The Expanding Universe of Biometric Data: Embrace, Curtail, or Regulate?



slide-1
SLIDE 1

May 7, 2020

The Expanding Universe of Biometric Data: Embrace, Curtail, or Regulate?

  • K Royal, TrustArc
  • Debra Bromson, AAA Club Alliance Inc.
  • Joshua A. Mooney, White and Williams LLP
  • Michael Shapiro, Clarip, Inc.

slide-2
SLIDE 2

Speaker

Debra Bromson

Assistant General Counsel, AAA Club Alliance Inc.

Debra Bromson is AGC at AAA Club Alliance (3rd largest AAA Club), where she provides legal, compliance and business advice relating to Data Privacy, Cybersecurity, Information Technology, E-Commerce, Social Media and marketing, Business Development and Government and Public Affairs. She was previously the initial head of global privacy at Jazz Pharmaceuticals and the initial AstraZeneca privacy counsel and US officer. Ms. Bromson received her AB from Cornell University, JD from Georgetown University Law Center, and an LLM in taxation from New York University School of Law.

slide-3
SLIDE 3

Speaker

Joshua A. Mooney

Chair of Cyber Law & Data Protection Group, White and Williams LLP

  • Compliance and implementation of data privacy and security, including through as-a-service platforms
  • Incident response, litigation
  • Vice Chair of ABA TIPS Cybersecurity and Data Privacy Committee
  • Founding Chair of PBA Cybersecurity Committee
slide-4
SLIDE 4

Speaker

K Royal, FIP, CIPP/E / US, CIPM

Associate General Counsel, TrustArc

  • RN turned attorney, focused on global privacy law
  • Teach privacy law at Arizona State University
  • Co-host Serious Privacy podcast
slide-5
SLIDE 5

Speaker

Michael Shapiro, CIPP/US/E, CIPM

Senior Counsel, Director of Data Privacy, Clarip, Inc.

Michael Shapiro is a Senior Counsel at Clarip, Inc., an enterprise data management software company that helps organizations comply with the GDPR, CCPA, and other privacy laws. He also serves as a Co-Chair of the IAPP Philadelphia Knowledge Net Chapter and a Policy Vice-Chair for the ABA International Law Section’s Privacy, Cybersecurity, & Digital Rights Committee. Mr. Shapiro is a graduate of the University of Pennsylvania Law School and Indiana University.

slide-6
SLIDE 6

The Expanding Universe of Biometric Data

  • Purpose of Session

The panel will explore privacy and data protection issues raised by collection and processing of biometrics in the private and public sectors as well as emerging laws and regulations designed to address these issues.

  • Main Sections

Understanding Biometric Data

  • Overview
  • Biometric Information Privacy Act and Other State Laws

Biometric Data in Use

  • Business considerations
  • Facial recognition in the Public Sector
  • Questions
slide-7
SLIDE 7

Understanding Biometric Data

  • Overview
  • State Laws – BIPA, TX, WA, and Pending Laws

slide-8
SLIDE 8

Introduction - definition

slide-9
SLIDE 9

Introduction - definition

“Biometric information” means an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

slide-10
SLIDE 10

Overview

Biometrics Laws are Getting More “Popular” in States

  • It had always been BIPA—Illinois
  • Now there are a few new state laws (Texas, Washington)

Also, they exist in other countries

  • Australia
  • And of course—the EU—has a broad definition: “personal data resulting from specific technical processing relating to the physical, physiological, and behavioral characteristics of a natural person.” See Art. 4(14). It is also “special category” personal data.

And biometrics are “built” into other state laws — e.g. NY Shield Act

  • “Biometric data” is included in the definition of “personal information”

But people are saying other countries that don’t have biometric laws need them

  • Canada—Had an online petition calling for reforms to the law to cover facial recognition
slide-11
SLIDE 11

Overview

How businesses are using biometrics and related technologies

  • Use in wide range of applications to help business processes
  • Employees use fingerprint scanners for timing instead of cards or other means

  • Banking—to help reduce identity theft
  • Shopping
  • Automobile—will this be used to enter or operate a car or monitor drivers
slide-12
SLIDE 12

Biometric Information Privacy Act

Biometric Information Privacy Act (BIPA)

  • Enacted to help regulate “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.”
  • “Biometric identifier” defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”
  • “Biometric information” defined as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.”

slide-13
SLIDE 13

Biometric Information Privacy Act

BIPA imposes upon private entities obligations for the collection, retention, disclosure, and use of biometric data:

  • Inform data subject in writing that biometric data is collected and stored
  • Inform data subject in writing specific purpose and length that biometric data is collected, stored, and used
  • Receive from data subject written release
  • Publish retention schedule and guidelines for destruction of biometric data

slide-14
SLIDE 14

Biometric Information Privacy Act

BIPA prohibits disclosure or dissemination of biometric data unless:

  • Data subject consents
  • Disclosure completes a financial transaction authorized by the data subject
  • Disclosure is required by law or legal process

slide-15
SLIDE 15

Biometric Information Privacy Act

BIPA

  • “No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person’s or a customer’s biometric identifier or biometric information.”
  • Prevailing party may recover for each violation:
  • $1,000 or actual damages, whichever is greater, for negligent breach
  • $5,000 or actual damages, whichever is greater, for intentional or reckless breach
  • reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses
  • Injunctive relief
slide-16
SLIDE 16

Biometric Information Privacy Act

Rosenbach v. Six Flags Entm’t Corp. (Ill. 2019)

  • Mere violation of the statute sufficient to file action
  • No other harm needed

Patel v. Facebook, Inc. (9th Cir. 2019)

  • Statute enacted to protect person’s “concrete” privacy interests
  • Reasonable to infer that BIPA intended to protect persons in Illinois even if some relevant activities occur out of state

slide-17
SLIDE 17

Biometric Laws in Other States

Other states have pending legislation:

  • Florida, Massachusetts, New York, Michigan, Alaska—provide for a private cause of action
  • South Carolina—H 4182 referred to Committee on Judiciary 1/14/2020
  • TO AMEND THE CODE OF LAWS OF SOUTH CAROLINA, 1976, BY ADDING CHAPTER 31 TO TITLE 37 SO AS TO ENACT THE "SOUTH CAROLINA BIOMETRIC DATA PRIVACY ACT" AND TO PROVIDE CERTAIN REQUIREMENTS FOR A BUSINESS THAT COLLECTS A CONSUMER'S BIOMETRIC INFORMATION, TO ALLOW THE CONSUMER TO REQUEST THAT A BUSINESS DELETE THE COLLECTED BIOMETRIC INFORMATION AND TO PROHIBIT THE SALE OF BIOMETRIC INFORMATION, TO ESTABLISH CERTAIN STANDARDS OF CARE FOR A BUSINESS THAT COLLECTS BIOMETRIC INFORMATION, TO ESTABLISH A PROCEDURE FOR A CONSUMER TO OPT OUT OF THE SALE OF BIOMETRIC INFORMATION, TO PROHIBIT A BUSINESS FROM DISCRIMINATING AGAINST A CONSUMER WHO OPTS OUT OF THE SALE OF THEIR BIOMETRIC INFORMATION, AND TO PROVIDE A PENALTY.

slide-18
SLIDE 18

Biometric Data in Use

  • Business Considerations
  • Facial Recognition in the Public Sector

slide-19
SLIDE 19

Business Considerations

  • Disclosure and Consent for collection
  • Third-party dissemination
  • Cannot sell
  • Contractor/“processor” considerations
  • Licensing Considerations
  • Do you need the data/prohibit transmission of data
  • Strong indemnity provisions
  • Insurance
slide-20
SLIDE 20

Business Considerations

  • Biometrics should always be included in the definition of “Personal Information” or “Personal Data” in your company’s policies, contracts with vendors, etc.
  • Companies that collect or use biometric data need to make sure they have policies about how it is handled, limits on access and distribution, terms of destruction, and how long it is retained
  • Must inform and disclose this to employees or customers whose biometric data you are handling
  • Should be secured with encryption
  • Two-factor authentication?
  • Risk: if these are compromised, there may be no recourse, since biometrics are unique to each person and may not be able to be changed.

slide-21
SLIDE 21

Facial Recognition: Public Sector

▪ FBI has access to around 640 million photos in searchable repositories maintained by the federal and state agencies and has conducted over 390,000 searches since 2011.

▪ Law enforcement face recognition networks in the United States include at least 117 million Americans.

▪ At least 1 out of 4 state or local police departments has an option to run face recognition searches through their or another agency’s system.

▪ As many as 30 states allow law enforcement to run or request searches against their database of driver’s license and ID photos.

Sources: Government Accountability Office; Georgetown Law, Center on Privacy and Technology

slide-22
SLIDE 22

Facial Recognition: Public Sector

Facial Recognition Is Less Accurate on Minority Groups

▪ MIT and the University of Toronto Study (2018)

▪ Darker-skinned women identified as men 31% of the time, while there were no errors for lighter-skinned men.

▪ NIST Face Recognition Vendor Test Study (2019)

▪ Higher rate of false positives in one-to-one matching for Asians, African Americans, Native American groups, and African American females.

▪ ACLU Facial Recognition Experiment (2018)

▪ Incorrectly matched 28 members of Congress to a mug shot database. The false matches were disproportionately of people of color, including six members of the Congressional Black Caucus.

slide-23
SLIDE 23

Facial Recognition: Public Sector

State and Local Bans of Facial Recognition:

▪ City-wide ban on use of facial recognition technology by law enforcement: San Francisco, Oakland, Somerville

▪ State-wide ban on use of facial recognition in police body cameras: CA, OR, NH

▪ State-wide ban on use of Clearview AI facial recognition technology by police: NJ

slide-24
SLIDE 24

Facial Recognition: Public Sector

Washington Public Sector Facial Recognition Law (SB 6280)

▪ Notice of Intent

▪ Accountability Reports

▪ Meaningful human review for decisions that produce legal effects concerning individuals

▪ Enabling tests of facial recognition services

▪ Training

▪ Warrant requirement and disclosure of use to defendants

slide-25
SLIDE 25
slide-26
SLIDE 26

Resources

Privacy Laws and Guidance on Biometrics

PIPEDA: https://www.priv.gc.ca/en/privacy-topics/identities/identification-and-authentication/auth_061013/

European Data Protection Board – has a link for biometrics, but …. Watch for developments: https://edpb.europa.eu/our-work-tools/our-documents/topic/biometrics_en

EDPB news: Fine for processing students fingerprints imposed on a school: https://edpb.europa.eu/news/national-news/2020/fine-processing-students-fingerprints-imposed-school_en

Dutch DPA report and findings on fine for company for processing fingerprints of employees: https://autoriteitpersoonsgegevens.nl/nl/nieuws/boete-voor-bedrijf-voor-verwerken-vingerafdrukken-werknemers

Fieldfisher – the use of biometric data in an employment context: https://www.priv.gc.ca/en/privacy-topics/identities/identification-and-authentication/auth_061013/

Article: Intersection of HIPAA and Illinois Biometrics Information Privacy Act: https://www.physicianspractice.com/article/intersection-hipaa-and-illinois-biometric-information-privacy-act

slide-27
SLIDE 27

Resources

Facial Recognition: Public Sector Resources

▪ United States Government Accountability Office. Face Recognition Technology. DOJ and FBI Have Taken Some Actions in Response to GAO Recommendations to Ensure Privacy and Accuracy, But Additional Work Remains (June 4, 2019)

▪ Georgetown Law, Center on Privacy & Technology. The Perpetual Lineup: Unprecedented Police Facial Recognition in America (Oct. 18, 2016)

▪ NIST Face Recognition Vendor Test (FRVT) Part 3: Demographic Effects (2019)

▪ San Francisco “Stop Secret Surveillance” Ordinance

▪ California Body Camera Accountability Act (AB 1215) (2019)

▪ OR Rev Stat § 133.741 (2017)

▪ NH Rev Stat § 105-D:2 (2016)

▪ Washington Public Sector Facial Recognition Law (SB 6280)

slide-28
SLIDE 28

Questions + Contact

Joshua Mooney

Partner, White and Williams LLP
mooneyj@whiteandwilliams.com

Debra Bromson

AGC, AAA Club Alliance Inc.
dbromson@aaamidatlantic.com

K Royal

AGC, TrustArc
kroyal@trustarc.com

Michael Shapiro

Senior Counsel, Director of Data Privacy, Clarip, Inc.
michael@clarip.com