Review calls for urgent new laws over use of biometric technology
Report also calls for the creation of a biometrics ethics board and greater scrutiny of data sharing


An independent legal review has concluded that new laws regulating the use of biometric data in the public and private sector are urgently needed.
The report, commissioned by The Ada Lovelace Institute and undertaken by Matthew Ryder QC, aimed to highlight the uncertain level of biometric technology regulation provided by existing laws such as the EU's General Data Protection Regulation (GDPR).
Among the review’s recommendations are a new statutory framework to set out the use of biometric data by private and public organisations for both identification and classification, and the establishment of a national Biometrics Ethics Board. This, it says, is necessary given the rights-intrusive potential of new technologies such as live facial recognition and gait recognition.
Further investigation into the private sector’s use of biometrics, as well as the sharing of information between private and public sector entities, was also highlighted as a matter of importance.
The review gives the example of the use of facial recognition technology at the King’s Cross site in 2019, which was later found to have included a data sharing agreement with the Metropolitan Police and British Transport Police, to “prevent and detect crime in the neighbourhood”, according to the site's owners.
Recommendations in this area include stricter regulation of Live Facial Recognition (LFR) and a complete moratorium on all LFR in both the public and private sector until the new framework is in place.
Additional concern was raised around the use of remote monitoring and video processing to collect biometric data in the private sector, enabled by the rise of remote working throughout the pandemic.
Under current protections provided by GDPR, biometric data is only classified as special category data when it is collected for ‘the purpose of uniquely identifying a natural person’. The Ada Lovelace Institute, in their policy report supplemental to the review, notes that this leaves biometric data used to determine a person’s “gender, race, or emotional state” subject to less stringent legal oversight.
Proposed legislation would cover use of biometric data for identification and classification. It would also require biometric technology earmarked for public use to first undergo a series of impact assessments to determine its potential impact on privacy and equality, as well as scrutinise the necessity and proportionality of the technology.
Public bodies would then have to refer any such technology to a newly proposed Biometric Ethics Board, the creation of which would provide ethical oversight in a public advisory capacity. It was also suggested that the advice of the board should be made publicly available, with public bodies required to publish explanations for any decisions made contrary to this advice within 14 days of any such decision.
Having begun in 2020, the review makes no reference to the proposed Data Reform Bill, which has been specifically highlighted by government ministers as relaxing certain restrictions imposed by GDPR that they dubbed “red tape and pointless paperwork”. These include aims by the government to cut down on the need to seek user consent for the processing of data in certain circumstances.
As part of the review, the Ada Lovelace council convened a Citizens’ Biometrics Council, composed of a diverse group of 50 members of the public asked to learn about and offer views on the use of biometric technology in legislation. A common view in their recommendations was the need for consent and transparency regarding the use of biometric data.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.