Guide to Understanding the Australian Biometric Privacy Law Landscape

09 March 2023 04:10


By Sharon Givoni, General Editor of the Privacy Law Bulletin
Alec Christie (Partner) Clyde & Co, a member of the Privacy Law Bulletin Editorial Panel


The 20th edition of Privacy Law Bulletin contains 4 new articles written by expert lawyers and academics covering the rapidly changing legal landscape around privacy laws and biometric data, in Australia, New Zealand and around the world.


"Biometric data is the new oil in the digital world, valuable to everyone from cybercriminals to advertisers." – Forbes

Biometric data is information about an individual's unique physiological or behavioural characteristics, such as fingerprints, facial recognition data, iris scans, and gait or keyboard movements, that can be used to identify them. While biometric technologies have existed for decades, the pace of use of biometric technologies and data is increasing, with the rapid uptake of the digital economy: from methadone programs, taxi booking services, ATMs and online banking, access to buildings as well as financial services, healthcare, law enforcement (e.g., criminal investigations) through to telecommunications.

However, there are two distinct sides to the use of biometric data and technologies:

  1. the significant cyber security and privacy enhancing use to make digital assets more secure; and
  2. the frivolous uses of our biometric data and ever-increasing threats posed by cyber incidents as well as the consequences that arise from unauthorised access to and use of our biometric data.

While the use of biometric data and technologies is clearly warranted (and likely welcomed) in appropriate circumstances (such as cyber security), it is fair to say that annoyingly frivolous uses of our biometric data are also growing.

In addition, even for valid and valuable uses of our biometric data, where the information security of that data is lax, the potential impacts on us may be cataclysmic. Cybercriminals (let alone advertisers) having our face, voice or fingerprint which, unlike our passwords, cannot easily be changed will both (i) expose us to significant losses through identity theft and (ii) lock us out of much of the digital economy. This will be even more galling if our biometric ID is stolen from an unnecessary use.

In a world becoming ever more reliant on biometric data to ‘prove’ who we are and permit us access to the digital economy, the theft of our biometric data gives cybercriminals endless opportunity to access and expropriate our digital assets using our biometric ID. In the instance our biometric identity is stolen, it is also currently impossible to easily change one’s face, voice, or fingerprint for the purposes of our ongoing participation in the digital economy.

Therefore, the increasing use of biometric data and technologies to ‘prove’ our identity in order to access the digital economy needs to come with several qualifications, restrictions or guardrails to protect our future selves. Before we get too far down the track, too far to undo any harm done, we need to now consider how to redress the consequences of and reset an individual’s biometric identity in the instance it has been misappropriated by cybercriminals.

Australian privacy laws currently provide some generic guardrails with respect to the collection and use of biometric data and use of biometric technologies but, against a backdrop of significantly increasing use and reliance on biometrics (and the current widespread ‘misunderstanding’ or ignorance of what these require), more biometrics-specific work needs to be done to establish the minimum requirements noted above and the ‘way back’ if the worst happens (biometric-identity theft).

Given the wealth of opportunities for increased cyber security and privacy protection that appropriate uses of biometric data present, it is worth investing the time to develop a secure legal framework for its use.

These issues are increasingly relevant to privacy lawyers as biometric technologies become more widely used by our clients for various purposes including authentication, time and attendance tracking and surveillance.

The Privacy Law Bulletin Editorial Panel have identified several challenges for Australian lawyers advising on biometric data, including:

Privacy concerns: Biometric data is highly sensitive personal information, and there are numerous privacy concerns surrounding its collection, storage, and use. Lawyers must be able to advise their clients on the privacy implications of biometric data collection and use, and ensure that data protection measures are in place to prevent unauthorised access, use, or disclosure.

Regulatory compliance: There are several laws and regulations in Australia that govern the collection, storage, and use of biometric data, including the Privacy Act 1988, the Australian Privacy Principles, and various State and Territory laws, such as the Health Records and Information Privacy Act 2002. Lawyers must have a comprehensive understanding of these laws and regulations to advise their clients on compliance.

Legal uncertainty: There is a lack of clear guidance from the courts on the legal issues surrounding biometric data, including questions around ownership, control and responsibility. Lawyers must navigate the legal uncertainty and provide their clients with clear and practical advice on the implications of biometric data.

Technological developments: Biometric technologies are rapidly evolving and new developments can pose new legal and privacy challenges. Lawyers must stay up to date with the latest developments in the field and be able to advise their clients on the legal implications of new technologies.

Balancing privacy and security: Biometric data can be used to enhance security, but the use of biometric data also raises privacy concerns. Lawyers must help their clients balance the privacy and security implications of biometric data and advise on the best and privacy-law-compliant approaches to minimise privacy risks while maintaining security.

On a more general level, some of the most significant, current issues around the use of biometric data include:

Collection and use of biometric data without consent: Concerns have been raised about organisations collecting and using biometric data without individuals' knowledge or consent, and that people may not be aware of how their data is being used or who has access to it.

Security and protection of biometric data: With biometric data being unique and permanent, it has the potential to cause significant harm if it is lost or stolen. This has raised concerns about the security of biometric data and the measures organisations need to take to protect it.

Potential for misuse and discrimination: There are also concerns about the potential for biometric data to be used for purposes beyond those for which it was collected or for discriminatory purposes, such as for employment or housing decisions.

Lack of transparency: There are concerns about the lack of transparency in the collection, storage, use and sharing of biometric data and that individuals are not adequately informed about how their biometric data is being used and disclosed.

Inside this edition of the Privacy Law Bulletin

The below articles (authored by a member of the Privacy Law Bulletin Editorial Panel and external authors) highlight the need for ongoing debate and discussion to ensure that the privacy rights of individuals are protected as biometric technologies continue to evolve and increase in use. From a non-legal perspective, it is clear that biometrics will play an increasingly important role in our daily lives in the years to come.

  • Caitlin Surman (Senior Associate) HWL Ebsworth Lawyers - Mind the gap: facial recognition and the existing laws
  • Dr Natasha CHL Mazey UNIVERSITY OF CANTERBURY, Dr Marcin Betkier (Lecturer) VICTORIA UNIVERSITY OF WELLINGTON, and Reuel Baptista (Consultant) PRIVACY FOUNDATION NEW ZEALAND - De-identification and Anonymisation to Effectively Protect Privacy - Part 1: Navigating the Legal Conundrum
  • Dr Natasha CHL Mazey UNIVERSITY OF CANTERBURY, Dr Marcin Betkier (Lecturer) VICTORIA UNIVERSITY OF WELLINGTON, and Reuel Baptista (Consultant) PRIVACY FOUNDATION NEW ZEALAND - De-identification and Anonymisation to Effectively Protect Privacy – Part 2: The Need for Guidelines
  • Alec Christie (Partner) Clyde & Co and Iris Rad (Associate) Clyde & Co - The pitfalls of commercialising biometric data: case studies on facial recognition technology

On a lighter note, we will end this introduction with some fun facts about biometrics, some of which may surprise you!

Biometric Data: Fun facts

1. The first recorded use of biometrics was by an Egyptian pharaoh who required his slaves to press their fingerprints into clay tablets as proof of payment for goods.
2. Biometric technologies were used during World War II to identify enemy soldiers, and this paved the way for modern biometric technologies.
3. Biometric authentication is faster than traditional passwords and can be more secure, as passwords can be easily forgotten or stolen.
4. The human iris has over 265 unique characteristics and is one of the most unique biometric identifiers.
5. Fingerprints remain unchanged for a lifetime, making them one of the most commonly used biometric identifiers.
6. Facial-recognition technology can identify individuals in real-time, even in a crowd, making it a powerful tool for security and law enforcement.
7. Voice-recognition biometrics is often used for voice-activated virtual assistants, such as Siri and Alexa.
8. Some animals, such as elephants and monkeys, can recognise themselves in a mirror, indicating that they possess a self-awareness that is often used as a test for biometric recognition.
9. Biometric data can be used to provide a more secure and personalised experience for users, including for secure mobile devices, financial transactions and passports.
10. The global biometric market is expected to grow rapidly in the coming years, with some experts estimating that the market will be worth over $70 billion by 2027.


Privacy Law Bulletin provides topical articles on privacy laws. News, analysis, policy, legislation, industry codes and case law are gathered and condensed to form a practical and accessible source of relevant information. Presenting a diversity of opinions from experts in the field, Privacy Law Bulletin covers Australian and international developments, keeping subscribers in touch with current thinking on areas such as employment, banking and finance, the administration of government benefits, telecommunications, health care, marketing and the media.
