Australia stands at a critical juncture in privacy and artificial intelligence (AI) regulation. The Privacy and Other Legislation Amendment Bill 2024 was passed on 29 November 2024, alongside cybersecurity...
This new whitepaper from LexisNexis covers findings from a series of discussions jointly hosted by LexisNexis and the Governance Institute of Australia with industry leaders, on how organisations can prepare...
As Australian businesses navigate a rapidly changing risk landscape, the importance of digital transformation has never been greater. We’ve collaborated with our technology partner ReadiNow, who...
Ensuring operational resilience has become a critical priority for Australian and New Zealand organizations but navigating the complexities of CPS 230 can be daunting. They will need to establish appropriate...
Ben has observed that he now saves one-third of the time he would typically spend on legal research. Background Clifford Gouldson is a prominent law firm located in Toowoomba, Queensland, with additional...
By Sharon Givoni, General Editor of the Privacy Law BulletinAlec Christie, (Partner) Clyde & Co, a member of the Privacy Law Bulletin Editorial Panel
The 20th edition of Privacy Law Bulletin contains 4 new articles written by expert lawyers and academics covering the rapidly changing legal landscape around privacy laws and biometric data, in Australia, New Zealand and around the world.
Enter your details to read the full bulletin today.
"Biometric data is the new oil in the digital world, valuable to everyone from cybercriminals to advertisers." – Forbes
Biometric data is information about an individual's unique physiological or behavioural characteristics, such as fingerprints, facial recognition data, iris scans, and their gate or keyboard movements that can be used to identify them. While biometric technologies have existed for decades, the pace of use of biometric technologies and data is increasing, with the rapid uptake of the digital economy: from methadone programs, taxi booking services, ATMs and online banking, access to buildings as well as financial services, healthcare, law enforcement (e.g., criminal investigations) through to telecommunications.
However, there are two distinct sides to the use of biometric data and technologies:
While the use of biometric data and technologies is clearly warranted (and likely welcomed) in appropriate circumstances (such as cyber security), it is fair to say that annoyingly frivolous uses of our biometric data are also growing.
In addition, even for valid and valuable uses of our biometric data, where the information security of that data is lax, the potential impacts on us may be cataclysmic. Cybercriminals (let alone advertisers) having our face, voice or fingerprint which, unlike our passwords, cannot easily be changed will both (i) expose us to significant losses through identity theft and (ii) lock us out of much of the digital economy. This will be even more galling if our biometric ID is stolen from an unnecessary use.
In a world becoming ever more reliant on biometric data to ‘prove’ who we are and permit us access to the digital economy, the theft of our biometric data gives cybercriminals endless opportunity to access and expropriate our digital assets using our biometric ID. In the instance our biometric identity is stolen, it is also currently impossible to easily change one’s face, voice, or fingerprint for the purposes of our ongoing participation in the digital economy.
Therefore, the increasing use of biometric data and technologies to ‘prove’ our identity in order to access the digital economy needs to come with several qualifications, restrictions or guardrails to protect our future selves. Before we get too far down the track, too far to undo any harm done, we need to now consider how to redress the consequences of and reset an individual’s biometric identity in the instance it has been misappropriated by cybercriminals.
Australian privacy laws currently provide some generic guardrails with respect to the collection and use of biometric data and use of biometric technologies but, against a backdrop of significantly increasing use and reliance on biometrics (and the current widespread ‘misunderstanding’ or ignorance of what these require), more biometrics-specific work needs to be done to establish the minimum requirements noted above and the ‘way back’ if the worst happens (biometric-identity theft).
Given the wealth of opportunities for increased cyber security and privacy protection that appropriate uses of biometric data present, it is worth investing the time to develop a secure legal framework for its use.
These issues are increasingly relevant to privacy lawyers as biometric technologies become more widely used by our clients for various purposes including authentication, time and attendance tracking and surveillance.
The Privacy Law Bulletin Editorial Panel have identified several challenges for Australian lawyers advising on biometric data, including:
Privacy concerns: Biometric data is highly sensitive personal information, and there are numerous privacy concerns surrounding its collection, storage, and use. Lawyers must be able to advise their clients on the privacy implications of biometric data collection and use, and ensure that data protection measures are in place to prevent unauthorised access, use, or disclosure.
Regulatory compliance: There are several laws and regulations in Australia that govern the collection, storage, and use of biometric data, including the Privacy Act 1988, the Australian Privacy Principles, and various State and Territory laws, such as the Health Records and Information Privacy Act 2002. Lawyers must have a comprehensive understanding of these laws and regulations to advise their clients on compliance.
Legal uncertainty: There is a lack of clear guidance from the courts on the legal issues surrounding biometric data, including questions around ownership, control and responsibility. Lawyers must navigate the legal uncertainty and provide their clients with clear and practical advice on the implications of biometric data.
Technological developments: Biometric technologies are rapidly evolving and new developments can pose new legal and privacy challenges. Lawyers must stay up to date with the latest developments in the field and be able to advise their clients on the legal implications of new technologies.
Balancing privacy and security: Biometric data can be used to enhance security, but the use of biometric data also raises privacy concerns. Lawyers must help their clients balance the privacy and security implications of biometric data and advise on the best and privacy-law-compliant approaches to minimise privacy risks while maintaining security.
On a more general level, some of the most significant, current issues around the use of biometric data include:
Collection and use of biometric data without consent: Concerns have been raised about organisations collecting and using biometric data without individuals' knowledge or consent, and that people may not be aware of how their data is being used or who has access to it.
Security and protection of biometric data: With biometric data being unique and permanent, it has the potential to cause significant harm if it is lost or stolen. This has raised concerns about the security of biometric data and the measures organisations need to take to protect it.
Potential for misuse and discrimination: There are also concerns about the potential for biometric data to be used for purposes beyond those for which it was collected or for discriminatory purposes, such as for employment or housing decisions.
Lack of transparency: There are concerns about the lack of transparency in the collection, storage, use and sharing of biometric data and that individuals are not adequately informed about how their biometric data is being used and disclosed.
Inside this edition of the Privacy Law Bulletin
The below articles (authored by a member of the Privacy Law Bulletin Editorial Panel and external authors) highlight the need for ongoing debate and discussion to ensure that the privacy rights of individuals are protected as biometric technologies continue to evolve and increase in use. From a non-legal perspective, it is clear that biometrics will play an increasingly important role in our daily lives in the years to come.
On a lighter note, we will end this introduction with some fun facts about biometrics, some of which may surprise you!
Biometric Data: Fun facts
Privacy Law Bulletin provides topical articles on privacy laws. News, analysis, policy, legislation, industry codes and case law are gathered and condensed to form a practical and accessible source of relevant information. Presenting a diversity of opinions from experts in the field, Privacy Law Bulletin covers Australian and international developments, keeping subscribers in touch with current thinking on areas such as employment, banking and finance, the administration of government benefits, telecommunications, health care, marketing and the media.