Application of state biometric data privacy laws for companies, feds debated
Differences between how biometrics use is treated in state and federal laws in the United States are behind motions to dismiss a biometric data privacy lawsuit, and a letter from a state Attorney General to federal agencies.
Microsoft and Amazon have filed motions in federal court to dismiss claims against them under Illinois’ Biometric Information Privacy Act (BIPA), stating that the law does not apply to the situation, MediaPost reports. Amazon says the evidence clearly shows any relevant activity took place outside of the state, while Microsoft separately argues that it did not collect any biometrics in Illinois.
The suit is over the Tech Giants’ use of IBM’s Diversity in Faces dataset, with the plaintiffs alleging their biometric data was collected without consent.
Microsoft and Amazon have previously argued that the suit should be dismissed due to a lack of jurisdiction over activities outside the state. District Court Judge James Robart declined to dismiss the suit, but indicated that the court may return to the question in the future.
Each company now claims that evidence revealed since that March hearing shows any potential actions in violation of BIPA occurred outside of Illinois. Researchers for the companies in Washington and Georgia downloaded or accessed the biometric database, and neither firm ended up using it.
Because Congress is the only entity with jurisdiction over interstate commerce, the companies say, Illinois law cannot be applied to their actions in this case.
Vermont Attorney General seeks answers from DHS
Meanwhile in Vermont, Attorney General TJ Donovan has written Customs and Border Protection (CBP) and the Department of Homeland Security (DHS) to enquire about the use of Clearview AI by the agencies within the state.
Vermont’s Consumer Protection Act and Data Broker law place a range of restrictions on the use of biometrics, and Donovan has already brought legal action against Clearview under them. The suit survived a motion of dismissal last year, though the court struck down a two claims, one that the company had violated the Data Broker Law.
In a letter dated December 13, Donovan writes that CBP’s final agency action on proposed Remote Video Surveillance Towers neglects privacy issues he raised in a previous letter.
Donovan asks the agencies to confirm and describe how they are using Clearview’s facial recognition in the state, and all current and planned uses that could affect Vermonters.
Clearview is also facing further pressure from a trio of provincial data protection authorities in Canada, which have ordered the company to comply with the recommendations of a joint investigation along with the national Privacy Commissioner which concluded earlier this year.
The authorities of Quebec, British Columbia and Alberta are demanding Clearview cease offering its technology in the three provinces, “stop collecting, using and disclosing images” from the provinces, and delete its images and biometric data collected from their residents.
The Privacy Commissioner of Canada does not have order-making powers under the country’s Personal Information Protection and Electronic Documents Act (PIPEDA), but the provincial authorities can issue legally binding provincial orders. Recent changes in Quebec, along with proposals in BC and Ontario, increase the penalties and other mechanisms at the disposal of privacy protection authorities.