Biometric data: 50 countries ranked by how they’re collecting it and what they’re doing with it

From passport photos to accessing bank accounts with fingerprints, the use of biometrics is growing at an exponential rate. And while using your fingerprint may be easier than typing in a password, just how far is too far when it comes to biometric use, and what’s happening to your biometric data once it’s collected, especially where governments are concerned?

Here at Comparitech, we’ve updated our biometric data study to include 96 countries. We’ve found out where biometrics are being taken, what they’re being taken for, and how they’re being stored, while also exploring the latest biometric updates amid the ongoing pandemic.

There is huge scope for biometric data collection, so we have identified eight key areas that apply to most countries (so as to offer a fair country-by-country comparison and to ensure the data is available). Each country has been scored out of 31, with low scores indicating extensive and invasive use of biometrics and/or surveillance and a high score demonstrating better restrictions and regulations regarding biometric use and surveillance. Then, to see how current biometric use for COVID-19 purposes affects a country’s score, we’ve deducted a point for each area biometrics have been introduced as an emergency control measure (six areas in total).

While China topping the list perhaps doesn’t come as too much of a surprise, residents of (and travelers to) other countries may be surprised and concerned at the extent of biometric information that is being collected on them and what is happening to it afterward.

Key findings

• Many countries collect travelers’ biometric data, often through visas or biometric checks at airports
• The vast majority of countries we studied use biometrics for bank accounts, e.g. fingerprints to access online app data and/or to confirm identities within the banks themselves
• Despite many countries recognizing biometric data as sensitive, increased biometric use is widely accepted
• Facial recognition CCTV is being implemented in a large number of countries or at least being tested
• EU countries scored better overall than non-EU countries due to GDPR regulations protecting the use of biometrics in the workplace (to some extent)
• Many of the top-scoring countries don’t necessarily receive their high scores for “best practices” but because they are developing nations that haven’t moved toward technology-based solutions in certain areas

Top 5 worst countries for biometric data collection and use

These countries received the lowest scores overall, meaning they are showing a concerning lack of regard for the privacy of people’s biometric data. Through the collection, use, and storage of biometric data, these countries use biometrics to a severe and invasive extent.

1. China = 2/31

China only managed to score two points – one for its lack of a biometric voting system and one for its allowance of passport holders from Singapore, Brunei, and Japan to enter the country visa-free for up to 15 days. Its score for not having a biometric voting system also comes with a little irony as the voting system is very heavily controlled, which perhaps rids the need for biometric voting.

Some key areas for concern in China are:

• Its extensive nationwide biometric database is being expanded to include DNA.
• Its widespread and invasive use of facial recognition technology in CCTV cameras. As our previous study, Surveillance States, found, facial recognition cameras are now being used to track and monitor the country’s Muslim minority, Uighurs, among other things.
• Its lack of safeguards for employees in the workplace. Companies have even been permitted to monitor employees’ brain waves for productivity while they’re at work.
• Fingerprints of anyone entering China are taken.

Some may have hoped that China’s draft personal information protection law would help improve its biometric use. But genetic and biometric data is excluded from the definitions and from within the law.

2. Costa Rica = 3/31

Costa Rica only receives 3 points as it is only just beginning to implement facial recognition within the country and it allows a small number of countries to enter visa-free.

Particularly concerning is Costa Rica’s two new national biometric databases. One will include every Costa Rican over the age of 12 and the other every foreigner that enters the country. Police also have full access and both will help facilitate the upcoming facial recognition systems.

At present, the data protection law in Costa Rica doesn’t protect biometric use or recognize biometrics as sensitive data.

3. Iran = 5/31

With widespread use of facial recognition, which is also linked to a biometric database and is accessible by the police, Iran’s use of biometrics is extensive and invasive. It also lacks adequate protections for the use of biometrics and the collection of traveler biometrics is on a large-scale, too.

4. USA, Saudi Arabia, United Arab Emirates, Bangladesh, the Philippines and Uganda = 6/31

The biggest shock in the bottom 5 is the United States, which ranks as one of the fourth-worst countries for biometric data collection and use. This year, it remains fourth-worst, despite a further 45 countries being included in the study this time.

Most concerning is its lack of a specific law to protect citizens’ biometrics. While there is a handful of state laws that protect state residents’ biometrics (as can be seen in our state privacy study), this does leave many US citizens’ biometrics exposed as there is no federal law in place. And this is despite the widespread and growing use of facial recognition in public places, biometrics within the workplace, and fingerprints for visas.

It’s a similar picture in all of the other fourth-worst countries, with large biometric databases with police access, inadequate or no legislation to safeguard biometric use, and growing/extensive facial recognition use.

5. Iraq and Malaysia = 7/31

Both of these countries have biometrics within their passports, ID cards, and a large biometric database with police access. Neither have a data protection law that considers the use of biometrics and facial recognition CCTV is also largely implemented in these countries.

Top 5 countries for protecting biometric data (to some extent)

While no country provides unwavering protection for its citizens’ biometric data, there are some countries that either haven’t introduced invasive biometric collections or have some safeguards in place. These are:

1. Turkmenistan = 25/31

While Turkmenistan’s appearance at the top of our study may be a surprise, this is likely due to lack of development within the country. For example, no known biometric database exists and the use of CCTV with facial recognition isn’t known. These are two heavy-scoring areas which help boost Turkmenistan’s score. However, we shouldn’t let this detract from the fact that Turkmenistan, unlike many other countries, has a data protection law in place which recognizes biometric data as sensitive data. This helps safeguard citizens’, travelers’, and employees’ data from abuse.

2. Ethiopia = 22/31

Similar to Turkmenistan, Ethiopia’s score comes from its lack of biometric use across many sectors. Facial recognition CCTV isn’t known to be in use and while there is a biometric database this is limited to refugees and isn’t used for law enforcement purposes. Nevertheless, Ethiopia does lack adequate legislative protection for biometrics, so if biometric use were to grow in the country, data protection laws would need introducing to safeguard these.

3. Azerbaijan and Bahrain = 20/31

Neither of these countries have biometric databases and Azerbaijan isn’t implementing widespread use of facial recognition CCTV. Both have legislation which safeguards the use of biometrics. However, Azerbaijan requires biometrics for visa applicants and Bahrain continues to implement widespread use of facial recognition cameras.

4. Portugal and Ireland = 21/31

Both Portugal and Ireland have laws in place to protect biometrics, with Portuguese law also forbidding the implementation of a biometric database. Portuguese citizens’ biometric data may be taken for ID cards but these biometrics are destroyed straight afterward. Only citizens of some countries require visas to enter these counties but these visas may require biometrics (Portugal is part of the Schengen area, for example).

5. Guatemala, Luxembourg, Paraguay, Poland, Romania, Tunisia, and the United Kingdom = 17/31

A large number of countries tie in fifth place. This is primarily due to few (if any) biometric requirements upon entering the country, no national biometric databases, and no extensive use of CCTV with facial recognition. That said, there are areas of concern. These include the growing use of facial recognition CCTV in Tunisia, and a lack of protective legislation in Guatemala, Paraguay, and Tunisia.

Biometric data use for COVID-19 control

Another hugely concerning trend is the use of biometric data under the guise of COVID-19 control. To see how each country’s score would change, we looked at how they’re using biometrics to control the spread of COVID-19.

Interestingly, the rankings don’t change too much as the countries found to have the worst biometric data practices tend to have implemented (or are looking to implement) the most biometric controls for the pandemic.

For example, China is using drones with facial recognition to monitor people outside their homes during lockdowns, has installed tablets at the front of buses to take peoples’ temperatures and a photo of their forehead, and is looking at facial recognition technology that works without a mask.

With the same number of biometric introductions as China (3), the United States is running a trial in Seattle for palm-scanning payments through Amazon’s One scanner, is looking at fever detection cameras, and is developing facial recognition technology that will work with masks in airports.

The country with the worst number of facial recognition technologies in use/being developed for the pandemic is the United Kingdom. Its rank drops from 16 to 12 if we consider its four possible facial recognition developments. These are the possible introduction of facial recognition in “quarantine hotels” to make sure people remain in isolation, the use of health passports to create digital certificate/immunity passports, the development of high-resolution cameras that can detect fevers and carry out profiling, and the potential use of biometrics (DNA/fingerprints) upon entry into the country and the extension of their retainment.

Methodology

Our research focused on the top 100 countries by GDP. Macau, Nepal, Puerto Rico, and Qatar were removed due to lack of data.

To give countries a score out of 31 we created 8 categories. Lower scores indicate more biometric intrusion than higher ones (please note: this is a change on 2019’s study which had these scores in reverse. This has been altered for more clarity).

The first category was a simple set of five yes or no questions. Yes answers were allocated one point as they indicated the use of biometrics in a certain area (or lack of protection by law), and no answers were given a zero as no biometrics were being collected (or they were being protected by a specific law).

These questions were:

1. Are biometrics used in passports? Yes (0) / No (1)
2. Does the national ID card contain biometrics? Yes (0) / No (1)
3. Has the country failed to introduce a law to protect biometric data? Yes (0) / No (1) – If biometric data is covered in personal data protection legislation, this is classed as “no.” But if a law partially covers biometric data (e.g. an industry-specific or digital-only law), this is classed as “yes.”
4. Are biometrics being used in banks (inc. trials)? Yes (0) / No (1)
5. Is biometric voter registration being used to a large extent? Yes (0) / No (1)

The next few categories were assigned various scores depending on the severity of biometric use/collection/access.

Storage

4 = No biometric database

3 = Very small biometric database (i.e. criminal database)

2 = Medium-sized biometric database

1 = Large or growing biometric database (or widespread database but with no fingerprints/iris scans – just photos)

0 = Most of the nation on a biometric database (including fingerprints, irises)

Police Access

3 = No access (or no database to access)

2 = Only allowed access under strict conditions

1 = Some access but some restrictions (i.e.. only a criminal database available)

0 = Full police access to database

CCTV

5 = None or very little CCTV in use

4 = Increasing CCTV use with facial recognition perhaps being mentioned

3 = Testing facial recognition CCTV

2 = Starting to implement facial recognition CCTV in multiple places

1 = Most places using facial recognition CCTV and some extreme cases (e.g. being used to monitor certain groups of people)

0 = Nationwide with a number of extreme cases

Workplace

5 = The use of biometrics is banned

4 = Biometrics may be used but only in extreme cases (i.e. for access to ultra-sensitive information)

3 = Biometrics are protected by multiple safeguards and employee consent isn’t enough for employers to use them

2 = Fewer safeguards to protect biometrics (or safeguards that aren’t specific to the workplace) and consent is enough

1 = Very few safeguards/cases of excessive use

0 = No safeguards

Visa Entry to Country

4 = No visa required

3 = Few countries require a visa

2 = Some countries require a visa

1 = Most countries require a visa

0 = All countries require a visa (or with one or two exceptions)

Biometrics in Visa

2 = No biometrics in visas

1 = Some visas require biometrics

0 = All visas require biometrics (or only 1 or 2 countries excluded)

Biometric Checks Upon Entry

3 = No biometrics are taken when people enter the country

2 = Some biometric checks for people entering the country (this excludes citizens or is for citizens only and includes upcoming biometric checks, i.e. for Schengen areas)

1 = Some biometric checks when entering the country (inc. citizens)

0 = Everyone is biometrically checked when entering the country

COVID-19 Biometric Developments

To see how a country’s score would change when we take into account new measures implemented to try and control COVID-19 breakouts, we looked at how biometrics are being used across several different areas. A point was deducted for every category introduced/proposed. These scores were not included in the main study but a separate total score and ranking was given to show how a country’s score/rank changes with these measures.

The categories are:

• To enforce lockdown rules – Yes (-1), No (0)
• For medical usage – Yes (-1), No (0)
• For contactless payments – Yes (-1), No (0)
• Facial recognition to track people – Yes (-1), No (0) – further point deducted if it works without a mask (-1)
• For border control – Yes (-1), No (0)
• To introduce new technologies (robots with integrated facial recognition technology) – Yes (-1), No (0)

While we have tried to cover as many areas of biometrics as possible, there may be some limitations. To ensure a fairer country-by-country comparison we have focused on more common categories/areas where data is more readily available. For example, we haven’t included drones as, at present, many are only in military operations or are still being discussed as a potential test in a small number of countries.

If a law has been passed and is coming into place next year, we have scored the country based on this as it is going to happen and will be enforced. We have scored countries based on national laws so as to account for the majority of people (i.e. we haven’t taken state or city laws into account in the US as these relate to the minority).

For biometric voter registration, biometrics might not be required per se but you will need to use your biometric ID card to vote (in which case, the system is classed as being a biometric one as these are essential for citizens to vote).

Facial recognition may be used in airports but this isn’t scored if it’s just for check-ins.

To find this data, we analyzed a variety of information, including government legislation, news articles, press releases, and government information. For a full list of sources for each country, please see the following documents:

For the full list of sources, see here: https://docs.google.com/spreadsheets/d/1eUk-ECPY5iwCMknugoDvjwNj2RaeTxb0C_pvfDZCRRY/edit?usp=sharing