THE INTRODUCTION TO BIOMETRIC DATA AND PRIVACY CONCERNS
Biometric data is derived from unique physical or behavioural features, such as fingerprints, facial geometry, iris patterns, and voice. Its use in law enforcement, immigration, banking, and even day-to-day smartphone unlocking places privacy and data protection at the forefront of contemporary verification systems.
Biometric data collection and use have numerous advantages in terms of improved security, fraud prevention, and streamlined procedures. However, biometric information is especially sensitive because it is inseparable from an individual’s identity. Unlike a password or PIN, which can be changed after a security breach, biometric data cannot easily be changed; this makes it an attractive target for cyber attackers and for anyone intending to misuse such information. Systems that rely on biometrics also raise concerns about consent, surveillance, and possible discrimination or bias.
The legal landscape for biometric data is changing very fast, with different jurisdictions attempting to regulate this space differently. This blog discusses the legal considerations of gathering and using biometric data, focussing on the challenges involved in balancing innovation with privacy protection and the possible need for a uniform system of regulation.
LEGAL FRAMEWORK GOVERNING BIOMETRIC DATA
At the international level, there are no specific treaties or conventions that exclusively address biometric data. General data protection principles do apply, however, in particular those enshrined in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data 1980.[1] The Guidelines set out the basics of consent, purpose limitation, and security safeguards for the handling of personal data, all of which apply directly to biometric information.
Standards from the International Organization for Standardization also address the security and privacy of biometric data, providing guidelines on its secure management and processing. These standards are designed to minimise the risks associated with biometric systems, including unauthorised access, data breaches, and misuse of information.
THE EUROPEAN UNION: A MODEL ON BIOMETRIC DATA PROTECTION
The European Union has been at the forefront of regulating biometric data with the General Data Protection Regulation that came into force in 2018. According to the GDPR, biometric data is a special category of personal data with strict conditions for processing. Under Article 9 of the GDPR,[2] the processing of biometric data to uniquely identify a natural person is prohibited, except under conditions like explicit consent or necessity for the performance of obligations in the field of employment law.[3]
Under the GDPR, data controllers and processors are required to apply appropriate technical and organisational measures to protect biometric data, in particular encryption and pseudonymisation.[4] The regulation also grants individuals rights over their biometric data, including the rights to access, rectify, or erase information about themselves and to object to its processing.
One of the leading cases related to biometric data within the EU is the Schrems II case, in which the CJEU struck down the EU-US Privacy Shield over concerns about the protection of European citizens’ data, including biometric data, in the United States.[5] The case established that data transferred to third countries must be guaranteed the same level of protection.
THE UNITED STATES: A PATCHWORK OF STATE REGULATIONS
In contrast to the EU’s holistic approach, the legal regime governing biometric data in the United States is fragmented, with regulation taking place mostly at the state level. In 2008, Illinois became the first state to legislate in this area by passing the Biometric Information Privacy Act (BIPA).[6] The Act prohibits private entities from collecting biometric data without the individual’s prior consent and requires them to disclose the purpose for which the data will be used and the period for which it will be retained, and to protect it.
BIPA also creates a private right of action, under which individuals can sue companies for violations. This has led to numerous lawsuits, leaving companies liable for heavy fines and settlements. For example, in Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court held that a plaintiff need not demonstrate actual harm to file suit under BIPA, significantly lowering the threshold for bringing claims.[7]
Other states, such as Texas and Washington, have enacted similar biometric data laws, but these impose weaker requirements and lack a private right of action. The absence of federal legislation has created a patchwork of differing state laws, which presents a challenge for companies operating in multiple jurisdictions.
INDIA: UPCOMING BIOMETRICS DATA REGULATION
The regulation of biometric data in India has been heavily influenced by the country’s Aadhaar program, the largest biometric ID system in the world. The Aadhaar Act 2016 lays down the process for collecting, storing, and using biometric data in order to issue unique identification numbers to residents.[8] However, the system has faced various legal setbacks, especially where privacy rights are concerned.
In the landmark judgment of Justice K.S. Puttaswamy (Retd.) v. Union of India,[9] which dealt with the constitutionality of Aadhaar, the Supreme Court ruled that the scheme was constitutional but that its use should be subject to very tight restrictions. The Court held that Aadhaar may only be used for a limited set of purposes, including welfare benefits, and that individuals’ biometric data must be held securely and kept safe from unauthorised access.
The Personal Data Protection Bill, 2019,[10] which is pending in the Indian Parliament, sets out a comprehensive data protection regime that includes provisions specific to biometric data. Under the Bill, biometric data is classified as sensitive personal data, which requires specific consent for processing together with stringent safeguards for every type of data in that category.
THE DIFFICULTY WITH CONSENT AND INFORMED USE
Probably one of the biggest legal issues concerning the collection and later use of biometric data is the guarantee of informed consent. Unlike traditional forms of personal data, by its very nature, biometric data is sensitive and directly related to the individual. Consequently, the threshold for consent has to be very high.
The concern is that most people do not understand what giving out their biometric data means or what it may lead to, particularly when it is collected for seemingly innocuous purposes, such as unlocking a smartphone or gaining access to a secure building. This heightens the concern about whether the mechanisms in place actually deliver informed consent and make people aware of how their data will be used, stored, and safeguarded.
Moreover, the expanding use of biometric data in both the public and private sectors has raised issues of surveillance and the potential for misuse. For example, the use of facial recognition by law enforcement has prompted intense debate over whether the trade-off between security and privacy is justified and over how the technology is actually being used.[11]
CONCLUSION: A UNIFIED LEGAL FRAMEWORK
As biometric data becomes more and more integrated into everyday life, the legal issues arising from its collection and use will only grow more complex. While the EU in particular has a relatively well-thought-out legal regime protecting biometric data, other countries, such as the United States, have regulated in a piecemeal manner, leaving inconsistencies and gaps in protection.
To counter these problems, there will be a growing need for a unified legal framework with clear and consistent standards for the collection, use, and protection of biometric data. Such a framework should be founded on informed consent, transparency, and security, while ensuring that individuals’ rights are properly protected.
Put simply, the law needs to adapt to changing biometric technologies in order to address new risks and challenges. This transformation brings to light several issues: consent, surveillance, discrimination, and misuse of biometric data, amongst a host of other concerns.
At the same time, businesses and organisations that collect and use biometric information will have to walk a fine line between extracting value from the technology and protecting the privacy of the individuals concerned. Organisations can build trust with users and reduce legal risk by, for instance, obtaining informed consent, applying adequate security measures, and being transparent about how data is used.
Author(s) Name: Suhani Jain (Faculty of Law, Jagran Lakecity University, Bhopal)
References:
[1] OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)
[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2016] OJ L119/1, art 9
[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2016] OJ L119/1 (GDPR), art 9
[4] GDPR, art 32
[5] Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd [2020] ECLI:EU:C:2020:559 (Schrems II)
[6] Biometric Information Privacy Act, 740 ILCS 14 (2008)
[7] Rosenbach v Six Flags Entertainment Corp 2019 IL 123186, 129 NE3d 1197 (Ill)
[8] Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016 (India)
[9] Justice K.S. Puttaswamy (Retd.) v Union of India (2018) 1 SCC 809
[10] Personal Data Protection Bill, 2019 (India)
[11] Woodrow Hartzog and Evan Selinger, ‘Facial Recognition Is the Perfect Tool for Oppression’ [2018] 9 Boston Globe