Turkish Law Blog
1. What is the Biometric Signature?
A biometric signature basically is defined as a method for the signing of electronic documents based on the handwritten signature using a tablet, computer screen, or similar electronic devices. Following handwriting, the signature transforms to a simple PDF document and your biometric signature is ready! Besides, it is possible to add any evidence of signing such as biometric signature data, timestamp, location, IP information, photo, ID picture, handwriting.
During the verification/signing process of the biometric signature, the software and the pencil used for handwriting signature analyze the shape, speed, blow, pencil printing, timing. As a result of this analysis, the program creates a unique PDF document which is your biometric signature. After the handwritten signing process, the document is stamped in itself. This method ensures security and proves that the signature has not been changed.
2. Where can We Use Biometric Signatures?
With technological developments and increasing digitalization, the use of biometric signatures become more preferable. Currently, the popular using areas of biometric signatures are as follows;
- Banking and Insurance Sector (i.e. account opening, bank loan approvals, sale of insurance products, credit card applications, all kinds of cancellation transactions.)
- Hospital Sector (i.e. patient acceptance or discharge approvals, work permits of patients or relatives)
- Rental Sector (i.e. car rental home rental, device rental, hotel services, travel agencies)
- Service Sector (i.e. water, electricity, natural gas subscriptions)
3. How We Ensure Biometric Signature Security?
The owner of a biometric signature can be determined clearly with the analysis of the document. Contrary to wet signatures, there is no need for long and complex examinations as we familiar with criminal investigations.
The international standards of biometric signature established with ISO / IEC 19794-7: 2014. Chapter 7 of ISO / IEC 19794 regulates that the biometric signature parameters and its safe storage. However, methods for the storage of encrypted biometric signatures are still at the discretion of local regulations. Below are some methods commonly used under local regulations for security measures.
As a simplified definition, logging is the recording of electronic transactions. At the signing process, the logs should be kept as a record of the biometric signatures systematically for possible future disputes.
3.2. Time Stamp
The timing of the biometric signature can be precisely determined by a time stamp attached to the biometric signature. Contrary to the "age determination of ink” for timing determination of wet signatures, it bears much clearer conclusions.
In order to ensure the confidentiality, security, and integrity of the biometric signature, it is also recommended that appropriate encryption technology be used when storing the document of biometric signature like for the storage of any kind of electronic data.
3.4. Access Authority
It is necessary to determine the persons who will be authorized to access the environments, where a biometric signature is kept, and the scope of that persons' access authorization. Within this scope, it is important to keep a timestamped record of each access made to information systems.
4. What is the Status of Biometric Signatures under Turkish Law?
The legal status of biometric signatures has not regulated clearly under Turkish legislation. Therefore, the other legislations and provisions regarding signatures is the advisor for the validity and status of biometric signatures.
With the Electronic Signature Law (“EIK”) No. 5070 dated 2004, a number of issues based on signatures have been clarified and, also secure electronic signature has entered our lives. Article 5 of EIK titled Legal Result and Application Area of Secure Electronic Signature regulates that the electronic signature bears the same legal consequences with the handwritten signature.
Article 6 / 1 of Turkish Personal Data Protection Law no.6698 (“KVKK”), which is the only regulation under Turkish law regarding biometric data, accepts biometric data of a real person as “sensitive personal data”. However, biometric data is not defined in the definitions section of KVKK despite this acceptance.
5. What is the Status of Biometric Signature under European Law?
Unlike KVKK, the Article 4/14 of General Data Protection Regulation (“GDPR”) of the European Union defines the biometric data as follows:
“‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”
Electronic signatures have been identified and classified by the European Union Electronic Identity and Trust Services (“eIDAS”) No. 910/2014. This regulation classifies electronic signatures as follows;
5. a. Simple Electronic Signature
This is the most basic electronic signature type. Scanned signature icons, such as “I accept”, can be given as an example for Simple Electronic Signatures.
5. b. Advanced Electronic Signature
This requires a unique link between the signature and the signer. Biometric signatures are also an example of an advanced electronic signature group.
5. c. Qualified Electronic Signature
This is a type of signature which is accepted as “Secure Electronic Signature” under Turkish legislation. Qualified electronic signatures are the only type of electronic signature that is legally equivalent to a wet signature, which is government bonded and provided with certificates.
Relating to the matter, Article 25 of eIDAS titled Legal Qualification states that an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures. In other words, an electronic signature is considered as absolute evidence regardless of its type, but it is not accepted as a qualified signature only according to eIDAS.
Biometric signatures have an increasing popularity and usage day by day due to the digitalization of transactions. The strong link between the signer and biometric signature provides clarification to the possible disputes. However, as also must for in any electronic transaction, biometric signatures should be made more secure with the measures stated above.
Unfortunately, a biometric signature is a gray area currently under Turkish Law. It is still expecting a specific regulation in the foreseeable future.