TRANSCRIPT
May 7, 2020
The Expanding Universe of Biometric Data: Embrace, Curtail, or Regulate?
K Royal, TrustArc
Debra Bromson, AAA Club Alliance Inc.
Joshua A. Mooney, White and Williams LLP
Michael Shapiro, Clarip, Inc.
Speaker
Debra Bromson, Assistant General Counsel, AAA Club Alliance Inc.
Debra Bromson is AGC at AAA Club Alliance (3rd largest AAA Club), where she provides legal, compliance and business advice relating to Data Privacy, Cybersecurity, Information Technology, E-Commerce, Social Media and Marketing, Business Development, and Government and Public Affairs. She was previously the initial head of global privacy at Jazz Pharmaceuticals and the initial AstraZeneca privacy counsel and US officer. Ms. Bromson received her AB from Cornell University, JD from Georgetown University Law Center, and an LLM in taxation from New York University School of Law.
Speaker
Joshua A. Mooney, Chair of Cyber Law & Data Protection Group, White and Williams LLP
• Compliance and implementation of data privacy and security, including through as-a-service platforms
• Incident response, litigation
• Vice Chair of ABA TIPS Cybersecurity and Data Privacy Committee
• Founding Chair of PBA Cybersecurity Committee
Speaker
K Royal, FIP, CIPP/E/US, CIPM, Associate General Counsel, TrustArc
• RN turned attorney, focused on global privacy law
• Teaches privacy law at Arizona State University
• Co-hosts the Serious Privacy podcast
Speaker
Michael Shapiro, CIPP/US/E, CIPM, Senior Counsel, Director of Data Privacy, Clarip, Inc.
Michael Shapiro is a Senior Counsel at Clarip, Inc., an enterprise data management software company that helps organizations comply with the GDPR, CCPA, and other privacy laws. He also serves as a Co-Chair of the IAPP Philadelphia Knowledge Net Chapter and a Policy Vice-Chair for the ABA International Law Section’s Privacy, Cybersecurity, & Digital Rights Committee. Mr. Shapiro is a graduate of the University of Pennsylvania Law School and Indiana University.
The Expanding Universe of Biometric Data
• Purpose of Session: The panel will explore privacy and data protection issues raised by collection and processing of biometrics in the private and public sectors as well as emerging laws and regulations designed to address these issues.
• Main Sections
Understanding Biometric Data
• Overview
• Biometric Information Privacy Act and Other State Laws
Biometric Data in Use
• Business considerations
• Facial recognition in the Public Sector
• Questions
Understanding Biometric Data
Overview
State Laws – BIPA, TX, WA, and Pending Laws
Introduction - definition (the definition below is the California Consumer Privacy Act's, Cal. Civ. Code § 1798.140(b))
“Biometric information” means an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity.
Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
Overview
Biometrics laws are getting more “popular” in states
• It had always been BIPA (Illinois)
• Now there are a few other state laws (Texas, Washington)
Also, they exist in other countries
• Australia
• And of course the EU: the GDPR defines biometric data broadly as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data” (Art. 4(14)), and treats it as “special category” personal data (Art. 9)
And biometrics are “built” into other state laws, e.g. the NY SHIELD Act
• Biometric information is one of the data elements in the SHIELD Act's definition of “private information”
But people are saying other countries that don’t have biometric laws need them
• Canada: an online petition called for reforms to the law to cover facial recognition
Overview
How businesses are using biometrics and related technologies
• Use in a wide range of applications to help business processes
• Employees use fingerprint scanners for time clocks instead of cards or other means
• Banking: to help reduce identity theft
• Shopping
• Automobile: will this be used to enter or operate a car, or to monitor drivers?
Biometric Information Privacy Act (BIPA)
• Enacted to help regulate “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.”
• “Biometric identifier” defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”
• “Biometric information” defined as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.”
Biometric Information Privacy Act
BIPA imposes upon private entities obligations for the collection, retention, disclosure, and use of biometric data:
• Inform data subject in writing that biometric data is collected and stored
• Inform data subject in writing specific purpose and length that biometric data is collected, stored, and used
• Receive from data subject written release
• Publish retention schedule and guidelines for destruction of biometric data
Biometric Information Privacy Act
BIPA prohibits disclosure or dissemination of biometric data unless:
• Data subject consents
• Disclosure completes a financial transaction authorized by the data subject
• Disclosure is required by law or legal process
Biometric Information Privacy Act
BIPA
• “No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person’s or a customer’s biometric identifier or biometric information.”
• Prevailing party may recover for each violation:
• $1,000 or actual damages, whichever is greater, for a negligent violation
• $5,000 or actual damages, whichever is greater, for an intentional or reckless violation
• reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses
• injunctive relief
Biometric Information Privacy Act
Rosenbach v. Six Flags Entm’nt Corp. (Ill. 2019)
• Mere violation of the statute sufficient to file action
• No other harm needed
Patel v. Facebook, Inc. (9th Cir. 2019)
• Statute enacted to protect person’s “concrete” privacy interests
• Reasonable to infer that BIPA intended to protect persons in Illinois even if some relevant activities occur out of state
Biometric Laws in Other States
Other states have pending legislation:
• Florida, Massachusetts, New York, Michigan, Alaska: bills provide for a private cause of action
• South Carolina: H 4182, referred to Committee on Judiciary 1/14/2020. Long title: “TO AMEND THE CODE OF LAWS OF SOUTH CAROLINA, 1976, BY ADDING CHAPTER 31 TO TITLE 37 SO AS TO ENACT THE "SOUTH CAROLINA BIOMETRIC DATA PRIVACY ACT" AND TO PROVIDE CERTAIN REQUIREMENTS FOR A BUSINESS THAT COLLECTS A CONSUMER'S BIOMETRIC INFORMATION, TO ALLOW THE CONSUMER TO REQUEST THAT A BUSINESS DELETE THE COLLECTED BIOMETRIC INFORMATION AND TO PROHIBIT THE SALE OF BIOMETRIC INFORMATION, TO ESTABLISH CERTAIN STANDARDS OF CARE FOR A BUSINESS THAT COLLECTS BIOMETRIC INFORMATION, TO ESTABLISH A PROCEDURE FOR A CONSUMER TO OPT OUT OF THE SALE OF BIOMETRIC INFORMATION, TO PROHIBIT A BUSINESS FROM DISCRIMINATING AGAINST A CONSUMER WHO OPTS OUT OF THE SALE OF THEIR BIOMETRIC INFORMATION, AND TO PROVIDE A PENALTY.”
Biometric Data in Use
Business Considerations
Facial Recognition in the Public Sector
Business Considerations
• Disclosure and consent for collection
• Third-party dissemination
• Cannot sell
• Contractor/“processor” considerations
• Licensing considerations
• Do you need the data at all? Prohibit transmission of the data
• Strong indemnity provisions
• Insurance
Business Considerations
• Biometrics should always be included in the definition of “Personal Information” or “Personal Data” in your company’s policies, contracts with vendors, etc.
• Companies that collect or use biometric data need policies on how it is handled: limits on access and distribution, how long it is retained, and terms of destruction
• Must inform and disclose this to the employees or customers whose biometric data you are handling
• Should be secured with encryption, in transit and at rest
• Two-factor authentication? (a biometric works best as one factor alongside a password or token, not as the only credential)
• Risk: if biometric data is compromised there may be no recourse, since identifiers are unique to each person and cannot be changed or reissued the way a password can
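The encryption and destruction points above are where a practitioner usually asks what the storage should actually look like. The following is an added example written for this page in Go, not code from the panel or from any speaker's organization: each subject's template is encrypted with AES-256-GCM under its own key, the ciphertext is bound to the subject ID and the disclosed purpose through the GCM associated data, and the retention schedule's destruction step is carried out by deleting the key (crypto-shredding), which also covers copies of the ciphertext left in backups. The vault type, subject IDs, purposes and template bytes are constructed for illustration, and the in-memory key map stands in for a KMS or HSM.

```go
// Added example (not code from the panel or any speaker's organization): one way
// to act on the "secure with encryption" and retention/destruction points above.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrNoKey: key destroyed per the retention schedule, or subject never enrolled.
var ErrNoKey = errors.New("template vault: no key for subject")

// Vault keeps per-subject data keys apart from the encrypted templates; the key
// map stands in for a KMS/HSM with its own access control and audit trail.
type Vault struct {
	keys  map[string][]byte // subject ID -> 32-byte AES key
	blobs map[string][]byte // subject ID -> nonce || ciphertext || GCM tag
}

func NewVault() *Vault {
	return &Vault{keys: map[string][]byte{}, blobs: map[string][]byte{}}
}

// aad binds a blob to the record it was written for and to the purpose disclosed
// to the subject at enrollment, so neither can be changed after the fact.
func aad(subjectID, purpose string) []byte {
	return []byte(subjectID + "\x00" + purpose)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Enroll encrypts a freshly extracted template with AES-256-GCM under a new
// per-subject key.
func (v *Vault) Enroll(subjectID, purpose string, template []byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// Seal appends ciphertext and tag to the nonce, so one blob holds all three.
	v.blobs[subjectID] = gcm.Seal(nonce, nonce, template, aad(subjectID, purpose))
	v.keys[subjectID] = key
	return nil
}

// Retrieve decrypts and authenticates the stored template. It fails if the key was
// destroyed, if the purpose differs from the enrolled one, or if the blob was altered.
func (v *Vault) Retrieve(subjectID, purpose string) ([]byte, error) {
	key, haveKey := v.keys[subjectID]
	blob, haveBlob := v.blobs[subjectID]
	if !haveKey || !haveBlob {
		return nil, ErrNoKey
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("template vault: stored blob too short")
	}
	nonce, body := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, aad(subjectID, purpose))
}

// Destroy is the destruction step of the retention schedule: drop the key and
// leave the blob, to show that it (and any backup copy) is useless without it.
func (v *Vault) Destroy(subjectID string) {
	delete(v.keys, subjectID)
}

func main() {
	v := NewVault()
	// Constructed sample; a real minutiae template would be binary vendor output.
	if err := v.Enroll("emp-1001", "timekeeping", []byte("constructed-template")); err != nil {
		panic(err)
	}
	_, err := v.Retrieve("emp-1001", "marketing") // purpose was never disclosed
	fmt.Println("other purpose:", err)
	v.Destroy("emp-1001")
	_, err = v.Retrieve("emp-1001", "timekeeping")
	fmt.Println("after destruction:", err)
}
```

Because a fingerprint or face cannot be reissued after a breach, the design aims to make a stolen copy of the database worthless on its own: the attacker also needs the separately held key, the blob will not decrypt under a purpose or record other than the one it was sealed with, and once the key is destroyed the same holds for every backup. Zeroing the memory that held keys and raw templates, and logging each retrieval, would be the next additions in a real deployment.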
Facial Recognition: Public Sector
▪ FBI has access to around 640 million photos in searchable repositories maintained by federal and state agencies and has conducted over 390,000 searches since 2011.
▪ Law enforcement face recognition networks in the United States include at least 117 million Americans.
▪ At least 1 out of 4 state or local police departments has an option to run face recognition searches through their or another agency’s system.
▪ As many as 30 states allow law enforcement to run or request searches against their database of driver’s license and ID photos.
Sources: Government Accountability Office; Georgetown Law, Center on Privacy and Technology
Facial Recognition: Public Sector
Facial Recognition Is Less Accurate on Minority Groups
▪ MIT and the University of Toronto Study (2018)
▪ Darker-skinned women identified as men 31% of the time, while there were no errors for lighter-skinned men.
▪ NIST Face Recognition Vendor Test Study (2019)
▪ Higher rate of false positives in one-to-one matching for Asians, African Americans, Native American groups, and African American females.
▪ ACLU Facial Recognition Experiment (2018)
▪ Incorrectly matched 28 members of Congress to a mug shot database. The false matches were disproportionately of people of color, including six members of the Congressional Black Caucus.
Facial Recognition: Public Sector
State and Local Bans of Facial Recognition:
▪ City-wide ban on use of facial recognition technology by law enforcement: San Francisco, Oakland, Somerville
▪ State-wide ban on use of facial recognition in police body cameras: CA (a three-year moratorium under AB 1215), OR, NH
▪ State-wide ban on use of Clearview AI facial recognition technology by police: NJ
Facial Recognition: Public Sector
Washington Public Sector Facial Recognition Law (SB 6280)
▪ Notice of Intent
▪ Accountability Reports
▪ Meaningful human review for decisions that produce legal effects concerning individuals
▪ Enabling tests of facial recognition services
▪ Training
▪ Warrant requirement and disclosure of use to defendants
Resources
Privacy Laws and Guidance on Biometrics
PIPEDA: https://www.priv.gc.ca/en/privacy-topics/identities/identification-and-authentication/auth_061013/
European Data Protection Board – has a topic page for biometrics, but watch for developments: https://edpb.europa.eu/our-work-tools/our-documents/topic/biometrics_en
EDPB news: Fine for processing students' fingerprints imposed on a school: https://edpb.europa.eu/news/national-news/2020/fine-processing-students-fingerprints-imposed-school_en
Dutch DPA report and findings on fine for company for processing fingerprints of employees: https://autoriteitpersoonsgegevens.nl/nl/nieuws/boete-voor-bedrijf-voor-verwerken-vingerafdrukken-werknemers
Fieldfisher – the use of biometric data in an employment context
Article: Intersection of HIPAA and Illinois Biometric Information Privacy Act: https://www.physicianspractice.com/article/intersection-hipaa-and-illinois-biometric-information-privacy-act
Resources
Facial Recognition: Public Sector Resources
▪ United States Government Accountability Office. Face Recognition Technology. DOJ and FBI Have Taken Some Actions in Response to GAO Recommendations to Ensure Privacy and Accuracy, But Additional Work Remains (June 4, 2019)
▪ Georgetown Law, Center on Privacy & Technology. The Perpetual Lineup: Unprecedented Police Facial Recognition in America (Oct. 18, 2016)
▪ NIST Face Recognition Vendor Test (FRVT) Part 3: Demographic Effects (2019)
▪ San Francisco “Stop Secret Surveillance” Ordinance
▪ California Body Camera Accountability Act (AB 1215) (2019)
▪ OR Rev Stat § 133.741 (2017)
▪ NH Rev Stat § 105-D:2 (2016)
▪ Washington Public Sector Facial Recognition Law (SB 6280)
Questions + Contact
Joshua Mooney, Partner, White and Williams LLP
Debra Bromson, AGC, AAA Club Alliance Inc.
Michael Shapiro, Senior Counsel, Director of Data Privacy, Clarip, Inc.