Think tank argues biometrics best regulated with risk-based approach

Biometrics regulation that protects against current and future risks without imposing unnecessary limitations is possible, with the right approach, a new report from the Centre for Information Policy Leadership contends.
CIPL is a U.S.-based global policy think tank within law firm Hunton Andrews Kurth LLP. Its members and participants include many of the world’s largest companies, particularly from digital technology sectors.
The 50-page “Enabling Beneficial and Safe Uses of Biometric Technology Through Risk-Based Regulations” sets out the organization’s position on what legislators, regulators and other policy-makers can do to get biometrics regulation right.
The report makes five key recommendations for policy-makers. Regulation of biometrics should be based on risk, and should “include strong accountability and data governance measures.” Risk and impact assessments, purpose limitation, effective redress and transparency mechanisms and data security practices contribute to that accountability and governance. Consistent definitions for biometric data and systems should be sought across jurisdictions, and tools like sandboxes should be offered to support responsible development and deployment. CIPL also offers a three-pronged approach to biometrics regulation, consisting of base laws on risk and proportionality, responsibilities for organizations to demonstrate their accountability, and responsive, constructive engagement with industry on regulation.
Stakeholder education is a key theme throughout the document.
CIPL reviews how biometrics work and the risks and concerns that go along with deployments of the technology. The legal landscape is reviewed, with a focus on the U.S., EU and UK, and challenges in the regulatory realm.
The most consequential legal and regulatory change of the past few years is legislation not specific to biometrics, but rather the EU’s AI Act. More regulation may be necessary to win broad public support for many applications of biometrics, however.
The differences in the current definitions, as well as in biometrics’ scope and technology across jurisdictions, are a significant challenge, CIPL says. Applying an appropriate legal basis for biometrics use is a key consideration for regulators, and at the same time, the technology is changing quickly, posing additional and potentially unforeseen challenges.
The last section before the conclusion delves into CIPL’s three-pronged, risk-based approach.
CIPL concludes that the appropriate role for biometrics regulation is not to allow or prohibit the technology’s use, but to allow the benefits, risks and risk mitigation measures to be compared to assess whether the technology is justified for the application.
“(A)ny regulatory framework for biometric technology should enable and require organizations to locate their specific use cases on a risk-benefits matrix and implement necessary and appropriate mitigations.”
This approach, CIPL writes, can guard against both over- and under-regulation of biometrics.