BIOMETRIC DATA AND THE LAW: SAFEGUARDING INDIVIDUAL RIGHTS

ABSTRACT

Facial recognition, fingerprint scanning, and iris recognition are just some of the applications that have brought biometric technologies into everyday use, ranging from law enforcement to consumer applications. Yet while these technologies are said to guarantee security and convenience, they are simultaneously mired in legal and ethical dilemmas. Just a few of the challenges that remain are data privacy risks, mass surveillance, algorithmic biases, and whether the regulatory framework goes far enough to protect individual rights. This paper discusses the legal perspectives arising out of the collection and use of biometric data by analysing the global regulatory landscape comprising the GDPR, BIPA, and the Aadhaar Act. It then discusses landmark cases such as Rosenbach v. Six Flags and Bridges v. South Wales Police, which show the evolution of judicial thought. The paper then discusses ethical challenges regarding consent, equity, and accountability and provides recommendations for better legal safeguards. By weighing innovation against privacy and equity, this study aspires to contribute to the creation of a fair and robust biometric governance framework.

KEYWORDS
  • Biometric Privacy
  • Data Protection
  • Algorithmic Bias
  • Mass Surveillance
  • Regulatory Frameworks
INTRODUCTION

Biometric technologies use a person’s unique physical, physiological, or behavioural attributes to identify or verify him or her. From facial recognition that unlocks smartphones to fingerprint scans that verify one’s identity, biometrics are used for security and convenience. Applications of this technology include, but are not limited to, law enforcement, banking, healthcare, and national identification systems. The growing adoption of biometrics brings increased legal, ethical, and privacy challenges. Unlike passwords or PINs, biometric data is inalterable, and its misuse or compromise is a serious threat to the privacy of individuals. The integration of biometrics into surveillance systems has raised debates around mass surveillance, algorithmic bias, and discrimination. Besides, the storage and treatment of sensitive biometric data stir debates on informed consent, data ownership, and misuse by corporations and governments alike. Though regulatory frameworks like the GDPR in Europe and the Biometric Information Privacy Act (BIPA) in Illinois provide some backing, most jurisdictions have yet to pass comprehensive legislation addressing biometric-specific risks.

RESEARCH METHODOLOGY

This paper is descriptive in nature, and the research is based on secondary sources for an in-depth analysis of biometric data and the law safeguarding individual rights. Secondary sources of information such as newspapers, journals, and websites are used for the research.

REVIEW OF LITERATURE

Jain, Flynn, & Ross (2019) [1] provided an extensive review of biometric technologies and their dual-edged impact on privacy and security. They cover facial recognition systems, fingerprint systems, and iris scans, analysing how these very systems widen the circle of security while bringing with them the potential for breach, surveillance, and identity theft. The authors also discuss legal inconsistency at the global level and underscore that “stringent measures” must be instituted as countermeasures to any probable harms. They also use case studies, such as India’s Aadhaar system, to illustrate the strengths and weaknesses of such large-scale biometric projects.

Mantelero (2018) [2] outlined the strict conditions under which biometric data can be processed, including explicit consent, minimum data collection, and the rights to access and erasure. The article also looks at enforcement under the GDPR, focusing on fines for non-compliance, among other things, and discusses how it shapes global data protection standards.

Garvie, Bedoya, & Frankle (2016) [3] discussed the unregulated use of face recognition technology by police forces across the country. Its serious problems, like racial and gender bias in algorithms, a high possibility of wrongful arrests, and violations of civil liberties, call for a highly critical look at face recognition.

Ajunwa, & Schultz (2017) [4] deal with the spread of biometric systems in the workplace: fingerprint scanning, face identification, and others. The authors express critical views on consent in certain applications and on power differences between employers and employees. The legal disputes spill over to class action suits under one of the most comprehensive U.S. statutes against unauthorized collection and misuse of biometric data, the Biometric Information Privacy Act of Illinois.

Gelb & Clark (2018) [5] analyse the role of biometrics in global development, focusing on large-scale identification systems like Aadhaar in India and similar initiatives in Africa. While acknowledging the benefits of such systems in improving access to public services and financial inclusion, the authors also highlight risks, including exclusion due to errors, misuse of data, and inadequate safeguards.

Methods
Biometrics and Associated Risks

The advantages of biometric identifiers (fingerprints, face and iris recognition, voice recognition), namely unparalleled convenience and security, are apparent. Unlike passwords or even traditional identifiers, however, biometrics are immutable: once compromised, they cannot be changed. It is this very immutability that makes their misuse so destructive, whether in the form of identity theft, unauthorized surveillance, or discriminatory practices. Increased dependency on biometrics introduces yet another level of risk: that related to centralization.¹ Large databases of sensitive biometric data have become one of the most valuable targets of cyberattacks. The breach of such sensitive data, as was evident in the 2015 hack of 5.6 million fingerprints in the U.S. Office of Personnel Management, shows the vulnerabilities associated with employing biometric systems. Thirdly, most of these biometric technologies are deployed in the absence of proper oversight, and questions have been raised regarding the adequacy of existing legal frameworks protecting individual rights.

Legal Frameworks Governing Biometrics

Biometric data regulation varies from one place to another around the world, reflecting the peculiar challenges and concerns associated with its use. For instance, in Europe, biometric data is considered “special category data” under the General Data Protection Regulation, enjoying heightened protection under Article 9. Processing biometric data is prohibited unless there is explicit consent or another legal basis. Organizations also must perform Data Protection Impact Assessments to consider certain risks linked with the processing of biometric data. The stringency of the GDPR is seen in a 2021 case in Sweden, where a school was fined for using facial recognition to monitor attendance without valid consent, thus showing the place of regulation in the protection of individual rights. The most robust biometric-specific laws include the Biometric Information Privacy Act, or BIPA, of Illinois in the United States. It was enacted in 2008 and requires consent before collecting any biometric information, while any sale or improper disclosure of such information is banned. Non-compliance attracts considerable penalties; for instance, the decision of the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp. maintained the stern requirements of BIPA. Besides, a 2020 settlement in a class-action suit regarding Facebook biometric privacy is going to pay $650 million in compensation for unauthorized facial recognition, a landmark precedent for corporate accountability regarding biometric privacy.

¹ Sonia B. Silva, Privacy, and Identity Management: The Challenges of Biometric Applications (Springer 2011).

The Aadhaar Act, which governs the working of the Aadhaar system in India, the largest biometric database in the world, promotes efficiency in service delivery, but there are also concerns about privacy and data security. The judgment of the Indian Supreme Court in Justice K.S. Puttaswamy v. Union of India, pronounced in 2017, declared privacy a fundamental right and restricted the use of Aadhaar by insisting on proportionality and consent in collecting biometric data. Other jurisdictions, such as Australia, Singapore, and Canada, have also passed legislation on data protection that covers biometrics. The Singaporean PDPA requires an organization to notify an individual about the collection of biometric data and obtain consent. However, globally, the lack of consensus-based standards still creates difficulty for cross-border sharing, among other issues, and as a result there has been a growing need for uniform international governance.

Ethics Concerning the Use of Biometric Data

The use of biometric technology has tremendous ethical implications, especially in regard to informed consent, algorithmic bias, and mass surveillance. Informed consent is an ethical core of data collection; however, most biometric systems try to avoid such requirements. For instance, people have their images recorded by face recognition cameras fitted in public places without knowing it or giving consent. Transparency means that an organization should be able to explain how it collects, stores, and uses biometric data.²

Another critical concern is that of algorithmic bias; notably, facial recognition technology has been shown to exhibit racial and gender biases. Studies from institutions ranging from MIT to Georgetown University show that these systems are more likely to misidentify people of color and women, and to do so in a way that can produce false positive identifications and discriminatory results. Notably, there was the wrongful arrest of Robert Williams in Michigan due to inaccuracies in a facial recognition algorithm. Incidents like this further heighten the urgent need for bias mitigation and the ethical development of unbiased algorithms.

Biometric technology has great potential for misuse in mass surveillance, which seriously threatens privacy and civil liberties. Facial recognition is extensively deployed in countries like China to monitor people, which raises very important concerns regarding state overreach for social control. Where surveillance goes unchecked, even democratic societies may suffer reduced public trust and individual freedom. In the face of these concerns, strong oversight mechanisms and legal safeguards must be put in place, ensuring that biometric technology offers benefits in balance with human rights and ethical standards.

² Brandon R. McKelvey, An Examination of the Biometric Information Privacy Act in Illinois, 40 J. Marshall L. Rev. 771 (2007).

Sector-Specific Applications and Challenges

Biometric technologies are becoming all-pervasive across various sectors, enhancing efficiency, security, and convenience. With the advantages, however, come special challenges related to privacy, misuse, and ethical implications. Applications can be seen in law enforcement, national security, identification of suspects, border control, and crime prevention. Such applications can go a long way in ensuring public safety but are also associated with risks of misuse and overreach. The landmark UK case of R. (Bridges) v. South Wales Police, in 2020, echoed these concerns, wherein the court held that it was unlawful for police to use live facial recognition technology. The ruling emphasized inadequate data protection measures, lack of transparency, and insufficient legal safeguards governing the technology’s use. This case underlines the necessity for effective frameworks that balance public security against individual rights, making sure that surveillance technologies do not whittle down privacy and civil liberties.

In employment settings, biometric systems are increasingly applied for timekeeping, access control, and monitoring employee productivity. While such technologies bring in operational efficiencies, they also raise severe privacy risks for employees. For example, in Liu v. Four Seasons Hotel Ltd., employees in Canada protested fingerprinting, arguing that it gave rise to concerns about potential misuse of their biometric information and lack of informed consent. Such disputes reflect the broader tension between workplace security and individual privacy rights, with an emphasis on creating policies that respect both employer needs and employee autonomy.

Biometrics have become pervasive, from smartphones to wearables to payment systems.³ With such increased convenience, greater risks to the user also arise: these technologies may provide improved security and convenience, but without comprehensive consumer protection laws to prevent unauthorized access and misuse, they also create potential risks for users. This came into prominence in 2019, when Apple was sued on grounds that its facial recognition software mistakenly identified a customer as a thief. The case underlines the need to bring consumer-facing biometric technologies within the purview of accountability and specific guidelines to protect users from harm.

Biometrics has also found its place in healthcare to identify patients, grant secure access to medical records, and facilitate seamless processes like telemedicine. While these innovations have brought efficiency and reduced errors, they come with considerable risks. Breaches of biometric health data can lead to severe privacy violations and loss of trust. A 2021 cyberattack on Ireland’s Health Service Executive compromised sensitive patient data, a testament to the vulnerabilities that biometric systems in healthcare expose. Incidents like this show how important it is to take stringent security measures, such as encryption, access controls, and adherence to legal standards like HIPAA in the United States and the GDPR in Europe. The challenges of biometric technologies across all sectors show the need for stronger regulatory frameworks and ethical guidelines. While the benefits of biometrics are truly transformative, any deployment must put a premium on privacy, consent, and accountability. Policymakers and industry leaders must come together to develop sectoral regulations that make sure applications of biometrics respect human rights principles and societal values.

³ Clare Garvie, Alvaro Bedoya & Jonathan Frankle, The Perpetual Line-Up: Unregulated Police Face Recognition in America, Geo. L. Tech. Rev. (2016).

CASE LAWS
  • Rosenbach v. Six Flags Entertainment Corp. [6]

The Illinois Supreme Court held that a technical failure of compliance with BIPA established standing without the need to prove harm. This judgment indicates how seriously biometric privacy laws are taken and how such privacy violations can be considered actionable in themselves.

  • Carpenter v. United States [7]

Although not directly related to biometrics, the decision by the U.S. Supreme Court in Carpenter established that accessing sensitive data without a warrant is a violation of the Fourth Amendment. This decision will have ramifications on the use of biometric data by police forces and reinforces the importance of judicial oversight.

  • Bridges v. South Wales Police [8]

The judgment put great weight on data protection impact assessments and the proportionate use of biometric surveillance. This UK case was considered a landmark win for privacy advocates.

  • Facebook Biometric Privacy Settlement [9]

Facebook’s $650 million settlement over its breach of BIPA showed how class action lawsuits can make sure that corporations are held accountable for biometric privacy violations. It also brings to light the role informed consent plays in ensuring compliance.

  • Justice K.S. Puttaswamy (Retd.) v. Union of India [10]

The judgment delivered by the Supreme Court of India declared the right to privacy a fundamental right under Article 21 of the Indian Constitution. The petitions were filed against the Aadhaar system, which used biometric data for authenticating identity. The Supreme Court of India upheld the Aadhaar Act but brought in limitations on its use, making the principles of proportionality, consent, and data protection integral to it.

  • Ritesh Sinha v. State of Uttar Pradesh [11]

This decision by the Supreme Court let a magistrate order someone to give his or her voice sample during a criminal investigation. It does not, in strict terms, concern biometric identification like fingerprint or iris, but it certainly opened the floodgates for debates on the use of personal identifiers and privacy.

  • Madras High Court on Biometric Attendance [12]

During the COVID-19 pandemic, the Madras High Court ordered a temporary moratorium on biometric attendance systems to avoid health risks. This case indirectly dealt with the issue of mandatory biometric systems and underlined that proportionality and situational flexibility are necessary in such cases.

These cases, therefore, engage with the developing jurisprudence of India on biometric data, privacy, and its regulatory frameworks. They also underline the principles of consent, proportionality, and safeguards in deploying such technology.

Recommendations for Legal and Ethical Safeguards

Addressing these challenges, along with many more that might arise, requires an approach on several levels. Considering the threats involved, the need of the hour is proper biometric-specific legislation designed by lawmakers. Such regulations should, inter alia, provide strict conditions for obtaining informed consent, limit data retention to minimum requirements, and impose severe punishments for non-compliance. Drawing on frameworks such as Illinois’s BIPA or the GDPR, for example, Indian policymakers could draft similarly robust regulations that meet local contexts while protecting individual rights. Transparency around algorithms is yet another area where much work must be done. Agencies implementing biometric systems must ensure that these algorithms are free from, among others, racial and gender biases.⁴ This might be achieved with independent audits, regular testing, diverse sets of training data to avoid unfair outcomes, fairness metrics, and accountability mechanisms that help ensure non-discriminatory outputs, minimizing the risk of harm.

With the cross-border use of biometric data, there is a need for international cooperation. Harmonized international standards would iron out inconsistencies and loopholes within the current regulations. This can be achieved by building on existing regimes such as the OECD Guidelines on Privacy and Data Protection or Convention 108+ of the Council of Europe. Such cooperation will also enable the safe transfer of biometric data across jurisdictions, with a guarantee that protection and its enforcement do not differ between them.

⁴ Clare Garvie et al., The Perpetual Line-Up: Unregulated Police Face Recognition in America, Geo. L. Ctr. Priv. & Tech. (2016), https://www.perpetuallineup.org.

Lastly, awareness and education of the public are critical components of a sound legal and ethical strategy. Governments and organizations must invest in educating individuals about their rights, the implications of biometric technologies, and the mechanisms available for redress.⁵ It is a mix of strict laws, open processes, international cooperation, and public participation that would ensure a level playing field in which biometric technologies can thrive without violating individual rights and ethical standards.

SUGGESTIONS

Making sure biometric data is used ethically and legally is a multidimensional affair. First, governments should enact biometric-specific legislation that puts privacy, informed consent, and significant punitive damages for non-compliance at the forefront. Models do exist, such as the General Data Protection Regulation in Europe and Illinois’s Biometric Information Privacy Act. Second, the companies implementing biometric systems will have to invest in algorithmic fairness to overcome racial, gender, and other biases. Independent audits with diverse datasets are a must to make sure that these systems produce equitable outcomes. Third, international cooperation on harmonization of data protection standards is required for addressing the challenges of cross-border data sharing. International frameworks like the OECD Guidelines or Convention 108+ should be leveraged to create universal governance principles. Finally, priority must be given to public education campaigns that increase awareness of biometric privacy rights and available legal remedies. Transparency, accountability, and robust oversight stand out as the keys to protecting individual rights while enabling innovation.

CONCLUSION

While the increased adoption of biometric technologies has been seen to revolutionize security, efficiency, and accessibility in these fields, it has at the same time raised serious legal and ethical concerns that urgently call for effective safeguards: informed consent, algorithmic bias, breaches of privacy, and mass surveillance. Legal frameworks, such as the GDPR in Europe, BIPA in the United States, and India’s Aadhaar Act, have made great strides in regulating biometric data, but many challenges remain, particularly regarding achieving global consistency and addressing emerging risks. To balance innovation with the protection of individual rights, comprehensive biometric-specific laws must be enacted worldwide. These laws should emphasize consent, data minimization, and accountability. Concurrently, organizations must prioritize algorithmic fairness, ensuring unbiased outcomes through rigorous testing and audits. International collaboration is crucial to establish harmonized standards and close regulatory gaps.

⁵ Ifeoma Ajunwa et al., Limitless Worker Surveillance: Biometric Data Collection and Workplace Privacy, 105 Cal. L. Rev. 735 (2017).

Public awareness and education on biometric privacy rights are equally important in empowering the individual and engendering trust. A balanced approach, with its roots in transparency, accountability, and ethics, will let biometric technologies thrive responsibly and protect individual rights in the digital age.

  1. Anil K. Jain, Patrick J. Flynn & Arun A. Ross, Handbook of Biometrics: Privacy and Security Implications (2019).
  2. Alessandro Mantelero, AI, and Big Data: Biometric Data Regulation Under GDPR, 34 Comp. L. Rev. 375 (2018).
  3. Clare Garvie, Alvaro Bedoya & Jonathan Frankle, The Perpetual Line-Up: Unregulated Police Face Recognition in America (2016).
  4. Ifeoma Ajunwa, Kate Crawford & Jason Schultz, Limitless Worker Surveillance: Biometric Data Collection and Workplace Privacy, 105 Calif. L. Rev. 735 (2017).
  5. Alan Gelb & Julia Clark, Identification Revolution: Achieving Sustainable Development with Biometrics (2018).
  6. Rosenbach v. Six Flags Ent. Corp., 129 N.E.3d 1197 (Ill. 2019).
  7. Carpenter v. United States, 138 S. Ct. 2206 (2018).
  8. R. (Bridges) v. Chief Constable of South Wales Police, [2020] EWCA Civ 1058 (Eng.).
  9. In re Facebook Biometric Information Privacy Litigation, 522 F. Supp. 3d 617 (N.D. Cal. 2020).
  10. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).
  11. Ritesh Sinha v. State of Uttar Pradesh, (2019) 8 SCC 1 (India).
  12. Dr. Arjun Sampath v. Union of India, W.P. No. 7412/2020 (Madras High Court, 2020).

NAME: RISHITA RAJ

COLLEGE NAME: SYMBIOSIS LAW SCHOOL, NOIDA