In June 2022, the Ada Lovelace Institute published an ‘Independent legal review of the governance of biometric data in England and Wales’ written by Matthew Ryder. This review aims to address the current legal uncertainty concerning the collection, use and processing of biometric data in England and Wales. It also puts forward 10 recommendations to improve the legal framework as well as the governance of biometrics in England and Wales. For the review, the authors analysed, among other documentation, statutory reports, policies, and use cases where live facial recognition (LFR) was mainly deployed by public actors such as South Wales Police and the London Metropolitan Police.
The review acknowledges the legal changes in UK legislation, which have been driven by the European Court of Human Rights rulings, such as S. and Marper v. the United Kingdom, which culminated in the adoption of the Protection of Freedoms Act. Furthermore, the review underlines the legal developments that are ongoing on the use and processing of personal data such as the GDPR, the UK General Data Protection Regulation, and the forthcoming EU AI Act. However, the review considers that these legal instruments do not provide sufficient clarity on the regulation of biometric technologies. Besides the lack of clarity, the current legal framework is considered insufficient to meet the challenges faced by how data is being used, and new biometric technologies developed.
The report also tackles the issue of how biometric systems are defined. ‘Biometric data’ is generally defined as “…personal data, often obtained from or relating to a person’s body or behaviour, which may be used to uniquely identify them.” However, the review considers that systems that use data for purposes other than ‘unique identification’ (e.g. using facial images for classification purposes) should also be subject to robust, rights-safeguarding regulation equivalent to that which applies to systems which enable unique identification of data subjects. Aside from the most well known and common forms of biometrics in use (fingerprints, DNA, iris scans, and voice and facial recognition), there are novel and less well known, behavioural forms of analysis such as gait analysis or key-stroke analysis.
The author explains that the current governance of biometric data “relies on a patchwork of overlapping laws addressing data protection, human rights, discrimination and criminal justice issues”, considering that “there is no single overarching legal framework for the management of biometric data”.
As part of his research for the report, the author conducted a series of interviews with different actors working on the issue. Various concerns were expressed: some consider a ban on live technology necessary while others are calling for the adoption of a legal framework to regulate it. Nevertheless, there was consensus on the need for new legislation on biometrics.
The review then puts forward 10 recommendations, the first of which expressing the urgent need for new and specific legal frameworks to regulate biometric data, covering not only the use of biometric data for identification purposes, but also for classification purposes. Moreover, with regard to LFR the review proposes a complete moratorium on its use by public and private actors until a new statutory framework and code of practice are in place. In addition, the authors call on the government to publish a legally binding code of practice governing LFR, and its use by the police in particular. Furthermore, the review also recommends that specific codes of practice on the use of biometric data should be formulated to regulate specific technologies or specific sectors, a national Biometrics Ethics Board be created, whose advice should be published, and oversight functions should be consolidated, clarified and properly resourced. Finally, the review points out the lack of sufficient work on the issue of private sector use of biometrics and public/private sharing of biometric data, considering further work on the issue a necessity.
This review sheds a light on the questionable legality of the biometric recognition systems being deployed in the UK. The author states that “[t]he world is at the beginning of an ambitious new revolution in the collection, use and processing of biometric data both by public authorities and the private sector” and, “[i]n order to protect our fundamental rights … this revolution in biometric data use will need to be accompanied by a similarly ambitious new legal and regulatory regime”. Hence the urgent need for regulation as a way of preventing the misuse of this technology by public and private actors.