Ecosystems approach to biometrics can plug regulatory gaps, WPF argues

The regulatory holes and risks that accompany today’s laws for biometric technology will require a holistic ecosystem perspective with a framework using the chemical safety model that can properly address the technology, says a paper in the March 2022 issue of Turkish Policy Quarterly.

The article, titled, ‘Regulating and harmonizing biometric ecosystems: Addressing the full spectrum of risks using global safety models and controls,’ is authored by Pam Dixon, the executive director of the World Privacy Forum.

Dixon notes the speed at which biometric technology is advancing past policy remedies, with risks from algorithms and hardware, and controversies over racial, gender, and age bias being no longer theoretical, but tangibly felt. Rather than ascribe these problems to individual failures of a modality, Dixon argues that it is critical to contextualize the field as a “complete ecosystem of multiple biometrics.” As biometric systems tend to collate various types of biometrics into one system (e.g., iris and fingerprint), focusing on a single modality leads to incomplete and fragmented regulatory frameworks to address these concerns.

Analyzing the more than 145 jurisdictions that have passed some form of national-level data governance and protection frameworks regulation, Dixon notes the prevalence of generalized language for biometric data protection. For example, the EU’s General Data Protection Regulation (GDPR) does not specify a specific biometric like face recognition and does not address multi-modal concerns. On the other hand, other jurisdictions lack a “mature legislative model” as they focus on the modality of face recognition, iris, fingerprint, or DNA.

Another key problem she points to is how policy tools are incomplete. Principles for responsible use, the utilization of consent mechanisms as a control, and bans or moratoriums are specified as important, but not sufficient on their own. U.S. regulations often concentrate on single biometric modalities and use consent as a “primary tool utilized for protection.” But, as Dixon states, consent without procedural or administrative controls offers “quite poor protections” against biometrics risks. The lack of sophistication in regulation will lead to regulatory havoc and gaps in protections, she concludes, and unsustainable policy strategies for biometrics.

Dixon also discussed how a loophole in the U.S. is moving biometric data collected in schools outside of consent rules in a 2020 interview with Biometric Update.

Presented in contrast with the current state of biometric regulation as both sufficiently broad and specific, Dixon recommends the chemical safety model as a blueprint for the biometrics industry to adopt. As the chemical industry is built “according to a common framework, use the same definitions, are fit for each jurisdiction, and are also harmonized globally while respecting jurisdictional contexts,” Dixon argues it is an ideal model to borrow from.

“The rich, adaptable, comprehensive, and yet granular chemical safety models in use today provide a pathway to move biometric regulation away from the fragmented and ineffective current practices that rely on consent, bans, and single-modality regulations,” she says.

Chemical safety regulation models can offer procedural and administrative controls while being flexible enough to recognize individual cases, she says. Looking at how lead and arsenic are regulated, Dixon finds that the toxic elements are regulated under the same framework but with differing protections and cut-off points, given their toxicological differences. Chemical safety is overseen by the World Health Organization and the United Nations, two multilateral organizations that can harmonize with national-level frameworks. The UN offers a program called the Globally Harmonized System of Classification and Labelling of Chemicals (GHS) that standardizes chemical safety across all jurisdictions, which helps orchestrate risk mitigation strategies and labelling internationally as well.

Dixon envisions an umbrella for biometric modalities to be subjected to administrative and procedural controls. This would entail biometric products being assessed for pre-market safety, quality, and other risks. With facial recognition systems, this means the product would have to pass rigorous testing to ensure it does not discriminate for age, gender, and race biases. Then the biometric product would be registered, labelled, and required to submit documentation to regulators, which would avail regulators of audits, a post-implementation market surveillance and documentation program. Safety certificates, proactive proof of compliance, an ongoing review of biometric products, consumer and end-user feedback, as well as formal complaint mechanisms, would be enforced.

Dixon lists specific chemical safety regulatory models that are in use that showcase how a biometric regulatory regime would function. The EU’s Regulation on Registration, Evaluation, Authorization and Restriction of Chemicals (REACH) applies to every chemical product manufactured, imported, or sold within the EU. The law requires manufacturers and importers to register all substances produced above a set yearly volume, identify risks associated with the substances they produce, demonstrate compliance in mitigating the risks, and establish safe use guidelines for the product so that the use of the substance does not pose a health threat.

Other laws to draw influence from include the Chemical Safety for the 21st Century Act, a U.S. federal statute; India’s National Action Plan for Chemicals; and various regulations in African nations like Algeria, Cameroon, and Ethiopia.

“It is essential that complex biometric ecosystems are regulated consistently, comprehensively, and in a manner that is harmonized across jurisdictions so that biometrics are not subject to fragmentation that results in inconsistent or weak data governance, security, and privacy protections,” Dixon concludes. “Biometrics, as a technology of concern, merits high levels of attention to administrative and procedural controls, as well as a focus on harmonization on key aspects of regulation, such as agreement on definitions.”

Article Topics

biometrics  |  data protection  |  legislation  |  privacy  |  regulation  |  standards  |  World Privacy Forum