With the rise of face and fingerprint recognition technology, just how safe is our biometric data?
Gabriela Kennedy and Karen Lee say while such technological advancements have made all kinds of daily transactions more convenient, we need to counter the threat of abuse
Face recognition technology to help “tag” friends in photographs, fingerprint recognition to unlock smartphones, and fingerprint door locks are just some of the ways in which biometric data has been used in recent years. In Asia, developments include palm vein authentication technology for payments, and mobile terminals, or “biocarts”, that take photos and fingerprints of passengers for immigration processing in Japan; fingerprint authentication for ATMs in Vietnam; and facial recognition technology for ATMs in China. Is this the end of long passwords and complex authentication systems?
Biometric technology can enhance a user’s experience by speeding up delivery and offering increased security. But is a fingerprint scan more secure than a password? Fingerprints can easily be “lifted” and used to fool sensors.
Biometric technology used to track employee attendance has also given rise to a host of data privacy concerns. Regardless of the benefits, the collection of biometric data makes the individual vulnerable to threats – misuse, theft, data leakage and an erosion of human dignity. Unlike passwords, which can be reset, biometric features cannot be replaced when stolen.
Biometric data can be used to identify the people from whom it was collected. The data can be stored on a person’s device, but is also recorded in a central database. Should such data be freely collected, and how can people be assured that it will not be misused?
It is no surprise that the collection and use of biometric data has led to heightened public and regulatory concern about the risk to privacy. Most countries, however, have no specific provisions in data privacy laws that solely address the collection and use of biometric data. In some jurisdictions, additional protections and restrictions regarding the collection and use of “sensitive data” exist.
In Hong Kong, where there is no separate definition of sensitive data, the biggest collector of biometric data is the government. Fingerprint data is stored on all Hong Kong identity cards. A new smart(er) biometric ID card is expected to be introduced in phases between 2018 and 2022.
The city has witnessed the increased adoption and use of biometric technology by the private sector, and a few instances of misuse have led to investigations by the privacy watchdog. In May 2014, for example, it came to light that an investment company had required all female staff to provide blood samples for DNA testing in a misguided attempt to investigate toilet hygiene complaints. This July, a fashion trading company was reprimanded for the collection of employees’ fingerprint data. In both cases, the collection of data was found to have been excessive, as the sensitive nature of the data was disproportionate to the purpose of collection, and less intrusive measures for collection were available.
In an employer-employee context, even if the collection of biometric data may be justified and proportionate, alternative options should still be provided (e.g. password access instead of a fingerprint scan). Otherwise, consent cannot really be said to be voluntary or “fair” for the purposes of the law.
Hong Kong is one of the first Asian jurisdictions where a regulator has issued specific guidelines on the collection and use of biometric data. Even though the “Guidance Note”, issued in July by the Office of the Privacy Commissioner for Personal Data, is not legally binding, and a breach of its provisions will not constitute an offence, the regulator will probably take into account any data users’ non-compliance when determining whether a breach of the law has occurred.
Advancements in biometric technology have rendered everyday transactions more convenient and efficient. As more “bits” of us are being captured, compressed and used to enable daily transactions, what safeguards do we need to have in place, and how will they differ from one place to another?
For now it seems that more blood, sweat and tears will be needed to achieve the elusive balance between greater efficiency and security through the use of biometric data, versus safeguarding privacy, human dignity and, ironically, the security of such data.
Gabriela Kennedy is a partner at Mayer Brown JSM, where Karen H. F. Lee is a senior associate