A recent report commissioned by the UK’s Ada Lovelace Institute (the Ryder Review) concludes that the current legal framework governing biometrics “is not fit for purpose, has not kept pace with technological advances and does not make clear when and how biometrics can be used, or the processes that should be followed.”

The Ryder Review calls for a new biometric-specific law, echoing the views of some major industry players such as Microsoft: It has called for specific legislation on facial recognition technology because the ‘use of facial recognition technology could unleash mass surveillance on an unprecedented scale’ and a clear legal framework would avoid a commercial race to the bottom on rights by creating a level playing field. 

What is biometric data?

Mark Twain in his memoir about life as a steamboat pilot, Life on the Mississippi, published in 1883, was the first writer to use the device of fingerprints to detect and prove a murderer’s identity - ten years ahead of real world detectives.

Other common forms of biometrics are a person’s fingerprints DNA, iris scans, voice recognition and facial recognition. However, big data analysis is allowing for new forms of biometrics, such as behavioural traits like gait analysis or key-stroke analysis.

The Ryder Review gives some examples of use of these new forms of biometric data:

• a recent EU-funded development of a border control system called iBorderCtrl deployed biometric classification to detect deception based on facial recognition technology and the measurement of, what was termed, “biomarkers of deceit”.
• a major accounting firm developed a facial recognition tool to check whether remote workers left their screens. The tool was developed for clients in the financial sector with strict compliance requirements, presumably to avoid information leaks or backroom deals during the pandemic, but it raised concerns about its intrusiveness and its potential to be used by employers for other purposes.

A cautionary tale

The Ryder Review starts by noting that “more than 20 years ago, English law took a wrong turn in relation to the regulation of biometric data [and] that misstep took over a decade to rectify, and the law surrounding biometric data has struggled to stay current and effective ever since.”

In 1998, the DNA of a man accused of burglary was inadvertently retained by the police, contrary to law. The DNA was later used to identify and convict the same man for a horrific rape and assault that might otherwise never have been detected.

In 2001, as a direct result of that case, the UK law was changed not only to allow biometric data – DNA and fingerprints – to be collected in a wide range of circumstances but also to allow it to be retained almost indefinitely.

Within a few years the UK had created the world’s largest DNA database, which included the biometric data of people who had never been charged or convicted of offences, including children. The data retained was disproportionately weighted towards those who had contact with the police, particularly young Black men.

After the 2008 decision of the European Court of Human Rights in S and Marper v United Kingdom critical of the UK’s collection and use of DNA, legislative change slowly occurred in UK law, culminating in the Protections of Freedoms Act 2012, which established a Biometrics Commissioner and a Surveillance Camera Commissioner with limited powers to monitor police use of biometrics.

Why a new law?

The Ryder Review identifies three reasons why current laws are not ‘fit for purpose’ in regulating use of biometrics.

First, the definitions of personal information used in traditional privacy and data protection laws focus on the data’s ability to identify an individual uniquely. Hence all that debate over whether data has been sufficiently anonymised so as not to be capable of reverse-engineering.

At a technical level, there is debate regarding the extent of individuation that can be achieved with biometric data. The UK’s Forensic Science Regulator expressed some concern that ‘there is no such thing as absolute identification from biometrics’, which would undermine the usefulness of a definition that required absolute unique identification in order for safeguards to be engaged. The UK courts have taken a pragmatic approach (i.e. fudged it) by defining biometric data as “data [that] enables the unique identification of individuals with some accuracy.” (R (Bridges) v Chief Constable of South Wales Police).

But the Ryder Review thinks that the bigger problem with the traditional privacy definition of personal information is that it fails to capture the use of biometric data for classification purposes: i.e. if the link with an individual is broken, the aggregated biometric data can be used to assess other individuals by category:

“We concluded that, where data which has the capacity to uniquely identify individuals with some confidence is obtained or used for purposes other than unique identification – for example, where facial images are captured which could identify individuals but which are used instead for classifying them into race or sex categories – that use, or systems that provide for such activity, must also be subject to robust, rights-safeguarding regulation equivalent to the regulation necessary where identification actually takes place.”

The Ryder Review rejects the argument that use of biometric data for classification is less intrusive than its use for individual identification, taking a dig at metadata retention laws such as we have in Australia:

“There is an uncomfortable parallel with erroneous views by lawmakers that because the acquisition of the content of communications is potentially more intrusive than the acquisition of the metadata of communications, the latter needed far less protection. That type of legislative wrong turn is one that needs to be avoided in relation to the processing of biometric data for categorisation rather than identification.”

Second, use of privacy and data protection laws, as the entry point for biometric governance, fails to take into account some of the specific features and specific risks posed by biometrics to groups of people, such as racial groups.

Third, the current legal framework only provides for legal action vindicating individual rights to be brought once there has been a breach of those rights. All stakeholders, including the police, agreed that there needs to be a process for prior authorisation of the use of biometrics.

What would this biometrics law look like?

The Ryder Review recommends that a new biometric law should make provision for four stages of biometric technology development: testing, piloting, use and evaluation.

The biometric law would require the following studies be undertaken upfront for any new proposal by a public authority to use biometric data:

• conduct and publish an equality impact assessment;
• conduct and publish a privacy impact assessment, which should consider the individual and group privacy rights ramifications;
• conduct a technical accuracy assessment; and
• conduct a necessity and proportionality analysis, requiring up-front consideration by the intended user of a biometric technology whether that use is (i) necessary in pursuit of a legitimate aim and (ii) proportionate, including whether a less intrusive means of pursuing the legitimate aim could be used and whether a fair balance will be struck between the various rights and interests at stake.

Turning then to the procedure or permissions which would be necessary for the use of biometrics, the Ryder Review accepts the view of most stakeholders that a warrant system (by which specific authorisation via court-issued warrants would be necessary before biometric technologies could be deployed) would be too cumbersome and opaque.

However, the Ryder Review thinks that the biggest missing element in the current review processes is a requirement for ethics to be taken into account in respect of operational decisions relating to biometric technologies. This is in contrast to the well-established review processes in medical and other research.

Therefore, the Ryder Review recommends the established of an Ethics Board. It would be a mandatory requirement that all proposals by a public authority to use biometric data would be referred to the Ethics Board. The Ethics Board would not have a power to veto a proposal, but if a public authority decided to proceed notwithstanding opposition or concerns from the Ethics Board, it would have to publish a detailed statement of reasons addressing the Ethics Board’s decision.

Private sector

Although the Ryder Review initially wanted to consider use of biometrics in the private sector, it got too little input from the private sector to make any recommendations. However, the report points out two particular areas of concern:

• Public-private collaboration: the report gives examples of collaboration between estate and building management companies and police over live facial recognition systems. Public-private collaboration could mean that biometric data collected for a public purpose, such as policing, is used to train algorithms which function for different and broader purposes.
• Biometrics in the workplace: The shift to remote working and videoconferencing accelerated by the pandemic means that many interactions are now digital, which enables forms of processing that are not possible in face-to-face communications. Over a quarter of large firms surveyed said they had implemented remote monitoring or planned to do so.

Read more: The Ryder Review: Independent legal review of the governance of biometric data in England and Wales