the expanding universe of biometric data: embrace, curtail ... · michael shapiro is a senior...

May 7, 2020 The Expanding Universe of Biometric Data: Embrace, Curtail, or Regulate? K Royal TrustArc Debra Bromson AAA Club Alliance Inc. Joshua A. Mooney White and Williams LLP Michael Shapiro Clarip, Inc.


Page 1: The Expanding Universe of Biometric Data: Embrace, Curtail ... · Michael Shapiro is a Senior Counsel at Clarip, Inc., an enterprise data management software company that helps organizations

May 7, 2020

The Expanding Universe of Biometric Data: Embrace, Curtail, or Regulate?

K Royal, TrustArc

Debra Bromson, AAA Club Alliance Inc.

Joshua A. Mooney, White and Williams LLP

Michael Shapiro, Clarip, Inc.


Speaker

Debra Bromson
Assistant General Counsel
AAA Club Alliance Inc.

Debra Bromson is AGC at AAA Club Alliance (3rd largest AAA Club) where she provides legal, compliance and business advice relating to Data Privacy, Cybersecurity, Information Technology, E-Commerce, Social Media and marketing, Business Development and Government and Public Affairs. She was previously the initial head of global privacy at Jazz Pharmaceuticals and the initial AstraZeneca privacy counsel and US officer. Ms. Bromson received her AB from Cornell University, JD from Georgetown University Law Center, and an LLM in taxation from New York University School of Law.


Speaker

Joshua A. Mooney
Chair of Cyber Law & Data Protection Group
White and Williams LLP

• Compliance and implementation of data privacy and security, including through as-a-service platforms

• Incident response, litigation

• Vice Chair of ABA TIPS Cybersecurity and Data Privacy Committee

• Founding Chair of PBA Cybersecurity Committee


Speaker

K Royal, FIP, CIPP/E / US, CIPM
Associate General Counsel
TrustArc

• RN turned attorney, focused on global privacy law

• Teach privacy law at Arizona State University

• Co-host Serious Privacy podcast


Speaker

Michael Shapiro, CIPP/US/E, CIPM
Senior Counsel, Director of Data Privacy
Clarip, Inc.

Michael Shapiro is a Senior Counsel at Clarip, Inc., an enterprise data management software company that helps organizations comply with the GDPR, CCPA, and other privacy laws. He also serves as a Co-Chair of the IAPP Philadelphia Knowledge Net Chapter and a Policy Vice-Chair for the ABA International Law Section’s Privacy, Cybersecurity, & Digital Rights Committee. Mr. Shapiro is a graduate of the University of Pennsylvania Law School and Indiana University.


The Expanding Universe of Biometric Data

• Purpose of Session

The panel will explore privacy and data protection issues raised by collection and processing of biometrics in the private and public sectors as well as emerging laws and regulations designed to address these issues.

• Main Sections

Understanding Biometric Data
  • Overview
  • Biometric Information Privacy Act and Other State Laws

Biometric Data in Use
  • Business considerations
  • Facial recognition in the Public Sector

• Questions


Understanding Biometric Data

Overview

State Laws – BIPA, TX, WA, and Pending Laws


Introduction - definition

“Biometric information” means an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity.

Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.


Overview

Biometrics Laws are Getting More “Popular” in States
• It had always been BIPA—Illinois
• Now there are a few new state laws (Texas, Washington)

Also, they exist in other countries
• Australia
• And of course—the EU—has a broad definition “personal data resulting from specific technical processing relating to the physical, physiological, and behavioral characteristics of a natural person.” See Art. 4(14) and is “special category” personal data

And Biometrics are “built” into other state laws — e.g. NY Shield Act
• “Biometric data” is included in the definition of “personal information”

But people are saying other countries that don’t have biometric laws need them
• Canada—Had an online petition calling for reforms to law to cover facial recognition


Overview

How businesses are using biometrics and related technologies

• Use in wide range of applications to help business processes

• Employees use fingerprint scanners for timing instead of cards or other means

• Banking—to help reduce identity theft

• Shopping

• Automobile—will this be used to enter or operate a car or monitor drivers


Biometric Information Privacy Act

Biometric Information Privacy Act (BIPA)

• Enacted to help regulate “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.”

• “Biometric identifier” defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”

• “Biometric information” defined as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.”


Biometric Information Privacy Act

BIPA imposes upon private entities obligations for the collection, retention, disclosure, and use of biometric data:

• Inform data subject in writing that biometric data is collected and stored

• Inform data subject in writing specific purpose and length that biometric data is collected, stored, and used

• Receive from data subject written release

• Publish retention schedule and guidelines for destruction of biometric data


Biometric Information Privacy Act

BIPA prohibits disclosure or dissemination of biometric data unless:

• Data subject consents

• Disclosure completes a financial transaction authorized by the data subject

• Disclosure is required by law or legal process


Biometric Information Privacy Act

BIPA

• “No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.”

• Prevailing party may recover for each violation:
  • $1,000 or actual damages, whichever is greater, for negligent breach
  • $5,000 or actual damages, whichever is greater, for intentional or reckless breach
  • reasonable attorneys' fees and costs, including expert witness fees and other litigation expenses
  • Injunctive relief


Biometric Information Privacy Act

Rosenbach v. Six Flags Entm’t Corp. (Ill. 2019)

• Mere violation of the statute sufficient to file action

• No other harm needed

Patel v. Facebook, Inc. (9th Cir. 2019)

• Statute enacted to protect person’s “concrete” privacy interests

• Reasonable to infer that BIPA intended to protect persons in Illinois even if some relevant activities occur out of state


Biometric Laws in Other States

Other states have pending legislation:

• Florida, Massachusetts, New York, Michigan, Alaska—provide for a private cause of action

• South Carolina—H 4182 referred to Committee on Judiciary 1/14/2020
  • TO AMEND THE CODE OF LAWS OF SOUTH CAROLINA, 1976, BY ADDING CHAPTER 31 TO TITLE 37 SO AS TO ENACT THE "SOUTH CAROLINA BIOMETRIC DATA PRIVACY ACT" AND TO PROVIDE CERTAIN REQUIREMENTS FOR A BUSINESS THAT COLLECTS A CONSUMER'S BIOMETRIC INFORMATION, TO ALLOW THE CONSUMER TO REQUEST THAT A BUSINESS DELETE THE COLLECTED BIOMETRIC INFORMATION AND TO PROHIBIT THE SALE OF BIOMETRIC INFORMATION, TO ESTABLISH CERTAIN STANDARDS OF CARE FOR A BUSINESS THAT COLLECTS BIOMETRIC INFORMATION, TO ESTABLISH A PROCEDURE FOR A CONSUMER TO OPT OUT OF THE SALE OF BIOMETRIC INFORMATION, TO PROHIBIT A BUSINESS FROM DISCRIMINATING AGAINST A CONSUMER WHO OPTS OUT OF THE SALE OF THEIR BIOMETRIC INFORMATION, AND TO PROVIDE A PENALTY.


Biometric Data in Use

Business Considerations

Facial Recognition in the Public Sector


Business Considerations

• Disclosure and Consent for collection

• Third-party dissemination
  • Cannot sell
  • Contractor/“processor” considerations

• Licensing Considerations
  • Do you need the data/prohibit transmission of data
  • Strong indemnity provisions
  • Insurance


Business Considerations

• Biometrics should always be included in the definition of “Personal Information” or “Personal Data” in your company’s policies, contracts with vendors, etc.

• Companies that collect, use biometric data need to make sure they have policies about how it is handled and limits on access, distribution and terms of destruction and how long retained

• Must inform and disclose this to employees or customers whose biometric data you are handling

• Should be secured with encryption

• Two-factor authentication?

• Risk due to fact that if these are compromised, there may be no recourse since these are unique to each person, so may not be able to change them.


Facial Recognition: Public Sector

▪ FBI has access to around 640 million photos in searchable repositories maintained by the federal and state agencies and has conducted over 390,000 searches since 2011.

▪ Law enforcement face recognition networks in the United States include at least 117 million Americans.

▪ At least 1 out of 4 state or local police departments has an option to run face recognition searches through their or another agency’s system.

▪ As many as 30 states allow law enforcement to run or request searches against their database of driver’s license and ID photos.

Sources: Government Accountability Office; Georgetown Law, Center on Privacy and Technology


Facial Recognition: Public Sector

Facial Recognition Is Less Accurate on Minority Groups

▪ MIT and the University of Toronto Study (2018)
  ▪ Darker-skinned women identified as men 31% of the time, while there were no errors for lighter-skinned men.

▪ NIST Face Recognition Vendor Test Study (2019)
  ▪ Higher rate of false positives in one-to-one matching for Asians, African Americans, Native American groups, and African American females.

▪ ACLU Facial Recognition Experiment (2018)
  ▪ Incorrectly matched 28 members of Congress to a mug shot database. The false matches were disproportionately of people of color, including six members of the Congressional Black Caucus.


Facial Recognition: Public Sector

State and Local Bans of Facial Recognition:

▪ City-wide ban on use of facial recognition technology by law enforcement: San Francisco, Oakland, Somerville

▪ State-wide ban on use of facial recognition in police body cameras: CA, OR, NH

▪ State-wide ban on use of Clearview AI facial recognition technology by police: NJ


Facial Recognition: Public Sector

Washington Public Sector Facial Recognition Law (SB 6280)

▪ Notice of Intent

▪ Accountability Reports

▪ Meaningful human review for decisions that produce legal effects concerning individuals

▪ Enabling tests of facial recognition services

▪ Training

▪ Warrant requirement and disclosure of use to defendants


Resources

Privacy Laws and Guidance on Biometrics

PIPEDA: https://www.priv.gc.ca/en/privacy-topics/identities/identification-and-authentication/auth_061013/

European Data Protection Board – has a link for biometrics, but …. Watch for developments
https://edpb.europa.eu/our-work-tools/our-documents/topic/biometrics_en

EDPB news: Fine for processing students fingerprints imposed on a school
https://edpb.europa.eu/news/national-news/2020/fine-processing-students-fingerprints-imposed-school_en

Dutch DPA report and findings on fine for company for processing fingerprints of employees
https://autoriteitpersoonsgegevens.nl/nl/nieuws/boete-voor-bedrijf-voor-verwerken-vingerafdrukken-werknemers

Fieldfisher – the use of biometric data in an employment context
https://www.priv.gc.ca/en/privacy-topics/identities/identification-and-authentication/auth_061013/

Article: Intersection of HIPAA and Illinois Biometrics Information Privacy Act
https://www.physicianspractice.com/article/intersection-hipaa-and-illinois-biometric-information-privacy-act


Resources

Facial Recognition: Public Sector Resources

▪ United States Government Accountability Office. Face Recognition Technology. DOJ and FBI Have Taken Some Actions in Response to GAO Recommendations to Ensure Privacy and Accuracy, But Additional Work Remains (June 4, 2019)

▪ Georgetown Law, Center on Privacy & Technology. The Perpetual Lineup: Unprecedented Police Facial Recognition in America (Oct. 18, 2016)

▪ NIST Face Recognition Vendor Test (FRVT) Part 3: Demographic Effects (2019)

▪ San Francisco “Stop Secret Surveillance” Ordinance

▪ California Body Camera Accountability Act (AB 1215) (2019)

▪ OR Rev Stat § 133.741 (2017)

▪ NH Rev Stat § 105-D:2 (2016)

▪ Washington Public Sector Facial Recognition Law (SB 6280)


Questions + Contact

Joshua Mooney
Partner
White and Williams
[email protected]

Debra Bromson
AGC
AAA Club Alliance
[email protected]

K [email protected]

Michael Shapiro
Senior Counsel, Director of Data Privacy
Clarip,
[email protected]