Biometric authentication is widely used today in various fields for verification of identity and its use has heightened to an unimaginable extent. Though the identification process of biometric security systems provides accuracy, it also acquires sensitive data that is vulnerable and can be misused. The usage of biometric data is not new but the uses have broadened over the years. Police have been using biometric data like fingerprinting, DNA tests, etc., for decades now. What is new is the usage of fingerprint to unlock gadgets, using the same for workplace management to keep a track of workers’ time log, etc,. Biometric Databases come along with disadvantages that are in par with its advantages. Biometric information which is categorised as personal information has to be protected and stringent regulations are required for the same as databases can be hacked and sensitive data can be mishandled. This is a significant issue as it is related to privacy, consent and other areas of importance.
Biometric Data
Biometric data captures a person’s physical or behavioural attributes to verify the person’s identity. It may include fingerprints, iris, facial patterns, voice, typing style, DNA, etc. These are the commonly used verification methods to allow a person to access devices and digital information. Biometric Data is considered to be accurate as the attributes of every person are unique and are less likely to change over a period of time.
Biometric Data is defined under Article 4 of General Data Protection Regulation (GDPR) as, means personal data ensued from technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.[1]
Regulation Of Biometric Data In India
Biometric information is included as Sensitive Personal data or information of a person according to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The said Rules lay out conditions regarding the regulation of Personal information and Sensitive data or information which includes biometric data. The rules state that “personal information” means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. Conditions laid down in India are that a body corporate requires written consent regarding collection and usage of biometric data and the entity cannot retain data collected once the purpose for it is fulfilled. Biometric data cannot be transferred without prior consent unless it is necessary for performance of a lawful contract between the entity and individual. Similarly for disclosure of data to a third party, the permission of the data subject is essential.
As per Section 2(g) of the Aadhaar (Targeted Delivery of Financial And Other Subsidies, Benefits and Services) Act, 2016 “biometric information” means photograph, finger print, iris scan, or such other biological attributes of an individual as may be specified by regulations. ‘Personal Data Protection Bill, 2018’ was proposed to replace the existing Information Technology Act, 2000 which introduces a Data Protection Authority that is required to give approval for cross-border data transfers.
Regulation Of Biometric Data In Other Countries
Around the world legislations regarding biometric information are either specifically devoted to deal with biometric information and its regulation or it is included under personal data to be interpreted with the existing laws. It has to be noted that countries use biometric information in various ways. Chinese police use sunglasses with built-in facial recognition.[2] Similarly, it is also used to detect drowsy drivers, to prevent theft, etc. The use of biometric data in places like Utah, California and Colorado are far from the rest as it requires driver license applicants to provide fingerprints.
United States
The prime regulation of use of biometric data for identification or authentication of a person in the United States is the guidelines furnished by the Federal Trade Commission (FTC) and the Department of Commerce National Telecommunications and Information Administration (NTIA).
The FTC overlooks the privacy and data security practices of companies in the United States and has issued general guidance about collection and use of biometric information for facial recognition technologies which is based on Fair Information Practice Principles.[3] For collection and analysis of biometric data, notice is a mandatory requirement and express consent is also needed prior to identifying an individual based on the biometric information alone (matching face geometry scan to tie the scan to another known person). It provides guidelines based on sensitivity of how information can be collected and used.
NTIA’s best practice recommendations issued by June 2016, includes transparency, management of data, restrictions of use, data quality and security and problem resolution.[4] The recommendation talks about how and why information can be collected and used and about sharing of information (only exception of sharing with unaffiliated third parties), but does not require notice or consent.
Illinois and Texas, two US states have specific conditions imposed on the collection, use, disclosure and security of biometric information. Illinois’ Biometric Privacy Act (BIPA)[5] requires prior notice, written consent, reasonable standard of care for protection of such information and retention & disclosure restrictions. It defines biometric information as ” based on an individual’s biometric identifier used to identify an individual.” Illinois’ law prohibits the collection of biometric data from students without parental consent and does not allow companies profiting from collection, use and sharing of biometric Data. The Act has stern restrictions on disclosure of data as it allows it only to a limited extent and also provides individuals with private right of action if they are harmed by violators of BIPA. The Texas law has similar limitations but does not require written consent.
European Union
As per European Union law biometric information falls under personal information and certain types of biometric data used to identify individuals are specified as sensitive personal data. The EU Data Protection Directive addresses the processing of personal data although it does not explicitly mention biometric data. It defines personal data as ‘any information relating to an identified or identifiable natural person.
Based on this definition, Article 29 Working Party(WP29) issues an opinion that biometric data is considered personal data as it can be used to identify a specific individual. It has to be taken into account that the consolidated identity register also contains biometric data. In accordance with Article 9 of Regulation 2016/679 and Articles 10 of Directive EU 2016/680 and of regulation 45/2001, the processing of biometric data for the purpose of uniquely identifying a natural person qualifies as processing of special categories of data and is only allowed under certain additional conditions.[6]
The opinion also further states that “biometric systems are tightly linked to a person because they can use a certain unique property of an individual for identification and/or authentication. Biometric data, by their very nature, are directly linked to an individual.”
However GDPR replaced this directive in 2018 and additional protections and restrictions are provided. The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. As per the regulation, ‘Personal data’ constitutes any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.[7] The regulation was put into effect on May 28, 2018. It has principles relating to processing of personal data and special categories of personal data, lawfulness of processing, conditions of consent, etc. Some data are considered particularly sensitive, including genetic and biometric data used for the purpose of uniquely identifying an individual and the GDPR prohibits the collection or use of such data, unless, in particular, the data subject has given his/her express consent (active, explicit and preferably written consent, which must be free, specific and informed).
https://lawaddiction.com/arogya-setu-right-to-health-v-right-to-privacy/
France
The biometric data law in France is similar to few other countries that make it a part of personal information. CNIL, Commission Nationale Informatique & Libertés, the French Data Protection Agency had amended its framework regarding authorization of biometric systems in the business sector recently. According to Article 9(4) of GDPR, CNIL had power to issue “standard regulations to ensure the security of personal data processing systems and to regulate the processing of , genetic data, biometric data and health data” and the French Data Protection Act, 1978 (FDPA) was thereby revised.[8]
Japan
In Japan, the Japanese Personal Data Protection Act is the law providing regulations and limitations on use and share of personal data.[9] The Act defines personal information to include “individual identification codes” (commonly referred by news articles to have biometric data such as facial recognition and fingerprints included) post expansion of the definitions under the Act. It was also determined by an expert panel that the definition of personal information has a wide interpretation that will allow the inclusion of information regarding an individual’s genome to be considered as personal information. The law limits the use and sharing of genomic information, which prevents disclosure of information about diseases though it could affect medica research and innovations.
Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA), is the law governing data protection and privacy concerns. Section 2(1) of the Personal Information Protection and Electronic Documents Act, 2000, states that “personal information” means “information about an identifiable individual.” The definition of personal information is given a wide interpretation. It was also clarified that ‘Information need not be recorded for it to constitute personal information. It is sufficient if the information is about an identifiable individual even if the information is not in a recorded form, such as oral conversations, biological samples and real time video surveillance.[10] Examples of personal information in the technological context include different forms of biometric information, such as fingerprints[11] and voiceprints.[12] It was also made clear that a photograph of a person’s home may constitute the personal information of that person.[13] Video surveillance capturing an individual’s physical image or movement[14] might also be considered as his or her personal information although it is not taped[15] since according to the definition of personal information in PIPEDA it is not necessary that information must be recorded.
Conclusion
The laws regarding Biometric Data or Information is often categorised as personal information and the collection, use, disclosure and transfer of the same is highly protected around the world. Biometric data is sensitive and unauthorised use of such data can put the privacy of individuals in stake. The growing use of biometric information is enormous and cannot be neglected as it seems to be the most accurate passcode and its uses can nearly outweigh its disadvantages. The need for stringent laws regarding biometric data is unavoidable in the present scenario.
References:
[1] The General Data Protection Regulation, 2016, art. 4 (14).
[2] Melissa Zhu, “What is facial recognition, and why is it more relevant than ever during the coronavirus pandemic?”, South China Morning Post, November 18, 2020 , available at: https://amp.scmp.com/tech/policy/article/3108742/what-facial-recognition-and-why-more-relevant-ever-during-covid-19 (last visited on 12th December, 2020).
[3] Federal Trade Commission, “FTC recommends best practices for companies that use facial recognition” October 22, 2012. available at:
https://www.ftc.gov/news-events/press-releases/2012/10/ftc-recommends-best-practices-companies-use-facial-recognition (last visited on 12th December, 2020).
[4] National Telecommunications and Information Administration, “NITA Seeks Comment on New Approach to Consumer Data Privacy”, September 25, 2018, available at: https://www.ntia.doc.gov/press-release/2018/ntia-seeks-comment-new-approach-consumer-data-privacy (last visited on 12th December, 2020).
[5] The Illinois’ Biometric Privacy Act, 2008, ss 10, 15, 20.
[6] Data Protection Directive, “Opinion on Commission proposals on establishing a framework for interoperability”April 23, 2018, available at: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=624198 (last visited on 12th December, 2020).
[7] Supra note 1 at 1.
[8] Commission Nationale Informatique & Libertés, the French Data Protection Act. 2018, available at: https://www.cnil.fr/en/home (last visited on 12th December, 2020).
[9] The Japanese Personal Data Protection Act, 2017.
[10] Morgan v. Alta Flights Inc. (2006) FCA 121, affirming (2005) FC 421.
[11] Law School Admission Council Investigation,”Privacy Commissioner’s Report of Findings”, May 29, 2008, available at: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-interpretation-bulletins/interpretations_02/ (last visited on 12th December, 2020).
[12] Wansink v. TELUS Communications Inc. (F.C.A.), (2007 FCA 21).
[13] Office of the Privacy Commissioner of Canada, “Photographing of tenants’ apartments without consent for insurance purposes” available at: https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2006/pipeda-2006-349/ (last visited on 12th December, 2020).
[14] Office of the Privacy Commissioner of Canada, “Bank erroneously e-mails employees’ personal information to client” available at:
https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2006/pipeda-2006-360/ (last visited on 12th December, 2020).
[15] Office of the Privacy Commissioner of Canada, “Video surveillance activities in a public place” available at:
https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2001/pipeda-2001-001/ (last visited on 12th December, 2020).
BY- AMRITHA BALAJI | SCHOOL OF LAW, SASTRA DEEMED TO BE UNIVERSITY