Consent or Coercion? A Comparative Legal Analysis of Biometric Data Practices in Digital Banking Systems
DOI: https://doi.org/10.15294/ipmhi.v5i1.28731
Keywords: Personal Data Privacy, Biometric, Technology Law
Abstract
The digital revolution in the financial sector has accelerated the adoption of biometric technology as an authentication method, offering greater security and efficiency compared to traditional password or PIN-based systems. Biometric technology leverages unique physical or behavioral characteristics—such as fingerprints, facial patterns, and voice recognition—making it highly resistant to forgery. However, the use of biometrics introduces a fundamental paradox between enhanced security and the risk to personal privacy, as biometric data is immutable and, if compromised, the consequences are permanent and irreversible.
Indonesia has addressed these challenges through the enactment of Law No. 27 of 2022 on Personal Data Protection (PDP Law), which classifies biometric data as specific personal data requiring explicit, written, and revocable consent. Despite this legal framework, implementation remains challenging due to the lack of sector-specific regulations and limited regulatory oversight. Comparatively, the European Union’s GDPR sets a high standard for biometric data protection, emphasizing explicit consent, data minimization, and strong enforcement. The United States adopts a sectoral approach, with state laws such as Illinois’ BIPA imposing strict requirements and significant liabilities.
A central concern is whether consent obtained from consumers in banking truly meets legal standards, given the power imbalance between institutions and users. This study employs a normative juridical and comparative approach to analyze regulatory frameworks in Indonesia, the EU, and the US, identifying best practices and recommending improvements for biometric data protection in banking.








