d1revolver - Fotolia

Urgent need for new laws to govern biometrics, legal review finds

Independent review says new framework is needed to clear up legal and ethical concerns over the use of biometric data and technologies, which can impact privacy, freedom of expression and other human rights

New legislation is urgently needed to address the increasing use of biometric technologies by both public authorities and the private sector, as current frameworks are inadequate and failing to keep pace with its use, according to an independent legal review.

The 221-page legal review takes stock of a range of biometric data and technologies, including well-known forms such as fingerprints, DNA, iris scanning and facial recognition. It also takes into account less well-known and novel forms of biometrics, including behavioural traits such as gait or keystroke analysis.

While the review focuses primarily on the use of biometrics by public authorities, particularly by police forces, it also takes into account private sector uses of biometric data and technologies, such as in public-private partnerships and for workplace monitoring.

Conducted by Matthew Ryder QC of Matrix Chambers and commissioned by the Ada Lovelace Institute, the independent review found that the current legal framework governing these technologies is not fit for purpose, has not kept pace with technological advances and does not make clear when and how biometrics can be used, or the processes that should be followed.

It also found that the current oversight arrangements are fragmented and confusing, and that the current legal position does not adequately protect individual rights or confront the very substantial invasions of personal privacy that the use of biometrics can cause.

“We’re at the beginning of a biometric revolution,” said Ryder. “Our biometric data is now able to be collected and processed in previously unimaginable ways.

“My independent legal review clearly shows that the current legal regime is fragmented, confused and failing to keep pace with technological advances. We urgently need an ambitious new legislative framework specific to biometrics. We must not allow the use of biometric data to proliferate under inadequate laws and insufficient regulation.”

In his foreword to the review, Ryder noted that he was “repeatedly struck by two counterintuitive features” in the conversation around the development and deployment of biometric technologies – the first being that strong laws and regulations are sometimes characterised as hindering advancements in the use of biometric data.

“In practice, a clear regulatory framework enables those who work with biometric data to be confident of the ethical and legal lines within which they must operate,” he said.

“They are freed from the unhelpful burden of self-regulation that arises from unclear guidelines and overly flexible boundaries. This confidence liberates innovation and encourages effective working practices. Lawmakers and regulators are not always helping those who want to act responsibly by taking a light touch.”

The second counterintuitive feature, said Ryder, was that although the importance of transparency and public consultation was emphasised by all stakeholders involved in the review, the practical effect of such emphasis was not always positive.

“On the one hand, obtaining active and informed public understanding through a structured process – such as a ‘citizens’ jury’ – could provide valuable information on which to base policy,” he said. “But too often, public and private authorities were relying on the public’s partially understood purported consent, an ill-defined assessment of public opinion, or the mere fact of an election victory, as a broad mandate for intrusive collection and use of the public’s biometric data.”

Ryder also said that because much public focus was on the police’s use of biometric technologies, particularly live facial recognition, research into the private sector’s use of biometrics has been comparatively lacking. “We strongly recommend urgent research on regulating biometric data in the context of use by private companies,” he said.

“Where we have felt we have a sufficiently robust evidence base to make recommendations relating to the regulation of biometrics in private sector and commercial entities, we have done so. But it is also one of our recommendations that specific, additional, private sector-focused work be undertaken.”

Other recommendations in the review include making any statutory framework require sector and/or technology-specific codes of practice to be published; consolidating the oversight of biometrics either under a new independent regulator or a specialist commissioner who sits in the Information Commissioner’s Office (ICO); and establishing a national Biometrics Ethics Board with a mandatory advisory role when it comes to public sector use of biometrics.

Read more about biometrics

The review separately recommended that this Ethics Board should openly publish its advice to public sector organisations seeking to deploy biometric technologies, adding that the deploying body should also be made to publish its reasoning within 14 days, when a decision is taken to use the technology contrary to the board’s advice.

Two recommendations also focused specifically on live facial recognition (LFR), one calling for a legally binding code of practice to be published by the government as soon as possible, and another calling for a moratorium on the technology until a new statutory framework and code of practice are in place.

In August 2020, the use of LFR by South Wales Police was deemed unlawful by the Court of Appeal, which made its decision on the grounds that the force’s use of the technology was “not in accordance” with Article 8 privacy rights, that it did not conduct an appropriate data protection impact assessment (DPIA), and that it did not comply with its public sector equality duty (PSED) to consider how its policies and practices could be discriminatory.

the Ryder Review said: “We consider the numerous and varied voices calling for a ban on LFR – from a diverse range of stakeholders – to be persuasive. We are fortified in that view by the key legal challenge to LFR in England finding it to be unlawful.

“With a proper legal framework, we cannot exclude the possibility that it could be deployed in a rights-compatible way. But we are persuaded that, at present, it is not possible. We therefore recommend a moratorium on its use until an adequate legal framework is introduced.”

It further recommended that any framework should supplement, rather than replace, existing duties arising under the Human Rights Act 1998, the Equality Act 2010 and the Data Protection Act 2018 (DPA 18).

In July 2019, the UK Parliament’s Science and Technology Committee published a report that identified the lack of legislation surrounding facial recognition in particular, and called for a moratorium on its use until a framework was in place.

However, in its official response to the report, which was published after a delay of nearly two years in March 2021, the government claimed there was “already a comprehensive legal framework for the management of biometrics, including facial recognition”.

Outlining the framework, the government said it included police common law powers to prevent and detect crime, the DPA 18, the Human Rights Act 1998, the Equality Act 2010, the Police and Criminal Evidence Act 1984 (PACE), the Protection of Freedoms Act 2012 (POFA), and police forces’ own published policies.

More recently, in January 2022, policing minister Kit Malthouse told the Home Affairs and Justice Committee (HAJC) that the use of new technologies by police, including biometrics, should be tested in court rather than defined by new legislation, which he argued could “stifle innovation”.

While the HAJC noted that new legislation would be needed to govern the general use of emerging technologies by police – which it described as “a new Wild West” – it did not call for a specific biometrics law.

However, responding to the publication of the Ryder Review, HAJC chair Baroness Hamwee said: “The central place that ethics should take in society, transparency, the dangers of bias and discrimination, standards, proportionality – all are acknowledged. But without a regulatory framework, rooted in a sound legislative and institutional basis, they are mere words.

“The current uncoordinated and confusing arrangements are inadequate. Biometric technologies have huge potential. They need an essential component: public trust and confidence, which in turn needs sound regulation.”

The UK’s former commissioner for the retention and use of biometric material, Paul Wiles, told the House of Commons Science and Technology Committee in July 2021 that although there was currently a “general legal framework” governing the use of biometric technologies, their pervasive nature and rapid proliferation meant a more explicit legal framework was needed.

Fraser Sampson, the UK’s current biometrics and surveillance camera commissioner, said in response to the Ryder Review: “If people are to have trust and confidence in the legitimate use of biometric technologies, the accountability framework needs to be comprehensive, consistent and coherent.  And if we’re going to rely on the public’s implied consent, that framework will have to be much clearer.”

Read more on Privacy and data protection