As digital technologies and artificial intelligence advance rapidly, biometric data has become a central element in identification and authentication systems. Biometric identifiers, such as fingerprints, iris scans, and DNA, represent unique biological characteristics that cannot be replicated. These identifiers are widely used across healthcare, finance, and government systems.
The irreplaceable nature of biometric data and its use for accessing sensitive systems make its protection paramount.
However, increased reliance on biometric data also raises risks of commercial exploitation and misuse, particularly in today’s digital and AI-driven environment. A notable case in Indonesia involved Worldcoin’s collection and sale of retina data in Bekasi, West Java, which sparked public concern over privacy and personal data security. Many individuals were unaware that retina data constitutes sensitive personal identity information. Misuse of such data can lead not only to privacy violations but also identity theft and unauthorized access to critical services.
What Constitutes Biometric Data?
According to the Indonesian Personal Data Protection Portal, biometric data is defined as personal information derived from physical, physiological, or behavioral characteristics that allow unique identification of an individual. The European Union’s GDPR similarly defines biometric data as:
“Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”
Unlike ordinary personal data (e.g., name or address), biometric data is permanent and non-replicable. Once captured, it cannot be changed like a password or PIN. Common types of biometric data include:
- Fingerprint: Unique patterns at the fingertips, used in security and authentication.
- Iris and retina scans: Microscopic patterns in the eye used in high-security systems.
- DNA: Comprehensive genetic information representing an individual’s biological identity.
- Facial recognition: Used to unlock devices or access services.
- Voice and speech patterns: Utilized for voice verification in banking and virtual assistants.
The core characteristic of biometric data is its uniqueness. Even identical twins have different iris and fingerprint patterns. Its immutable nature makes it highly valuable but vulnerable to misuse.
Why Iris and Retina Data Must Be Protected
Iris and retina data are considered high-risk biometric data. Iris scanning technology is used for airport security, banking authentication, and sensitive identification systems. However, the benefits also carry significant risks if misused.
In May 2025, residents in Bekasi, West Java, were offered financial compensation in exchange for providing their iris and retina data to Worldcoin and World ID, a blockchain-based global digital identity project founded by the CEO of OpenAI. The Indonesian Ministry of Communication and Digital Affairs temporarily suspended the service due to privacy concerns and potential misuse of biometric data.
Key characteristics of iris and retina data include:
- Unique and non-replicable: Iris patterns are lifelong and one-of-a-kind.
- Used in high-security systems: The military, banking, and hospital patient identification.
- Cannot be changed: Unlike passwords, leaked data cannot be “reset.”
- Vulnerable to tracking and surveillance: Iris recognition can enable real-time monitoring without consent.
Misuse of biometric data threatens privacy, enables identity theft, facilitates medical discrimination, and may violate human rights.
Legal Framework for Biometric Data Protection in Indonesia
Indonesia’s Personal Data Protection Law (UU No. 27 of 2022 – UU PDP) provides the legal foundation for safeguarding personal and biometric data. Under Article 4 paragraph 2 point b UU PDP, biometric data is classified as specific personal data:
“Data related to physical, physiological, or behavioral characteristics of an individual that enable unique identification, such as facial images or dactyloscopic data. This includes but is not limited to fingerprints, retina scans, and DNA samples.”
Because biometric data is sensitive and unique, processing it requires stricter safeguards than general personal data.
Article 20 paragraph 2 of UU PDP mandates explicit consent from data subjects before processing specific personal data, including biometric data.
Article 21 of UU PDP requires that data subjects receive comprehensive information regarding:
- Legality of data processing;
- Purpose of processing;
- Types and relevance of personal data collected;
- Data retention period;
- Details of information collected;
- Duration of processing;
- Rights of data subjects;
The unique, irreplaceable nature of biometric data, combined with its use in vital systems, underscores the need for robust legal protection and ethical management. Misuse risks include identity theft, unauthorized tracking, and commercial exploitation.
The UU PDP establishes a legal framework ensuring transparent, consent-based processing of biometric data. Protection involves not only regulatory compliance but also public digital literacy and industry accountability. Educating individuals about biometric data’s value and risks, while requiring ethical collection and usage by service providers, helps safeguard every individual’s biological identity in the digital era.
Collaboration between law, technology, and public awareness is key to ensuring that biometric identities remain secure, respected, and fully protected.
Regulations:
- Law Number 27 of 2022 on Personal Data Protection (Undang-Undang Nomor 27 Tahun 2022 tentang Perlindungan Data Pribadi, “UU PDP”)
References:
- Data Biometrik. Gerbang Perlindungan Data Pribadi. (Accessed 6 September 2025 at 13:02 WIB).
- Apa Itu Worldcoin? Proyek Kripto yang Dibekukan Sementara oleh Komdigi. Katadata. (Accessed 6 September 2025 at 13:17 WIB).
- Jadi Data Biometrik, Pahami Bahaya Jual-Beli Informasi Iris dan Retina Mata. Kontan. (Accessed 6 September 2025 at 14:08 WIB).