16 April 202410 minute read

Biometrics and privacy – consultation underway for regulation in Aotearoa, New Zealand

The collection of biometric information has become increasingly prevalent across various sectors, driven by advancements in technology (including artificial intelligence) and a growing demand for the efficiencies, process improvements and outcomes it can deliver.

Biometric information such as fingerprints, facial features, iris patterns, voiceprints, and gait, coupled with biometric processing technologies, offer a means of verifying individuals' identities, and inferring characteristics such as mood and physical state. Biometric-enabled devices have become commonplace in everyday life, from smartphone facial recognition to security checkpoints. Companies may utilise biometric information to enhance user experience, streamline processes, and bolster security measures.

While there are clear benefits, some commentators have identified privacy concerns driven by the widespread adoption of biometric technologies, prompting calls for regulation to safeguard individuals' rights and mitigate risks. Biometric information, being inherently personal and immutable, arguably presents heightened risks such as identity theft and intrusive monitoring. Moreover, the collection and use of biometric information raises concerns about surveillance, as biometric systems can enable pervasive monitoring and tracking of individuals' movements and activities, which could infringe upon privacy rights.

In response to these concerns, the Office of the Privacy Commissioner (OPC) released a draft Biometrics Processing Privacy Code (Code) and consultation document on the 10 April 2024, available here. As part of this process, the OPC has requested feedback from the public on the exposure draft by the 8 May 2024.

This article looks at:

  • key takeaways;
  • what we think; and
  • what it means for businesses.

 

KEY TAKEAWAYS

The Code sets out rules governing the purpose, sourcing, collection, storage, accessibility, retention, disclosure and limitations on the use of biometric information. Biometric information is defined as the following, to the extent it is about an identifiable individual: a behavioural, physiological, biometric sample, biometric template or biometric result, in connection with any type of biometric processing.

Scope: importantly, the Code focuses on automated systems for processing biometric information and excludes biometric information that is used in manual processes. It also excludes health information collected and used by health agencies (which is subject to the Health Information Privacy Code) and information about a person's biological and genetic material, brain activity or nervous system.

However, the scope of what constitutes 'biometric information' is broad. For example, it includes a 'biometric result' (such as an alert or match). This means an organisation that relies on biometric processing by a third party could be caught by the Code even though it does not process 'biometric' data itself. For example, if a law firm uses a third party to undertake ID verification as part of its anti-money laundering obligations, and that third party used automated biometric processing (such as facial recognition), the result (eg 'pass'/'fail') sent to the law firm would be 'biometric information'.

Additionally, unlike biometric regulation in other jurisdictions, the draft Code applies to 'biometric classification' – which is essentially the analysis of biometric information to detect or infer other information about a person, such as emotion recognition systems.

Departures from the Privacy Act: the Code amends the Information Privacy Principles (IPPs) of the Privacy Act 2020 (the Act) in relation to biometric information. Rules 1, 2, 3, 4, 6 and 10 of the Code modify their corresponding IPPs in the Act. For a summary of the key differences between the Code's Rules and the existing IPPs, refer to the table at the end of this article.

Transparency requirements: transparency requirements have increased from the current notification obligations in the Privacy Act. The Code requires organisations to give the following notices when collecting biometric information:

  • conspicuous notice: a written or verbal notice in plain language that is displayed or presented where it can be easily noticed by individuals before their biometric information is collected. It must include a location / address where people can find the organisation's accessible notice (but must stand alone from the accessible notice or any privacy statement); and
  • accessible notice: a plain language notice that is readily accessible to people and presented independently of any privacy statement.

Proportionality assessment: The Code requires organisations to undertake a proportionality assessment to determine whether they should collect and use biometric information. This goes beyond current requirements of the Privacy Act and requires a further assessment of the:

  • effectiveness of the biometric processing in achieving the organisation's lawful purpose;
  • degree of privacy risk;
  • alternative means to biometric processing;
  • benefit of achieving the purpose through biometric processing weighed against the privacy risks; and
  • cultural impacts and effects of biometric processing on Māori and any other demographic group.

Consent not a requirement: Under the Code, consent for the collection and use of biometric information is not a general requirement. However, it is one of the 'privacy safeguards' that can be used to reduce the privacy risks associated with processing biometric information. This is a significant development since the OPC's proposal in 2023, where consent was a requirement. The change was made for two reasons: it was impractical to develop a consent requirement that worked in a broad range of contexts, and consent was deemed an unnecessary burden for people with busy lives and it risked being overlooked.

Instead, organisations have been given the responsibility to uphold privacy rights by ensuring the collection of biometric data is transparent and done in appropriate circumstances, limiting the use of biometrics.

However, the OPC's consultation paper emphasises that informed consent should be obtained unless it is not practical in the circumstances.

Fair processing: the Code expressly prohibits the use of biometric classification to collect health information (for example, genetic conditions based on facial features), information about an individual's inner state or physical state (such as emotion or personality, alertness or attention level), or information about an individual to categorise them according to their age or a 'restricted biometric category' (a biometric category (other than age) that is a prohibited ground of discrimination under the Human Rights Act 1993). The OPC's consultation paper considers these types of processing to be highly intrusive and unfair, and therefore should be prohibited. There are some (limited) exceptions to the prohibition, such as where biometric information is used to detect an individual's physical state for health and safety purposes, or using age estimation to help restrict children's access to age-restricted goods.

Biometrics and Māori data: in developing the Code, the OPC has considered how biometric information holds cultural significance for Māori and how the use of biometric technology may perpetuate bias and negative profiling of Māori. The OPC determined that the best way to protect Māori biometric information is to strengthen the protections of biometric information overall and include built-in requirements that respond to specific concerns, including cultural consideration under the proportionality assessment.

Biometrics unrestricted for marketing purposes: the OPC's proposal in 2023 intended to restrict the use of biometrics for marketing. The Code no longer proposes this restriction. Instead, the OPC focuses on prohibiting intrusive types of biometric classification (such as emotion recognition), rather than a whole sector or use case.

 

WHAT DO WE THINK?

We understand the concerns expressed by some commentators about the potential for heightened risks with automated processing of inherently sensitive information like biometric data. However, in principle, we are concerned about the introduction of an economy-wide code that applies to all processing of a specific type of information or using specific technology.

The Privacy Act establishes a flexible, principles-based framework that is deliberately technology-neutral and can be applied to all activities involving the processing of personal information. Unlike privacy regulation in other jurisdictions, the Privacy Act does not include a legislative concept of 'sensitive information' or 'special categories of data'. Instead, the Act's flexibility (specifically, the obligations that require organisations to take steps or implement safeguards that are 'reasonable in the circumstances') allows a higher standard to be applied to the processing of inherently sensitive data, such as biometric information. 

Current codes of practice apply to specific sectors (such as the Health Information Privacy Code 2020 and the Telecommunications Information Privacy Code 2020) or in specific circumstances (the Civil Defence National Emergencies (Information Sharing) Code 2020). This economy-wide Code is a departure from the current approach to codes of practice.

Given the Privacy Act's inbuilt flexibility, we are not convinced of the need for a separate Biometric Processing Privacy Code. Moreover, we are concerned that it sets a precedent for specific regulation of new technologies, undermining the Privacy Act's flexible approach to protecting personal information, and creating unnecessary compliance burdens for organisations. If this becomes a trend, with the pace at which new technologies are becoming mainstream, it is not a big leap to imagine a patchwork of binding codes making it challenging for businesses in Aotearoa to leverage the benefits of technological development.

Our specific thoughts on the draft Code are:

  • We were pleased to see the consent requirement removed from this iteration of the OPC's position on biometrics. The Privacy Act is a notice, rather than consent, based regime – the introduction of a consent requirement would have been a significant departure from New Zealand's current privacy framework. However, the strong focus in the OPC's consultation document on obtaining informed consent unless it is impractical to do so needs to be worked through in more detail.
  • We also think the inclusion of 'biometric results' in the definition of 'biometric information' extends the scope of the Code beyond what is required to protect inherently sensitive biometric data such as facial features or fingerprints.

 

CONSEQUENCES FOR BUSINESSES

If the Code comes into force, it would apply immediately to any organisations that process biometric information. Organisations already undertaking biometric processing before the Code is in force would have six months to become compliant.

If you plan to, or currently, collect or develop biometric information/technology using automated processes, you will need to review your practices by asking:

  • Is the collection of biometric information appropriate for and proportionate to the purpose we are trying to achieve?
  • Are there alternative means of achieving the same purpose without using biometric information?
  • Does our use of biometric information fall into an area which the Code prohibits?
  • Do we collect Māori biometric information and if so, how does we plan to assess cultural impact?

If you would like help understanding how the Code would apply to you, please get in touch with DLA Piper's privacy and data experts.

 

HAVE YOUR SAY

The OPC is seeking feedback on the exposure draft of the Code. Submissions are due by the 8 May 2024.

The OPC has outlined three key areas of inquiry:

  • Proportionality: How should organisations be required to balance the pros and cons of biometrics before using them?
  • Transparency: How and what should people be told when their biometric data is being collected?
  • Fair processing limitations: What are some activities that biometrics should not be used for?

We recommend you also consider:

  • the requirement to adopt reasonable and relevant privacy safeguards (such as obtaining consent);
  • whether you agree with the new notification requirements;
  • the various definitions of biometric information and exclusions;
  • whether you agree with the fair processing limits in Rule 4;
  • whether organisations require more time to comply with the Code once in force;
  • the exclusion of health agencies from the scope of the Code;
  • the OPC's discussion on the cultural impact on Māori;
  • whether the Code should only focus on automated processing; and
  • the various exceptions and whether you would add, remove or keep them.

We would be happy to assist you in drafting a submission to the OPC. Please get in touch with DLA Piper's privacy and data experts.

Breakdown of the Biometrics Processing Privacy Code

Summary

Organisations must only collect biometric information when it is necessary for a lawful purpose connected with the function of the organisation. Organisations must consider the proportionality of their biometric processing and adopt applicable privacy safeguards.

Key differences to the equivalent IPP

Rule 1 has two additional considerations, being the adoption/implementation of privacy safeguards that are reasonable in the circumstances, and a proportionality assessment which requires organisations to assess whether the biometric processing is disproportionate in the circumstances.

Circumstances include assessing:

  • Effectiveness of biometric processing in achieving the purpose
  • Degree of privacy risk
  • Alternative means to biometric processing
  • Whether the benefit outweighs privacy risks
  • Cultural impacts of biometric processing on Māori and any other demographic group

Summary

Organisations must collect information directly from the relevant individual unless an exception applies.

Exceptions will apply where:

  • compliance prejudices the interests of the individual;
  • compliance prejudices the purpose of collection;
  • the individual authorises collection from someone else;
  • the information is publicly available;
  • legal or regulatory action or threat to life or safety are involved;
  • compliance is not reasonably practicable; or
  • information will be anonymised or will be used for research and publication is anonymous.

Key differences to the equivalent IPP

Rule 2 corresponds with IPP 2 but adds a specific ban on the collection of biometric samples via web scraping, other than collecting biometric samples that are publicly available information.

Summary

Before (or as soon as practicable after) collecting biometric information, an organisation must make relevant individuals aware of certain things:

  • that biometric information is being collected;
  • the purposes of collection with due particularity;
  • the intended recipients of the information;
  • contact details of the organisations collecting and holding the information;
  • consequences for the individual if the information is not provided;
  • rights of access and correction;
  • alternative options to biometric processing;
  • a summary of the organisation's information retention policies;
  • the process and rights of an individual to raise a concern or complaint about the processing and handling of their biometric information; and
  • policies, protocols and procedures that apply to the organisation's use and disclosure of biometric information.

Key differences to the equivalent IPP

Rule 3 goes beyond IPP 3's requirements by creating obligations to provide 'accessible notices' and 'conspicuous notices' as defined in the Code. The list of things an organisation must make individuals aware of has expanded.

There are also fewer exceptions to the notification requirement.

Summary

Organisations must not collect biometric information by unlawful or unfair means, or in a manner that intrudes to an unreasonable extent upon the personal affairs of the individual concerned, particularly where personal information is being collected from children.

Organisations may not use biometric classification (the process of inferring or detecting through analysis, health, inner state or physical state information or information) to categorise the individual according to restricted biometric categories or age.

Exceptions will apply if the organisation believes on reasonable grounds that:

  • physical state information is necessary for meeting health and safety standards;
  • age-estimation is necessary to comply with law, access limits or meet a duty owed to the individual;
  • collection is necessary to assist an individual with accessibility;
  • collection is necessary to prevent/lessen threats to the life or health of an individual or public health or safety; or
  • collection is for statistical or research purposes (and has ethical oversight, approval and authorisation from the individual concerned) and publication is anonymous.

Key differences to the equivalent IPP

In addition to IPP 4, organisations must not use biometric classification to collect information about people’s health, inner state (personality or mood), physical state or their demographic information like gender or ethnicity (restricted categories), unless an exception applies.

Summary

Organisations must ensure biometric information is protected by reasonable security safeguards against loss and unauthorised access, use, modification or disclosure, including when giving information to third parties (e.g. service providers).

Key differences to the equivalent IPP

No material differences.

Summary

Individuals can make requests for confirmation of whether an organisation holds biometric information about them, the type of biometric information held, and to access their biometric information.

Key differences to the equivalent IPP

Rule 6 adds that organisations must also, on request, confirm the type of biometric information they hold about an individual.

Summary

An individual can make a request to correct biometric information held about them. 

Key differences to the equivalent IPP

No material differences.

Summary

Organisations must not use or disclose biometric information without taking reasonable steps to ensure the information is accurate, up to date, complete, relevant, and not misleading.

Key differences to the equivalent IPP

No material differences.

Summary

Organisations must not keep biometric information for longer than is necessary for the purposes for which the information may lawfully be used.

Key differences to the equivalent IPP

No material differences.

Summary

Organisations holding biometric samples may not use the information in biometric processing or for a different type of processing for any purpose unless it has put in place reasonable and relevant privacy safeguards and completed a proportionality assessment.

Organisations must not use biometric information for any purpose other than the purpose for which it was collected, or a directly related purpose. 

Exceptions will apply if the organisation believes on reasonable grounds that:

  • the information is anonymised or will be used for research and publication is anonymous.
  • the organisation is authorised by the individual to use it for that other purpose;
  • the information is publicly available;
  • legal or regulatory issues are involved; or
  • the use is necessary to lessen the threat to the individual's life or health, or public health or safety.

Key differences to the equivalent IPP

Rule 10 adds that where an organisation already holds biometric information, and want to use it for biometric processing, they must first put in place reasonable and relevant privacy safeguards and assess whether it is a proportionate use.

Summary

Organisations must not disclose biometric information for any purpose other than for which it was collected, or a directly related purpose.

Exceptions will apply if the organisation believes on reasonable grounds that:

  • disclosure is to the individual;
  • disclosure is authorised by the individual;
  • the source of the information is public;
  • legal or regulatory issues are involved;
  • disclosure is necessary to lessen/prevent the threat to the individual's life or health, or public health or safety;
  • disclosure is necessary to enable intelligence or security agencies to perform its functions; or
  • the information will be anonymised or will be used for research and publication is anonymous.

Key differences to the equivalent IPP

Rule 11(1)(d) introduces a condition to the exception allowing disclosure where the source of the information is a publicly available publication and it would not be unfair or unreasonable to disclose the information, to carve out information that has been obtained by means of web scraping (in the case of a biometric sample). This aligns with the new web scraping restriction in Rule 2.

Summary

Organisations must not disclose biometric information outside of New Zealand unless one of the following exceptions apply:

  • the individual authorises disclosure after being informed that the recipient of the information may not provide comparable protections to the Act and Code;
  • the recipient is carrying on business in New Zealand and is subject to the Act and Code;
  • the recipient is subject to privacy laws which provide comparable safeguards;
  • the recipient is part of a prescribed binding scheme;
  • the recipient is subject to the laws of a prescribed country; or
  • the recipient is required to protect the information with comparable safeguards to the Act and Code (such as contractual clauses).

Key differences to the equivalent IPP

No material differences.

Summary

Organisations must not assign ‘unique identifiers’ to an individual unless it is necessary to enable the organisation to carry out one or more of its functions efficiently and it takes reasonable steps to verify identities and minimise risk of misuse.

Key differences to the equivalent IPP

No material differences.

Print