An independent legal review of the laws and regulations concerning technologies used to recognise and identify biometric data has concluded that the current system is ‘not fit for purpose’ and identified an ‘urgent need’ to update existing legislation. The review (available to view here), commissioned by the Ada Lovelace Institute and led by Matthew Ryder QC, found that the lack of a ‘single overarching legal framework for the management of biometric data’, combined with the ‘overlapping and fragmented nature of oversight’, has resulted in ‘substantial invasions’ of the right to privacy across public and private sector institutions.
‘The protection of our fundamental rights in relation to biometric data is a complex area which lawmakers and regulators must not delegate to others, or allow public or private authorities to avoid merely by relying on purported public consent,’ argued Ryder in the foreword to his report. ‘Now more than ever, they have a responsibility to step up to protect the public from the harms and risks that the public themselves may not fully appreciate or even be aware of.’
Biometric data generally refers to personal information that can be uniquely identified based on a person’s body or behaviour, including characteristics relating to an individual’s face, fingerprints, walking style, tone of voice and other bodily measurements. Whilst the storing and processing of this data is often conducted for law enforcement purposes, the independent review noted that ‘further work is necessary on the topic of private-sector use of biometrics’.
The report cited two opinions relating to the use of live facial recognition in law enforcement and non-law-enforcement contexts published by the Information Commissioner’s Office, the data protection and freedom of information watchdog. It found that ‘a key issue raised, but not entirely resolved’ in the latter opinion was the question of who should be liable ‘for the use of badly designed biometric technology, and what burden is there on the user of that technology to make detailed enquiry of the vendor/manufacturer.’
‘If people are to have trust and confidence in the legitimate use of biometric technologies, the accountability framework needs to be comprehensive, consistent and coherent,’ said Professor Fraser Sampson from Sheffield Hallam University. Sampson currently serves as the Biometrics and Surveillance Camera Commissioner and is responsible for reviewing and advising the government on the retention and use of this data. ‘If we’re going to rely on the public’s implied consent, that framework will have to be much clearer.’
The duty on data controllers to manage biometric data in a reasonable, proportionate and non-discriminatory manner and in compliance with human rights and data protection obligations was identified by the review as being fundamental to the proposed new legal framework. ‘Many of the principles that we consider should form the basis of a new legislation find their origin in human rights and data protection law.’ ‘The most important existing duties are: (1) the obligation on public authorities not to violate rights protected by the Human Rights Act; (2) the obligation not to discriminate, directly or indirectly, and (for public authorities) to comply with the public sector equality duty; and (3) data processing obligations.’
‘When we talk about biometric technologies, we’re not talking about distant dystopias or science fiction. Biometric technologies are being used right now in all sorts of contexts and for all sorts of purposes,’ said the Director of the Ada Lovelace Institute Carly Kind. ‘This presents real ethical and legal risks, but the regulations simply haven’t kept pace with the technologies or public attitudes.’
‘Our three-year programme of research demonstrates that the public support stronger safeguards and the existing legal landscape is inadequate. The Government must take on this important issue and bring forward new primary legislation on biometrics.’