Legal issues around facial biometrics use examined in U.S., Canada, and UK
The use of biometrics, and facial recognition in particular, will be discussed by representatives of several U.S. government departments at a hearing on the privacy, civil rights and civil liberties by the House Homeland Security Committee on Thursday, February 6.
Officials from the Department of Commerce, Customs and Border Protection (CBP), and its parent agency the Department of Homeland Services (DHS) will address the committee as part of a hearing it calls “About Face: Examining the Department of Homeland Security’s Use of Facial Recognition and Other Biometric Technologies, Part II.”
Agencies in government elsewhere in the U.S. and around the world are considering or resisting changes to the legal frameworks facial recognition operates in.
Canadian provinces address biometrics use
The government of Canadian province Prince Edward’s Island says it will attempt to increase transparency around its use of the technology, after privacy commissioners from all four Atlantic Canadian provinces, including P.E.I., expressed concern about the use of facial recognition for driver’s license applications, the CBC reports.
P.E.I.’s Department of Transportation says it does not share biometric data with other provinces, but applicants for the photo ID are scanned to catch attempts at identity theft and by suspended drivers to obtain new licenses, and the four provinces switched to a central system for license issuing in 2017. The biometric checks are only made against the same province’s own database.
The Transportation Minister for the province Steven Myers said on Twitter that facial recognition has been used since 2007, and P.E.I.’s Privacy Commissioner said the government should have informed residents about its use. Myers said the technology has caught some attempts at driver’s license fraud.
Amendments to the island province’s Highway Traffic Act to make the biometrics use clear is expected in the spring.
Scottish opposition proposes image retention limit
Liberal Democrats in Scotland are calling for all images of innocent people held in police’s facial biometric database to be purged from the system, Planet Radio reports.
A freedom of information request from the party led to the discovery of 375,305 images supplied to the national database since 2014. The party introduced an amendment to the proposed Scottish Biometrics Commissioner Bill to mandate that photos of innocent people be deleted after three years. That duration would line up facial recognition rules with those for DNA and fingerprints.
The amendment was proposed by Liam McArthur, who says the volume of images being sent to the database shows how important the technology is to police, but is also startling, and innocent people’s data should not be held permanently. Police Scotland Detective Chief Superintendent Sean Scott told a Holyrood Justice Committee meeting that a presumption of deletion is “absolutely right,” according to Planet Radio. Another police representative noted that the rules for facial recognition are not as clear as for other biometrics, and clarity would be welcomed.
South Carolina law proposal includes private right of action
A bill has been introduced in South Carolina’s General Assembly proposing a take middle ground among existing biometric privacy laws, according to the Security, Privacy and the Law blog from law firm Foley Hoag.
The South Carolina Biometric Data Privacy Act contains less stringent requirements than those of Illinois’ Biometric Information Privacy Act (BIPA), only requiring companies to delete biometric information at the request of the data subject, rather than at the earlier conclusion of two specified periods, and only barring the sale of biometric information at the request of the subject.
A private right of action, which may be the most contentious provision in BIPA, and different from regulations in Texas and Washington, are included in the South Carolina bill. The South Carolina bill also proposes a broad definition of biometric data, which includes keystroke dynamics and other behavioral measures.
A number of other states have proposed legislation specific to biometric data, but none of enacted such laws so far.
The bill, which would add a chapter to existing privacy law, is currently with the House Judiciary Committee.
Former NYPD Commissioner slams proposal
Former NYPD Commissioner Bill Bratton went to bat against the proposal in the state legislature to ban the use of facial recognition by the department on a recent talk show, calling it “insane,” according to the NY Post.
“Being quite frank with you, I don’t think they know much about facial recognition or the current state of it,” Bratton said, claiming the technology keeps innocent people out of jail by providing a check against unreliable eyewitness testimony.
Bratton also said law enforcement is willing to support regulation, in principle.
“Let’s talk about it, let’s discuss it, debate it,” Bratton said. “Facial recognition is exploding in the private sector, whether or not the Senate wants to ban it for police, which is asinine in my perspective, the private sector is going to develop and use it. It’s here and it’s going to expand and that’s the reality of it.”
Bratton’s comments largely echo those of current Commissioner Dermot Shae, when he spoke recently at the Police Foundation breakfast. Shae also acknowledged some issues with how the technology is perceived and communicated about.
“Some technology scares people and I think we can’t be blind to that,” he said. “It’s about transparency and telling people our intentions and our policy. When you invoke facial recognition and 100 different people will have 100 different images in their mind of what that means.”
UK Minister says legal changes unnecessary
UK policing minister Kit Malthouse does not see any imminent need to change the legal framework supporting police’s use of facial recognition, PublicTechnology.net reports.
London’s Metropolitan Police Service is planning to launch facial recognition to operational use at several locations around the city following a series of trials.
Labour MP Kevan Jones asked whether new laws would be needed to regulate the technology with the UK leaving the EU, and was told by Malthouse that a recent decision by Wales’ high court shows the legal framework in England and Wales is “clear and sufficient.”
“This framework, which includes the common law powers available to a constable for the purpose of preventing or detecting crime, Part 3 of the Data Protection Act 2018, the Human Rights Act and the Surveillance Camera Code, will not change as a result of the UK leaving the EU,” Malthouse says.
The decision to move forward with the technology under the existing framework was challenged by the country’s Information and Biometrics Commissioners, who pointed out the Wales court’s decision was narrowly applied to the instance challenged in the suit.
Malthouse also says the use of live facial recognition technology by private sector organizations is governed by the Data Protection Act 2018 and the General Data Protection Regulation, which impose strict obligations.