*Image credit: The Verge. Copyright © 2022 The Verge.
Over time, calls for the regulation of FRTs have intensified due to growing concerns around their potential misuse by public and private actors, which threaten the enjoyment of fundamental civil liberties. Thus far, there has been a diversity of approaches to regulating FRTs worldwide. For example, in such jurisdictions as the United States of America (USA) and the European Union (EU), the regulation of FRTs has been pursued primarily through legislative instruments, whereas in countries like China, judicial intervention has been the principal means of regulating FRTs. What follows is a concise snapshot of the varied regulatory approaches taken in the jurisdictions mentioned above.
The United States of America
Across the USA, the deployment of FRTs has been banned in sixteen (16) cities. Between 2019 and 2020, various bills were introduced but never passed, including the Commercial Facial Recognition Privacy Act, the Ethical Use of Facial Recognition Act, and the Facial Recognition, and the Biometric Technology Act. Since October 2021, there has been mounting pressure on Congress (i.e., the legislative branch of the US federal government) to implement legislation to comprehensively the deployment of FRTs. To date, Congress has taken no action on the issue.
In the absence of congressional action, a “patchwork” of legislative acts has been leveraged to regulate the deployment of FRTs. The Biometric Information Privacy Act (BIPA) is one such example. The BIPA requires that private entities notify seeking to use consumers’ biometric information first inform them that their data has been collected. Additionally, the BIPA prohibits the disclosure of collected biometric data in the absence of consent. Companies are also prohibited from selling or otherwise profiting from the sale of consumers’ biometric data, and consumers have a right of action against non-compliant companies. Another example is the “biometric identifier information” law that was passed in New York. That law effectively requires businesses to disclose their FRT use to customers with “clear and conspicuous” signage, “prohibits the sale of biometric identifier information,” and grants consumers a private right of action in respect of its disclosure requirement.
The final example is the California Consumer Privacy Act (CCPA) -- a data privacy law regulating businesses’ use of personal information. Under the CCPA, “personal information” includes biometric data, and, quite significantly in the context of the present discussion, it guarantees consumers a bundle of rights concerning the processing of biometric data. In particular, it empowers consumers to request access to their data, opt out of the sale of their data, and also request that their data be deleted. The CCPA applies specifically to businesses with annual revenues of over $25 million, receive the personal information of 50,000 or more consumers annually, or collect more than 137 people’s personal information daily. Accordingly, such businesses must inform consumers if they are collecting biometric information and provide them with that information where they request access. In addition, businesses selling biometric data must provide a mechanism for consumers to opt-out of the sale of their personal information, including biometric data.
The European Union
Except for Belgium and Luxembourg, where the deployment of FRTs is banned, remote biometric identification systems--including facial recognition-- in publicly accessible spaces are prevalent across the EU. In those EU member states where FRTs are utilized, legislative instruments are the primary means of regulating them. The GDPR offers opportunities, albeit limited, for the regulation of FRTs through Article 9(1), which imposes a general prohibition against the processing of personal data that “reveals biometric data for the purpose of uniquely identifying a natural person.” However, a particularly significant exception to the operation of that provision is outlined in Article 9(2), which excludes the operation of Article 9(1) where “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law…” It is therefore conceivable that this exception would be invoked as a justificatory basis for processing biometric data using FRTs.
While it is yet to be passed, the Artificial Intelligence Act (AIA) proposes to regulate the utilization of FRTs. Article 5(1)(d) of the proposed legislation effectively prohibits the use of “real-time” biometric identification systems in publicly accessible spaces for law enforcement purposes. However, the AIA has been criticized on several grounds. One such ground is that it provides too many exceptions that can be used as “loopholes” thereby undermining its efficacy.
More recently, the European Data Protection Supervisor (EDPS) issued a statement calling for “a moratorium on the use of remote biometric identification systems--including facial recognition-- in publicly accessible spaces…” He stated further that ‘[t]he EDPS will continue to advocate for stricter approach to automated recognition in public spaces of human features--such as of faces but also of gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioral signals--whether these are used in a commercial or administrative context, or for law enforcement purposes’.
China
In China, the regulation of FRTs has primarily been pursued through judicial intervention. The first case to essentially challenge the legality of FRT use in China was filed by Guo Bing against the Hangzhou Safari Park Zoo after it replaced its finger-print-based admission system with a facial recognition system that collected and processed biometric data. Among other things, he argued that there was no legal basis for the zoo to collect visitors’ biometric data and that it had failed to put adequate measures in place to protect the biometric data it collected from visitors. The trial and appellate courts agreed that Mr. Bing deserved compensation and ordered the zoo to delete the biometric data it had collected from him. However, their respective decisions were premised on an apparent breach of contract resulting from the zoo’s decision to change its admission policy without prior notice to its customers.
More recently, China’s Supreme People’s Court published the “Provisions on Relevant Issues on the Application of Laws in Hearing Civil Cases Related to the Application of Facial Recognition Technology in Processing Personal Information” on July 27, 2021. The regulations empower consumers to reject the use of FRTs to verify their identity in order to gain access to a building or service, and mandate the provision of reasonable alternatives. The regulations also require businesses to seek and receive “explicit and independent” consent from customers to collect their biometric data for processing by FRTs. Once consent is obtained, a “purpose limitation” requirement will apply, and entities utilizing FRTs must implement effective data protection measures.
Regulation of FRTs in the Jamaican Context
In May, a local newspaper reported that the regulations required to operationalize the Data Protection Act (DPA) completely would be finalized by September. This is a significant development. Once finalized, the DPA regulations could be leveraged to regulate the FRTs reportedly being deployed locally. Guidance as to the most suitable means to achieve this ambitious but necessary objective can be gleaned from cross-jurisdictional approaches to regulating FRTs.
However, at a minimum, any mechanism established to regulate FRTs should impose certain transparency and accountability-oriented operational requirements.
To that end, the following minimum requirements should guide the operations of those actors reportedly deploying FRTs (including surveillance cameras equipped with facial recognition software) locally: 1. notice requirements- data subjects should be apprised of whether a commercial or other establishment is utilizing FRTs, and equally, whether consent to the collection of biometric data is a prerequisite for entry into the establishment; 2. consent requirements- clear, unequivocal and informed consent should be sought and obtained from data subjects before their biometric data is collected, stored, and ultimately processed by FRTs. Where such consent is obtained, data subjects should be made aware of the specific purpose(s) for which their biometric data are being and/or will be used. Additionally, reliance on bundled consent should be prohibited, and an appropriate opt-out mechanism should be provided to data subjects; 3. data minimization- biometric data collected from data subjects should not be used for any purpose which is incompatible with the original purpose(s) for which they were collected; 4. data protection safeguards- data protection safeguards should be implemented and continuously improved, particularly in light of the very sensitive nature of the personal data that would be collected, processed and stored by FRTs; and 5. prohibit the sale of biometric data- the sale of biometric data, particularly to law enforcement and commercial entities, should be strictly prohibited. Moreover, access to the biometric and other sensitive personal data collected and stored for processing by FRTs should be prohibited unless some vital interest (i.e. public health, public security, etc.) militates in favor of granting access to that personal data.
While the general utility of FRTs is acknowledged, their deployment--particularly in the absence of robust regulatory oversight--must be balanced against the imperative of safeguarding fundamental rights, particularly those to data protection and privacy. In light of this, the reported deployment of FRTs by law enforcement and other private actors in Jamaica warrants careful consideration and targeted action by the relevant stakeholders to establish an appropriate regulatory regime.
Comments