Biometric Data – Is The Law Falling Behind?
In 2001, the laws regulating the collection of biometric data in England and Wales were radically reformed. The Criminal Justice and Police Act 2001 empowered the police force to keep fingerprint records for an unrestricted period of time. These records were retained even when the individual was not convicted of a crime. Consequently, this evolved into the world’s largest database of DNA, raising concerns relating to human rights as a by-product.
After years of frustration towards this practice, the law was amended following the decision in S and Marper v United Kingdom [2008]. The applicants successfully argued that there was a violation of their right to respect for private and family life (Article 8 ECHR), leading to the Protection of Freedoms Act 2012. Since, there have been no further legislative developments strictly focused on the collection, storage and use of biometric data.
However, the last 11 years have seen vast technological advances. There is no indication of this trend plateauing. As biometric data becomes more useful, in both the private and public sectors, it naturally becomes more sensitive. For this reason, the adequacy of our current legislation should be assessed. Efforts towards this have already begun with the publication of The Ryder Review in June 2022.
The Ryder Review provides an extensive discussion on biometric data, including a summary of rapid developments in the last three decades. The Review focuses on providing ten recommendations for our lawmakers to consider when drafting future legislation.
The first recommendation focuses on the “urgent need” for a new legal framework in this field. This suggestion is underpinned by the fact that there is currently no single source of authority regulating biometric data in the UK. Instead, there is a “patchwork of overlapping laws” - a structure which is problematic for two reasons. Firstly, it introduces uncertainty for individuals, regarding their rights and the extent of protection. Secondly, it leaves companies, which aim to utilise biometric data, with difficulties when assimilating the boundaries that confine their conduct.
Importantly, Recommendation 6 stipulates that a new framework should “supplement, and not replace” duties which are already implemented in legislation.
One source of law which requires such attention is the Data Protection Act 2018. The Act includes a definition of biometric data in the UK, as adopted from the General Data Protection Regulation (GDPR). Currently, the GDPR only addresses biometric data used for identification purposes. Whilst identifying an individual is a key feature of biometric data, recent technological developments have led to other uses, including the classification of individuals on characteristics such as race and sex. Indeed, this does not always result in malicious use. However, the express wording of the GDPR may deprive individuals in such circumstances of further protection.
Conclusion
Technology relating to biometric data is advancing at a significant rate, yet the laws regulating it do not appear to reciprocate these developments. This is an extensive topic which deserves further discussion; this article has sought to promote discourse on the topic.
By Alexander McLean