to a work computer. Again, some state laws offer a little more protection but this still leaves many employees’ biometrics exposed.
  • Fingerprints being required for most American visas and everyone’s fingerprints being collected upon entry to the country.

5. Taiwan, the Philippines, India, and Indonesia = 19

All four of these countries tie in fifth place with a score of 19 – and all four of these countries are located in Asia.

All of them score highly across most categories except for the Philippines’ CCTV use and Indonesia’s visas.

The Philippines is only talking about the use of facial recognition, but it scores highly in all other areas.

Indonesia lets citizens from a vast number of countries enter the country without a visa. Even when a visa is required, many don’t require biometrics. Nevertheless, Indonesia’s score is brought up by its national database of biometrics, which are taken from ID cards and include fingerprints.

India also has a national biometric database, the largest in the world. This is known as the Aadhaar. However, it avoids a maximum score because law enforcement isn’t permitted to access the database.

Taiwan’s national database of biometrics includes all citizens’ ID photos and features facial recognition technology, which is used by the police. Due to the absence of fingerprints in the database, however, it avoids an “extreme” score like Indonesia’s.

5 Best Countries

| Rank | Country | Score |
|---|---|---|
| #1 | Ireland | 11/25 |
| #2 | Portugal | 11/25 |
| #3 | Cyprus | 12/25 |
| #4 | UK | 12/25 |
| #5 | Romania | 12/25 |

1. Ireland = 11

Joint with Portugal, Ireland succeeds in protecting biometric data by only having a small database that includes criminal profiles and by having extra safeguards for employee biometric data (e.g. consent is not always enough, which goes beyond GDPR requirements). It also isn’t part of the Schengen Agreement, so it doesn’t take biometrics upon entry. As we have already seen, though, there are some doubts over Ireland’s use of facial recognition CCTV cameras, which are being called into question.

2. Portugal = 11

Portugal is the lowest-scoring country (along with Ireland).

In Portugal, biometric databases are prohibited. Therefore, this is the only country to earn a clean sheet in the storage section as there isn’t any form of biometric database. Portugal also scores well for its lack of facial recognition CCTV, protection of biometrics in the workplace, and law that helps protect citizens’ biometrics.

3. Cyprus = 12

Cyprus scores well because, as we have seen previously, it isn’t one of the Schengen countries so it won’t be part of the Entry/Exit System. And, unlike many EU-member countries, it won’t be taking part in the large centralized database. Facial recognition is not implemented in public areas and courts have protected employees’ biometrics within the workplace.

4. United Kingdom = 12

On the whole, the United Kingdom does well because it only has small biometric databases, e.g. one for criminals and one for non-UK citizens who enter the country, and it is governed by GDPR rules. Facial recognition CCTV is also something that seems to be governed well. For example, facial recognition technology was being used at King’s Cross Station but without prior notification (and thus consent). It has now been switched off and plans to develop it further have been placed on hold. It is also being tested in other areas but continues to meet ongoing protests.

5. Romania = 12

With the same score as Cyprus, Romania does particularly well due to its lack of facial recognition CCTV and the fact it isn’t yet part of the Schengen Agreement. However, it is worth noting that Romania is in talks to join, which would increase their score by at least 2 points as biometrics would then be collected upon entry to the country.

Despite most countries having areas of concern, these 5 countries appear to be proactively putting measures in place to try and protect certain areas of biometric data. And with the same score of 12, Switzerland should also be considered alongside our “best countries” section.

Switzerland = 12

Switzerland is the lowest-scoring of our non-EU countries due to it not having biometric ID cards, voting system, or facial recognition cameras in public areas. It has a specific law in place for biometrics, a criminal-only biometric database, and extra safeguards in place for employee biometrics. Switzerland is part of the Schengen Agreement, however, which means it will become part of the Entry/Exit system in 2020.

The European Union

As you will have noticed, no EU countries feature in the top five of this study. And only one scores 18 (Estonia).

Overall, these lower scores are due to the General Data Protection Regulation (GDPR) and its regulation of biometrics, especially in the workplace. No country scores over a 3 for this section as the GDPR law states, “processing biometric data for the purpose of uniquely identifying a natural person […] shall be prohibited.” But this doesn’t apply if “the data subject has given explicit consent” or if it is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment.”

In some cases, countries do score lower due to how they have interpreted the law, either within their own laws or in specific cases. For example, the Netherlands scores a 1 in this category (the only country to achieve this) as they have introduced even more safeguards. And they also ruled in favor of an employee who refused to provide their fingerprint for new cash registers that required a finger scan for authorization. The court ruled that there were less invasive options available and these should have been trialed first.

All EU countries scored 3 or less when it comes to CCTV. Some countries adopted facial recognition but only in certain areas or for specific events.

However, where most EU countries fall down is in the visa section.

Why?

In 2020, the Entry/Exit System will be implemented within the EU as part of the Schengen Agreement. It creates a vast biometric database spanning 28 countries, and each member country’s law enforcement will have access to it. This is alongside various other databases shared across Schengen member countries, including the Visa Information System (VIS), which already contains over 60 million visa applications and 40 million sets of fingerprints.

Bulgaria, Cyprus, the UK, Romania, and Ireland are not members of the Schengen Agreement, but there are talks in place for Cyprus and Romania to join. Furthermore, the UK’s position may change post-Brexit.

iBorderCtrl testing in Greece, Hungary, and Latvia

The EU has just finished testing iBorderCtrl (Intelligent Portable Control System) across the borders of these three countries. Essentially, it’s a lie detector test.

Travelers had to upload pictures of their visas and passports and provide proof of funds before using a webcam to answer questions from an animated border guard. The EU suggested this “deception detection” would analyze travelers’ micro gestures to ascertain whether or not the interviewee is lying. Any travelers who are flagged as high risk have to undergo more detailed checks at the border.

EU officials hoped that this testing phase would allow them to roll the technology out at most EU borders in the near future but we are awaiting confirmation on this.

Estonia = 18

Estonia is the worst-ranked EU country due to its high score across most categories (except CCTV) and its extremely poor 5/5 in the storage section. The latter is due to its nationwide biometric database, which contains a vast amount of information from prescriptions to banking details and education to bus tickets. All of this is accessed with fingerprints and creates a digital national ID card. Despite this database being decentralized and deemed to have some of the most advanced technology protecting it, the database does exist and parts are accessible by law enforcement.

France = 15

In 2016, France said it had plans to create a centralized database, Alicem, that will include biometrics from all passports and IDs. This is currently in the process of being rolled out but has now been altered to use facial recognition technology. (As this is still being implemented at the time of writing, and there is also some debate over its introduction and whether fingerprints will be included, we have held off a point).

The tool will give citizens access to a vast array of online services, e.g. health insurance, vehicle registration, and ID Cards, but to carry these out, facial recognition identification is required.

The French data protection agency, CNIL, has criticized Alicem, suggesting that an alternative to the facial recognition registration (e.g. someone signing up in person) should be offered. CNIL also raised concerns over the fact that connection history data is stored on the server for seven years.

Ireland = 11

Facial recognition cameras have been installed in some cities (for testing purposes) but this is contrary to Irish law. As a result, Ireland’s Data Protection Commissioner now intends to launch an investigation into the operation of these CCTV cameras as it is believed that data is being illegally gathered and held on citizens.

Other key areas for concern

Japan = 16

Japan is currently using facial recognition in a number of different ways (but doesn’t score full marks because it hasn’t been rolled out nationally as of yet). An example is the monitoring of gambling facilities so gambling addicts can be identified upon arrival and refused entry to the establishments. At present, only the gambling addict themselves or a loved one can request for their face to be added to the system.

Brazil = 18

Brazil is currently in the process of implementing a nationwide database (and as this is coming into place next year, this has been taken into consideration with our scoring). The database will include details of more than 200 million people and information “will be shared as widely as possible.” This information includes biometric details, iris, voice, facial format, and gait, which are already collected to form ID documents.

Methodology

To give countries a score out of 25 we created five categories. Higher scores indicate more biometric intrusion than lower ones.

The first category was a simple set of five yes or no questions. Yes answers were allocated one point as they indicated the use of biometrics in a certain area (or lack of protection by law), and no answers were given a zero as no biometrics were being collected (or they were being protected by a specific law).

These questions were:

  1. Are biometrics used in passports? Yes (1) / No (0)
  2. Does the national ID card contain biometrics? Yes (1) / No (0)
  3. Has the country failed to introduce a law to protect biometric data? Yes (1) / No (0)
  4. Are biometrics being used in banks? Yes (1) / No (0)
  5. Is biometric voter registration being used to a large extent? Yes (1) / No (0)

The next four categories were scored out of 5.

Storage

0 = No biometric database

1 = Very small biometric database (i.e. criminal database) with no police access

2 = Very small biometric database (i.e. criminal database) with police access

3 = Medium-sized biometric database with police access

4 = Most of the nation on a biometric database (no fingerprints) with police access

5 = Most of the nation on a biometric database (including fingerprints) with police access

CCTV

0 = No or very little CCTV in use

1 = Increasing CCTV use with facial recognition perhaps being mentioned

2 = Testing facial recognition CCTV

3 = Starting to implement facial recognition CCTV in multiple places

4 = Most places using facial recognition CCTV and some extreme cases (e.g. being used to monitor certain groups of people)

5 = Nationwide with a number of extreme cases

Workplace

0 = The use of biometrics is banned

1 = Biometrics may be used but only in extreme cases (i.e. for access to ultra-sensitive information)

2 = Biometrics are protected by multiple safeguards and employee consent isn’t enough for employers to use them

3 = Fewer safeguards to protect biometrics (or safeguards that aren’t specific to the workplace) and consent is enough

4 = Very few safeguards and some cases of excessive use

5 = No safeguards and cases of excessive use

Visas

0 = No visa required and no check when entering the country

1 = Few countries require a visa that doesn’t contain biometrics and no biometrics are taken when people enter the country

2 = Some countries (but not all) require a visa which does contain biometrics and there are some biometric checks for people entering the country (this excludes citizens)

3 = Some countries (but not all) require a visa which does contain biometrics and there are some biometric checks for those entering the country

4 = Most countries require a visa which does contain biometrics and there are some biometric checks when entering the country

5 = All countries require a visa which does contain biometrics and/or everyone is biometrically checked when entering the country

While we have tried to cover as many areas of biometrics as possible, there may be some limitations. To ensure a fairer country-by-country comparison we have focused on more common categories/areas where data is more readily available. For example, we haven’t included drones as, at present, many are only in military operations or are still being discussed as a potential test in a small number of countries.

If a law has been passed and is coming into place next year, we have scored the country based on this as it is going to happen and will be enforced. We have scored countries based on national laws so as to account for the majority of people (i.e. we haven’t taken state or city laws into account in the US as these relate to the minority).

For biometric voter registration, biometrics might not be required per se but you will need to use your biometric ID card to vote (in which case, the system is classed as being a biometric one as these are essential for citizens to vote).

Facial recognition may be used in airports but this isn’t scored if it’s just for check-ins.

To find this data, we analyzed a variety of information, including government legislation, news articles, press releases, and government information. For a full list of sources for each country, please see the following documents:

Biometrics by Country (non-EU) – sources and commentary

Biometrics by Country (EU) – sources and commentary

Biometrics Score Sheet