With the rise of face and fingerprint recognition technology, just how safe is our biometric data?
Gabriela Kennedy and Karen Lee say while such technological advancements have made all kinds of daily transactions more convenient, we need to counter the threat of abuse
Biometric technology can enhance a user’s experience by speeding up delivery and offering increased security. But is a fingerprint scan more secure than a password? Fingerprints can easily be “lifted” and used to fool sensors.
Biometric technology used to track employee attendance has also given rise to a host of data privacy concerns. Regardless of the benefits, the collection of biometric data makes the individual vulnerable to threats – misuse, theft, data leakage and an erosion of human dignity. Unlike passwords, which can be reset, biometric features cannot be replaced when stolen.
Biometric data can be used to identify the people from whom it was collected. The data can be stored on a person’s device, but is also recorded in a central database. Should such data be freely collected, and how can people be assured that it will not be misused?
It is no surprise that the collection and use of biometric data has led to heightened public and regulatory concern about the risk to privacy. Most countries, however, have no specific provisions in data privacy laws that solely address the collection and use of biometric data. In some jurisdictions, additional protections and restrictions regarding the collection and use of “sensitive data” exist.
In an employer-employee context, even if the collection of biometric data may be justified and proportionate, alternative options should still be provided (e.g. password access instead of a fingerprint scan). Otherwise, consent cannot really be said to be voluntary or “fair” for the purposes of the law.
Hong Kong is one of the first Asian jurisdictions where a regulator has issued specific guidelines on the collection and use of biometric data. Even though the “Guidance Note”, issued in July by the Office of the Privacy Commissioner for Personal Data, is not legally binding, and a breach of its provisions will not constitute an offence, the regulator will probably take into account any data user’s non-compliance when determining whether a breach of the law has occurred.
Advancements in biometric technology have rendered everyday transactions more convenient and efficient. As more “bits” of us are being captured, compressed and used to enable daily transactions, what safeguards do we need to have in place, and how will they differ from one place to another?
For now it seems that more blood, sweat and tears will be needed to achieve the elusive balance between greater efficiency and security through the use of biometric data, versus safeguarding privacy, human dignity and, ironically, the security of such data.
Gabriela Kennedy is a partner at Mayer Brown JSM, where Karen H. F. Lee is a senior associate