Like the old handwritten letters that carried promises and secrets only their recipients could truly understand, some principles never go out of fashion. Biometrics shares that spirit. It is a unique language that identifies us and, without care for privacy, it loses meaning. Speaking about biometrics without privacy by design (PbD) would be like sending an unsealed letter, open to anyone’s gaze.
What is privacy by design in biometrics?
The idea gained international recognition in 2009 at “Privacy by Design: The Definitive Workshop” and in 2010 at the Jerusalem Conference of Data Protection and Privacy Commissioners with the adoption of the Resolution on Privacy by Design. From that point, PbD moved from aspiration to global reference.
Within EU privacy law, the decisive step came with the GDPR, which in Article 25 requires controllers to implement appropriate technical and organisational measures by design and by default. This mandate connects directly with the GDPR’s core principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.
Applied to biometrics, PbD means:
- Putting people first, ensuring a secure and non-intrusive experience.
- Collecting only what is strictly necessary, avoiding unnecessary data accumulation.
- Offering user control, with transparency, easy revocation and deletion.
- Protecting every data point as a critical asset, with encryption, anonymisation and robust safeguards.
- Integrating privacy across the entire lifecycle.
The essential principles of PbD
Ann Cavoukian’s seven principles still guide responsible technology design:
- Proactivity, anticipating and preventing risks rather than reacting late.
- Privacy by default, protection enabled from the start without user tweaking.
- Privacy embedded into design, part of the core, not an add-on.
- Security and usability in balance, complementary rather than mutually exclusive.
- End-to-end protection, safeguards across the entire data lifecycle.
- Visibility and transparency, processes that are clear and auditable.
- Respect for the user, informed choices.
The legal and technical framework that sustains privacy by design
That evolution has crystallised into a framework that makes PbD a real requirement. Regulations, standards and independent evaluations set out how biometric systems should be designed and deployed to ensure privacy and trust from the outset.
| Reference | Implications for biometrics and privacy |
|---|---|
| GDPR (Article 25) | Establishes data protection by design and by default. Each biometric processing activity must limit collection, reduce retention and restrict access to what is strictly necessary. |
| AI Act | Requires conformity assessments, risk management and transparency. |
| eIDAS 2 (2024/1183) | Strengthens user control over digital identity through certified wallets, enabling selective disclosure of attributes (e.g., proving age) without oversharing. |
| ISO/IEC 30107-3 | Presentation Attack Detection (PAD) ensures photos, videos or masks cannot fool the system. |
| ISO/IEC 24745 | Biometric template protection principles, ensuring irreversibility, unlinkability and renewability. |
| NIST FRVT | Independent evaluations of facial recognition accuracy and bias, a practical check on performance and fairness. |
Privacy as a technical backbone of biometrics
Compliance matters, but technology makes privacy by design in biometrics tangible. Over the past fifteen years, research has delivered privacy-preserving mechanisms without sacrificing usability. Biometric template protection avoids storing raw faces or voices, replacing them with irreversible mathematical references. Advanced cryptography, such as homomorphic encryption, enables verification without exposing the originals. Renewable Biometric References (RBRs) allow new templates to be generated from the same features in the event of exposure. Multimodal biometrics combines features to strengthen security without multiplying risk. And beyond techniques, PbD demands responsible, verifiable governance with ongoing oversight, audits and bias assessments, so protections and fairness do not erode over time.
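To make the three ISO/IEC 24745 properties (irreversibility, unlinkability, renewability) concrete, here is an added toy example, not Mobbeel's code or a production scheme: a BioHashing-style cancelable template built from key-seeded random projections and sign binarisation. The feature vectors, keys and the 25% match threshold are constructed for illustration; a real deployment would take features from a model, keep the key separate from the stored template, and tune thresholds on evaluation data.

```python
import hashlib
import math
import random

N_BITS = 128        # length of the protected binary template
THRESHOLD = 0.25    # max Hamming fraction accepted as a match (assumed value)


def _rng_from_key(user_key: bytes, label: bytes) -> random.Random:
    """Deterministic RNG from a per-user secret: reproducible for the
    legitimate holder, unknown to anyone without the key."""
    seed = int.from_bytes(hashlib.sha256(user_key + label).digest(), "big")
    return random.Random(seed)


def protect(features, user_key: bytes, n_bits: int = N_BITS):
    """Project real-valued features onto key-derived Gaussian rows and keep
    only the sign. The sign step is many-to-one (irreversibility); a new key
    gives statistically unrelated bits (unlinkability, renewability)."""
    rng = _rng_from_key(user_key, b"projection")
    bits = []
    for _ in range(n_bits):
        row = [rng.gauss(0.0, 1.0) for _ in features]
        bits.append(1 if sum(r * f for r, f in zip(row, features)) > 0 else 0)
    return bits


def hamming_fraction(a, b) -> float:
    return sum(x != y for x, y in zip(a, b)) / len(a)


def verify(stored_template, probe_features, user_key: bytes,
           threshold: float = THRESHOLD) -> bool:
    """Protect the live sample with the same key and compare in the protected
    domain only; the raw probe never needs to be stored."""
    return hamming_fraction(stored_template, protect(probe_features, user_key)) <= threshold


# Constructed sample data: a 64-d "face" vector, a noisy re-capture of it and an
# unrelated person's vector. Placeholder keys stand in for per-user secrets.
ENROLLED = [math.sin(0.7 * i) for i in range(64)]
_noise = random.Random(7)
PROBE = [f + _noise.gauss(0.0, 0.1) for f in ENROLLED]
IMPOSTOR = [math.cos(1.3 * i) for i in range(64)]
KEY_V1 = b"user42-secret-v1"
KEY_V2 = b"user42-secret-v2"   # issued when the v1 template is assumed exposed

if __name__ == "__main__":
    t1 = protect(ENROLLED, KEY_V1)
    t2 = protect(ENROLLED, KEY_V2)                      # renewal after exposure
    print("genuine :", verify(t1, PROBE, KEY_V1))       # True
    print("impostor:", verify(t1, IMPOSTOR, KEY_V1))    # False
    print("v1 vs v2 Hamming fraction:", hamming_fraction(t1, t2))  # about 0.5
    print("renewed :", verify(t2, PROBE, KEY_V2))       # True
```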
Trust, the new luxury
PbD does not end with principles, laws or techniques. Everything points in one direction: building trust. That trust determines whether biometrics is seen as a safeguard or as a threat.
Trust is scarce. It cannot be bought or imposed; it is built step by step. When biometrics feels intrusive, it creates distance. When it is born from privacy, it creates closeness. What makes the difference is how principles are applied, with transparent use, control in the hands of the individual and assurances that endure. The real value of a biometric solution is not only accuracy; it is the certainty that a person’s identity remains theirs. That is the test of whether a company’s biometrics serves people or works against them.
How Mobbeel looks after users’ information
At Mobbeel we prefer coherence over slogans. Every decision starts from the same premise: protect identity and sustain trust.
That is how we understand privacy by design in biometrics, not as a label, but as a lived commitment that runs through our solutions and is felt in every interaction.
Text us if you are interested in digital identity verification solutions built with privacy by design in biometrics, from day one.

I am a curious mind with knowledge of laws, marketing, and business. A word alchemist, deeply in love with neuromarketing and copywriting, who helps Mobbeel to keep growing.