The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

Biometrics Bitesize

28 May 2024

In March 2024 the Centre for Emerging Technology and Security (CETaS), a research centre based at the Alan Turing Institute, the UK’s national institute for data science and artificial intelligence published a research report, The Future of Biometric Technology for Policing and Law Enforcement: Informing UK Regulation.[1] Relevant to both the public and private sectors, as the former leads the way in forging a path through the UK’s ‘complex web of overlapping equality, human rights, data protection and police powers legislation’ to enable the lawful use of biometric technologies, the key findings were:

  • The current definition of biometric technology, primarily focused on systems used for the purpose of uniquely identifying an individual or verifying their identity, is outdated. The report argues for a broader conceptualisation, to include new inferential and classification biometrics-based systems such as like age estimation, emotion recognition, and demographic-based categorisation. This is to encourage the law to keep pace with emerging technologies and to allow for the imposition of appropriate safeguards.
  • The benefits to biometric systems are that they can significantly enhance capabilities to detect and prevent crime by identifying individuals with a high degree of confidence which in certain circumstances – such as crowded public places – would be extremely challenging for human operators to achieve manually. In some cases, biometrics might protect against the errors of human judgement. There is also increasing demand for secure data protection due to sophisticated cybersecurity threats and identity fraud techniques: given recent evidence showing poor human detection rates against e.g. deepfakes, new security risks may arise by opting not to use biometric measures.
  • Primary concerns about biometrics include technical flaws affecting reliability and the risks of false positives and false negatives – whether as a result of poor quality data or human error; multiple human rights risks (for example, privacy, freedom of expression, freedom of assembly, demographic bias, and mission creep concerns); and, in some cases scientific validity concerns (for example behavioural inferences such as emotion detection), which have led to calls for certain biometric systems to be heavily regulated or outright banned.   
  • The EU’s forthcoming AI Act (which received approval from the Council of Europe on 21 May 2024) is likely to implement a general ban on live facial recognition technology, with exemptions for specific policing and law enforcement use, as a means of attempting to balance benefits and risks. Discussions are ongoing in the UK regarding how best to regulate AI technology and this is likely to encompass debate about the best regulatory framework for emerging biometric systems.

The report’s recommendations were, in summary:

  • Future legislation should introduce a new legal definition of ‘biometrics-based data’ to take into account how different types of biometric data may be used for purposes other than uniquely identifying individuals, such as inference and classification.
  • New Codes of Practice should be issued by the UK Equality and Human Rights Commission, the College of Policing, the Home Office, and the Police Digital Service, to ensure consistent and responsible use across different applications.
  • Improved Governance and Oversight is required with roles for the National Police Chiefs Council and the Information Commissioner’s Office in this regard, to ensure accountability and public confidence.
  • Efforts should be made to increase public engagement (involving collaboration rather than simply informing the public), for example through consultation and roundtable discussions, to communicate the benefits and risks of biometric technologies, to ensure transparency and to address concerns.
  • Clear frameworks should be adopted for assessing proportionality, and early stage testing of biometric systems was recommended to seek to minimise potential negative impacts on the public, with results being clearly articulated to regulators and to the public.
  • Minimum system requirements and consistent testing and evaluation standards should be employed.

The report’s research methodology included a 662-person ‘nationally representative sample’ survey of public attitudes, which found varying levels of comfort and trust depending on the application and organisation involved. There was support for police and law enforcement use of biometric identification and verification systems such as live facial recognition, but not for the use of inferential systems such as polygraph testing or emotion recognition. However, there was anxiety over the adequacy of safeguards to protect individuals from a range of risks, such as data misuse and discriminatory implications of certain emerging use cases.

The report emphasised the need for the UK to simplify the complex web of existing regulatory and policy measures; introduce new protections for emerging biometric systems; and standardise testing and evaluation procedures. In short, it advocates for a robust and up to date regulatory framework to manage the developing landscape of biometric technology in order to reassure the public, maximise the benefits of the technologies and to protect individual rights.

Whilst this report focused upon the future of biometric technology for police and law enforcement, it recognised that private sector use of biometric systems is growing, highlighting concern that biometrics regulation predominantly applies to the public sector. Not only is a clear and coherent regulatory framework for public sector use needed, but as companies increasing explore using biometric systems for tackling crime (for example, identifying shoplifters), they would be well advised to take account of this report and to consider what safeguards are in place to encourage public confidence.

 
Further reading: The Future of Biometric Technology for Policing and Law Enforcement: Informing UK Regulation

[1] Sam Stockwell, Megan Hughes, Carolyn Ashurst and Nóra Ní Loideáin, “The Future of Biometric Technology for Policing and Law Enforcement: Informing UK Regulation,” CETaS Research Reports (March 2024).

The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.

Visit the Information Law, Data Protection and AI area

Search The Data Brief

Portfolio Builder

Select the practice areas that you would like to download or add to the portfolio

Download    Add to portfolio   
Portfolio
Title Type CV Email

Remove All

Download


Click here to share this shortlist.
(It will expire after 30 days.)