Parliament needs to create legislation that explicitly deals with the use of biometric technologies in the UK, according to former biometrics commissioner Paul Wiles.
The former commissioner for the retention and use of biometric material told the House of Commons Science and Technology Committee that while there was currently a “general legal framework” governing the use of biometric technologies, their pervasive nature and rapid proliferation meant a more explicit legal framework was needed.
Referencing the use of various biometric technologies by UK police in particular – including live facial recognition (LFR), voice recognition and gait analysis – Wiles said the current framework governing their use had “not kept up with the development of new biometrics” and nor had “the government responded to judgments by both domestic courts and the European Court of Human Rights about the inadequacy of that current framework”, some of which “go back almost nine years”.
Wiles further added that while the Information Commissioner’s Office (ICO) could issue opinions or guidance about the use of biometric technologies, as well as intervene if “general data [protection] requirements” are not met during their deployment, specific legislation is needed to properly establish when the tech can and cannot be used, and what uses are acceptable.
“At the moment, there is a framework that allows the information commissioner to express an opinion, but when it comes to the old biometrics – DNA and fingerprints – it was Parliament that made the decision, through legislation,” said Wiles. “That’s what I’m pointing to, that lack of a legislative framework.”
He argued that creating specific legislation for the use of biometrics would make it clear “what is in the public interest and therefore acceptable, and what is not in the public interest, and therefore not acceptable”.
In terms of police facial recognition, specifically, Wiles highlighted the retention of custody images in the Police National Database (PND) – which a 2012 High Court ruling found to be unlawful on the basis that the six-year retention period was not proportionate – as a major problem.
The PND holds roughly 23 million images taken of people in custody, regardless of whether they were subsequently convicted, and is used as the basis for the “watch lists” police LFR systems operate on to identify people’s faces.
For Wiles, however, the Management of Police Information (MoPI) rules, which govern when certain information like facial images should be deleted, are not clear enough because they give too much discretion to chief officers.
In the event Parliament fails to create specific legislation for biometrics, Wiles suggested “the most obvious thing to do” would be for Parliament to extend the Protection of Freedoms Act (POFA) from 2012, which sets “clear rules… about when DNA and fingerprints must be deleted”, to include how police should deal with facial images.
Private sector biometrics
While most of the Science and Technology Committee’s discussion centred around police use of biometrics, Wiles said the pervasiveness and use of such technologies in the private sector would also need to be addressed by new legislation.
“Public interest in this issue developed very rapidly with the use of live facial recognition by South Wales Police and the Metropolitan Police. There was clearly a public concern…that there wasn’t already a clear legal framework around the use of facial images in this way,” he said, adding it was a “galvanising event” that brought more attention to the use of LFR by private companies too.
“It will be possible in the future to use live facial recognition purely for a private commercial profit motive interest, without necessarily making the individual aware that it is going on. This is simply the analogue of what we’re already seeing in the use made of the data that every day all of us give, not just to big tech companies but the small companies as well, and the fact that they are exploiting that and selling that data on without us really understanding.”
Referring to the case of South Wales Police – which the High Court ruled in August 2020 was using LFR unlawfully by not having conducted the appropriate checks for bias and discrimination – Wiles pointed to the fact the tech was provided by a private firm “which refused to disclose what they knew about [the system’s] biases” to the police force, something that would need to be addressed in legislation.
The supplier to both South Wales Police and the Metropolitan Police, Japanese biometrics firm NEC, launched a facial recognition system in January 2021 specifically for identifying people wearing masks.
Since the start of the pandemic, a slew of other biometrics companies from across the globe have been busy updating their facial recognition algorithms to identify people with hidden faces, also in response to the sudden and widespread adoption of masks.
In June 2021, information commissioner Elizabeth Denham said she was “deeply concerned” about the inappropriate and reckless use of LFR in public spaces, prompting her to publish an official Information Commissioner’s Opinion to act as guidance for companies and public organisations looking to deploy biometric technologies.
In an accompanying blog post, she noted: “It is telling that none of the [private] organisations involved in our completed investigations were able to fully justify the processing and, of those systems that went live, none were fully compliant with the requirements of data protection law. All of the organisations chose to stop, or not proceed with, the use of LFR.”
A patchwork of legislation
In July 2019, the Science and Technology Committee published a report that identified the lack of legislation surrounding LFR, and called for a moratorium on its use until a framework was in place.
In its official response to the report, which was given in March 2021 after a delay of nearly two years, the government claimed there was “already a comprehensive legal framework for the management of biometrics, including facial recognition”.
Outlining the framework, the government said it included police common law powers to prevent and detect crime, the Data Protection Act 2018 (DPA), the Human Rights Act 1998, the Equality Act 2010, the Police and Criminal Evidence Act 1984 (PACE), the Protection of Freedoms Act 2012 (POFA), and police forces’ own published policies.
“In terms of oversight and regulation, the Information Commissioner’s Office regulates compliance with the DPA, including police use and retention of biometrics, and POFA created the surveillance camera commissioner and biometrics commissioner roles and the Forensic Information Databases Service strategy board, which oversees the police DNA and fingerprint databases,” it said.
“While it is a strong framework, the government recognises that it is complex for the police and public, and so could arguably inhibit the confident adoption of technologies that can help us improve public safety and keep up with the pace of technological change.”
Responding to the Science and Technology Committee’s questions about whether the government would seek to legislate specifically on biometrics, policing minister Kit Malthouse said: “Obviously there is a framework at the moment, and that’s been adduced through the courts, but as technology advances we would like to get to a position where both the police and the public can be confident about the legislative architecture that enables the adoption of future technology.
“Whether that is required through legislation or not is a matter of a discussion, but we’ve got a manifesto commitment, so no doubt we’ll be bringing forward plans before the next election.”
Malthouse was asked for a more specific timeline, but was unable to provide one at the time.