Biometrics and privacy – consultation underway for regulation in Aotearoa, New Zealand

The collection of biometric information has become increasingly prevalent across various sectors, driven by advancements in technology (including artificial intelligence) and a growing demand for the efficiencies, process improvements and outcomes it can deliver.

Biometric information such as fingerprints, facial features, iris patterns, voiceprints, and gait, coupled with biometric processing technologies, offer a means of verifying individuals' identities, and inferring characteristics such as mood and physical state. Biometric-enabled devices have become commonplace in everyday life, from smartphone facial recognition to security checkpoints. Companies may utilise biometric information to enhance user experience, streamline processes, and bolster security measures.

While there are clear benefits, some commentators have identified privacy concerns driven by the widespread adoption of biometric technologies, prompting calls for regulation to safeguard individuals' rights and mitigate risks. Biometric information, being inherently personal and immutable, arguably presents heightened risks such as identity theft and intrusive monitoring. Moreover, the collection and use of biometric information raises concerns about surveillance, as biometric systems can enable pervasive monitoring and tracking of individuals' movements and activities, which could infringe upon privacy rights.

In response to these concerns, the Office of the Privacy Commissioner (OPC) released a draft Biometrics Processing Privacy Code (Code) and consultation document on the 10 April 2024, available here. As part of this process, the OPC has requested feedback from the public on the exposure draft by the 8 May 2024.

This article looks at:

• key takeaways;
• what we think; and
• what it means for businesses.

KEY TAKEAWAYS

The Code sets out rules governing the purpose, sourcing, collection, storage, accessibility, retention, disclosure and limitations on the use of biometric information. Biometric information is defined as the following, to the extent it is about an identifiable individual: a behavioural, physiological, biometric sample, biometric template or biometric result, in connection with any type of biometric processing.

Scope: importantly, the Code focuses on automated systems for processing biometric information and excludes biometric information that is used in manual processes. It also excludes health information collected and used by health agencies (which is subject to the Health Information Privacy Code) and information about a person's biological and genetic material, brain activity or nervous system.

However, the scope of what constitutes 'biometric information' is broad. For example, it includes a 'biometric result' (such as an alert or match). This means an organisation that relies on biometric processing by a third party could be caught by the Code even though it does not process 'biometric' data itself. For example, if a law firm uses a third party to undertake ID verification as part of its anti-money laundering obligations, and that third party used automated biometric processing (such as facial recognition), the result (eg 'pass'/'fail') sent to the law firm would be 'biometric information'.

Additionally, unlike biometric regulation in other jurisdictions, the draft Code applies to 'biometric classification' – which is essentially the analysis of biometric information to detect or infer other information about a person, such as emotion recognition systems.

Departures from the Privacy Act: the Code amends the Information Privacy Principles (IPPs) of the Privacy Act 2020 (the Act) in relation to biometric information. Rules 1, 2, 3, 4, 6 and 10 of the Code modify their corresponding IPPs in the Act. For a summary of the key differences between the Code's Rules and the existing IPPs, refer to the table at the end of this article.

Transparency requirements: transparency requirements have increased from the current notification obligations in the Privacy Act. The Code requires organisations to give the following notices when collecting biometric information:

• conspicuous notice: a written or verbal notice in plain language that is displayed or presented where it can be easily noticed by individuals before their biometric information is collected. It must include a location / address where people can find the organisation's accessible notice (but must stand alone from the accessible notice or any privacy statement); and

• accessible notice: a plain language notice that is readily accessible to people and presented independently of any privacy statement.

Proportionality assessment: The Code requires organisations to undertake a proportionality assessment to determine whether they should collect and use biometric information. This goes beyond current requirements of the Privacy Act and requires a further assessment of the:

• effectiveness of the biometric processing in achieving the organisation's lawful purpose;
• degree of privacy risk;
• alternative means to biometric processing;
• benefit of achieving the purpose through biometric processing weighed against the privacy risks; and
• cultural impacts and effects of biometric processing on Māori and any other demographic group.

Consent not a requirement: Under the Code, consent for the collection and use of biometric information is not a general requirement. However, it is one of the 'privacy safeguards' that can be used to reduce the privacy risks associated with processing biometric information. This is a significant development since the OPC's proposal in 2023, where consent was a requirement. The change was made for two reasons: it was impractical to develop a consent requirement that worked in a broad range of contexts, and consent was deemed an unnecessary burden for people with busy lives and it risked being overlooked.

Instead, organisations have been given the responsibility to uphold privacy rights by ensuring the collection of biometric data is transparent and done in appropriate circumstances, limiting the use of biometrics.

However, the OPC's consultation paper emphasises that informed consent should be obtained unless it is not practical in the circumstances.

Fair processing: the Code expressly prohibits the use of biometric classification to collect health information (for example, genetic conditions based on facial features), information about an individual's inner state or physical state (such as emotion or personality, alertness or attention level), or information about an individual to categorise them according to their age or a 'restricted biometric category' (a biometric category (other than age) that is a prohibited ground of discrimination under the Human Rights Act 1993). The OPC's consultation paper considers these types of processing to be highly intrusive and unfair, and therefore should be prohibited. There are some (limited) exceptions to the prohibition, such as where biometric information is used to detect an individual's physical state for health and safety purposes, or using age estimation to help restrict children's access to age-restricted goods.

Biometrics and Māori data: in developing the Code, the OPC has considered how biometric information holds cultural significance for Māori and how the use of biometric technology may perpetuate bias and negative profiling of Māori. The OPC determined that the best way to protect Māori biometric information is to strengthen the protections of biometric information overall and include built-in requirements that respond to specific concerns, including cultural consideration under the proportionality assessment.

Biometrics unrestricted for marketing purposes: the OPC's proposal in 2023 intended to restrict the use of biometrics for marketing. The Code no longer proposes this restriction. Instead, the OPC focuses on prohibiting intrusive types of biometric classification (such as emotion recognition), rather than a whole sector or use case.

WHAT DO WE THINK?

We understand the concerns expressed by some commentators about the potential for heightened risks with automated processing of inherently sensitive information like biometric data. However, in principle, we are concerned about the introduction of an economy-wide code that applies to all processing of a specific type of information or using specific technology.

The Privacy Act establishes a flexible, principles-based framework that is deliberately technology-neutral and can be applied to all activities involving the processing of personal information. Unlike privacy regulation in other jurisdictions, the Privacy Act does not include a legislative concept of 'sensitive information' or 'special categories of data'. Instead, the Act's flexibility (specifically, the obligations that require organisations to take steps or implement safeguards that are 'reasonable in the circumstances') allows a higher standard to be applied to the processing of inherently sensitive data, such as biometric information. 

Current codes of practice apply to specific sectors (such as the Health Information Privacy Code 2020 and the Telecommunications Information Privacy Code 2020) or in specific circumstances (the Civil Defence National Emergencies (Information Sharing) Code 2020). This economy-wide Code is a departure from the current approach to codes of practice.

Given the Privacy Act's inbuilt flexibility, we are not convinced of the need for a separate Biometric Processing Privacy Code. Moreover, we are concerned that it sets a precedent for specific regulation of new technologies, undermining the Privacy Act's flexible approach to protecting personal information, and creating unnecessary compliance burdens for organisations. If this becomes a trend, with the pace at which new technologies are becoming mainstream, it is not a big leap to imagine a patchwork of binding codes making it challenging for businesses in Aotearoa to leverage the benefits of technological development.

Our specific thoughts on the draft Code are:

• We were pleased to see the consent requirement removed from this iteration of the OPC's position on biometrics. The Privacy Act is a notice, rather than consent, based regime – the introduction of a consent requirement would have been a significant departure from New Zealand's current privacy framework. However, the strong focus in the OPC's consultation document on obtaining informed consent unless it is impractical to do so needs to be worked through in more detail.

• We also think the inclusion of 'biometric results' in the definition of 'biometric information' extends the scope of the Code beyond what is required to protect inherently sensitive biometric data such as facial features or fingerprints.

CONSEQUENCES FOR BUSINESSES

If the Code comes into force, it would apply immediately to any organisations that process biometric information. Organisations already undertaking biometric processing before the Code is in force would have six months to become compliant.

If you plan to, or currently, collect or develop biometric information/technology using automated processes, you will need to review your practices by asking:

• Is the collection of biometric information appropriate for and proportionate to the purpose we are trying to achieve?
• Are there alternative means of achieving the same purpose without using biometric information?
• Does our use of biometric information fall into an area which the Code prohibits?
• Do we collect Māori biometric information and if so, how does we plan to assess cultural impact?

If you would like help understanding how the Code would apply to you, please get in touch with DLA Piper's privacy and data experts.

HAVE YOUR SAY

The OPC is seeking feedback on the exposure draft of the Code. Submissions are due by the 8 May 2024.

The OPC has outlined three key areas of inquiry:

• Proportionality: How should organisations be required to balance the pros and cons of biometrics before using them?
• Transparency: How and what should people be told when their biometric data is being collected?
• Fair processing limitations: What are some activities that biometrics should not be used for?

We recommend you also consider:

• the requirement to adopt reasonable and relevant privacy safeguards (such as obtaining consent);
• whether you agree with the new notification requirements;
• the various definitions of biometric information and exclusions;
• whether you agree with the fair processing limits in Rule 4;
• whether organisations require more time to comply with the Code once in force;
• the exclusion of health agencies from the scope of the Code;
• the OPC's discussion on the cultural impact on Māori;
• whether the Code should only focus on automated processing; and
• the various exceptions and whether you would add, remove or keep them.

We would be happy to assist you in drafting a submission to the OPC. Please get in touch with DLA Piper's privacy and data experts.