Lacking or weak biometric data policies concern authorities and advocates in Europe, Australia
Concerns about the privacy and security of biometric data have prompted consultations between the European Commission and regional data protection authorities.
News that Clearview AI has scraped biometric data from social media platforms with global user bases, and that it plans to extend its services to nine European countries has recently come to light, and EURACTIV reports that the company is not a member of the 2016 EU-US Privacy Shield. If Clearview harvested the data of European citizens, it may be in violation of the continent’s General Data Protection Rule (GDPR), which covers biometric data processing in Article 4 (14).
An EU executive spokesperson told EURACTIV that the matter is under investigation.
“These technologies don’t operate in a legal vacuum. The use of personal data falls under strict GDPR rules requiring well-defined legal basis and legitimate purposes, that the data subject is aware of the process and has means of redress and verification,” the official states, adding that the Commission is nearing completion of its proposals for a regulatory framework covering artificial intelligence, which may include “specific requirements for facial recognition.”
A European Data Protection Board official told EURACTIV that the board has not yet been engaged to investigate Clearview.
Ireland police and social protection department biometrics data policies controversial
A man in Ireland has won a lengthy legal battle with the Police Service of Northern Ireland (PSNI) over the force’s indefinite storage of his DNA, photo and fingerprints, BBC reports.
The European Court of Human Rights ruled that the storage of convict’s ID data violates human rights, and says a lack of safeguards in PSNI’s data policy was a decisive factor.
The complaint was brought by a man convicted of impaired driving in 2008. The court agreed with his claim that the indefinite data storage violated his right to privacy and was not proportionate to the offence. The court also noted that the UK is one of only a few jurisdictions in the Council of Europe that permits indefinite storage of DNA data.
PSNI are only permitted by policy to delete biometric data in exceptional circumstances, the court found.
The Northern Ireland Human Rights Commission welcomed the ruling, and says it has “engaged extensively and productively with the Police Service of Northern Ireland towards publishing a clear and public policy on the retention of biometric material, including provision for review.”
Biometrics are also being used by Ireland’s Department of Social Protection to identify cases of welfare fraud, raising concern among data protection experts, The Irish Times reports.
The controversial public services card (PSC) program includes facial recognition to match photographic images from different cards, according to an update of the program’s privacy statement.
The technology has been used to detect 220 cases of fraud, saving the government €4.74 million (US$5.14 million) since 2013, but experts question whether saving this amount is worth setting up a national biometric database.
IT also reports that Minister for Social Protection Regina Doherty has previously claimed the department does not hold biometric data, but only photographs. The department says that its position on biometric data processing has not changed, and that biometric templates are produced from PSC photos and used for internal processes.
Tasmanian biometric data transfer criticized
Private businesses will be able to access facial biometric data of Tasmanian people with the transfer of State drivers’ license data to Australia’s National Driver Licence Facial Recognition Solution (NDLFRS), The Advocate reports.
The transfer has been made through the Identity Matching Services operated by the Federal government, which says its face verification service may be used in the future by private sector organizations, with the consent of the individual. The face verification and face identification biometric services are yet to go live, as only Tasmania, Victoria, and South Australia have provided data so far.
Member of the Tasmanian House of Assembly for the Greens Cassy O’Connor said the government handed over the drivers’ license data without knowing how it will be used, and called on the government to delete it. A group of more than 1,000 people in the state made a group request to have their data removed, and Civil Liberties Australia state director Richard Griggs suggested that having not consented to the data transfer, their request is on solid legal ground.
The state’s Minister for Infrastructure, Michael Ferguson, said businesses do not have access to the data, and will be granted access only with a legislative basis.
The Federal government’s Identity-matching Services Bill 2019 was sent back to be redrafted by the Joint Committee on Intelligence and Security last October.