May 7, 2020 The Expanding Universe of Biometric Data: Embrace, Curtail, or Regulate? K Royal TrustArc Debra Bromson AAA Club Alliance Inc. Joshua A. Mooney White and Williams LLP Michael Shapiro Clarip, Inc.
Speaker Debra Bromson Assistant General Counsel AAA Club Alliance Inc. Debra Bromson is AGC at AAA Club Alliance (3rd largest AAA Club) where she provides legal, compliance and business advice relating to Data Privacy, Cybersecurity, Information Technology, E-Commerce, Social Media and marketing, Business Development and Government and Public Affairs. She was previously the initial head of global privacy at Jazz Pharmaceuticals and the initial AstraZeneca privacy counsel and US officer. Ms. Bromson received her AB from Cornell University, JD from Georgetown University Law Center, and an LLM in taxation from New York University School of Law.
Speaker Joshua A. Mooney Chair of Cyber Law & Data Protection Group White and Williams LLP • Compliance and implementation of data privacy and security, including through as-a-service platforms • Incident response, litigation • Vice Chair of ABA TIPS Cybersecurity and Data Privacy Committee • Founding Chair of PBA Cybersecurity Committee
Speaker K Royal, FIP, CIPP/E / US, CIPM Associate General Counsel TrustArc • RN turned attorney, focused on global privacy law • Teach privacy law at Arizona State University • Co-host Serious Privacy podcast
Speaker Michael Shapiro, CIPP/US/E, CIPM Senior Counsel, Director of Data Privacy Clarip, Inc. Michael Shapiro is a Senior Counsel at Clarip, Inc., an enterprise data management software company that helps organizations comply with the GDPR, CCPA, and other privacy laws. He also serves as a Co-Chair of the IAPP Philadelphia Knowledge Net Chapter and a Policy Vice-Chair for the ABA International Law Section’s Privacy, Cybersecurity, & Digital Rights Committee. Mr. Shapiro is a graduate of the University of Pennsylvania Law School and Indiana University.
The Expanding Universe of Biometric Data • Purpose of Session The panel will explore privacy and data protection issues raised by collection and processing of biometrics in the private and public sectors as well as emerging laws and regulations designed to address these issues. • Main Sections Understanding Biometric Data • Overview • Biometric Information Privacy Act and Other State Laws Biometric Data in Use • Business considerations • Facial recognition in the Public Sector • Questions
Understanding Biometric Data Overview State Laws – BIPA, TX, WA, and Pending Laws
Introduction - definition “Biometric information” means an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
Overview Biometrics Laws are Getting More “Popular” in States • It had always been BIPA — Illinois • Now there are a few new state laws (Texas, Washington) Also, they exist in other countries • Australia • And of course — the EU — has a broad definition: “personal data resulting from specific technical processing relating to the physical, physiological, and behavioral characteristics of a natural person” (see Art. 4(14)), and it is “special category” personal data And Biometrics are “built” into other state laws — e.g. NY Shield Act • “Biometric data” is included in the definition of “personal information” But people are saying other countries that don’t have biometric laws need them • Canada — Had an online petition calling for reforms to the law to cover facial recognition
Overview How businesses are using biometrics and related technologies • Use in wide range of applications to help business processes • Employees use fingerprint scanners for timing instead of cards or other means • Banking — to help reduce identity theft • Shopping • Automobile — will this be used to enter or operate a car or monitor drivers
Biometric Information Privacy Act Biometric Information Privacy Act (BIPA) • Enacted to help regulate “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” • “Biometric identifier” defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” • “Biometric information” defined as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.”
Biometric Information Privacy Act BIPA imposes upon private entities specific obligations for the collection, retention, disclosure, and use of biometric data: • Inform data subject in writing that biometric data is collected and stored • Inform data subject in writing of the specific purpose and length that biometric data is collected, stored, and used • Receive from data subject written release • Publish retention schedule and guidelines for destruction of biometric data
Biometric Information Privacy Act BIPA prohibits disclosure or dissemination of biometric data unless: • Data subject consents • Disclosure completes a financial transaction authorized by the data subject • Disclosure is required by law or legal process
Biometric Information Privacy Act BIPA • “No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.” • Prevailing party may recover for each violation: • $1,000 or actual damages, whichever is greater, for negligent breach • $5,000 or actual damages, whichever is greater, for intentional or reckless breach • reasonable attorneys' fees and costs, including expert witness fees and other litigation expenses • Injunctive relief
Biometric Information Privacy Act Patel v. Facebook, Inc. (9th Cir. 2019) • Statute enacted to protect person’s “concrete” privacy interests • Reasonable to infer that BIPA intended to protect persons in Illinois even if some relevant activities occur out of state Rosenbach v. Six Flags Entm’t Corp. (Ill. 2019) • Mere violation of the statute sufficient to file action • No other harm needed
Biometric Laws in Other States Other states have pending legislation: • Florida, Massachusetts, New York, Michigan, Alaska — provide for a private cause of action • South Carolina — H 4182 referred to Committee on Judiciary 1/14/2020 • TO AMEND THE CODE OF LAWS OF SOUTH CAROLINA, 1976, BY ADDING CHAPTER 31 TO TITLE 37 SO AS TO ENACT THE "SOUTH CAROLINA BIOMETRIC DATA PRIVACY ACT" AND TO PROVIDE CERTAIN REQUIREMENTS FOR A BUSINESS THAT COLLECTS A CONSUMER'S BIOMETRIC INFORMATION, TO ALLOW THE CONSUMER TO REQUEST THAT A BUSINESS DELETE THE COLLECTED BIOMETRIC INFORMATION AND TO PROHIBIT THE SALE OF BIOMETRIC INFORMATION, TO ESTABLISH CERTAIN STANDARDS OF CARE FOR A BUSINESS THAT COLLECTS BIOMETRIC INFORMATION, TO ESTABLISH A PROCEDURE FOR A CONSUMER TO OPT OUT OF THE SALE OF BIOMETRIC INFORMATION, TO PROHIBIT A BUSINESS FROM DISCRIMINATING AGAINST A CONSUMER WHO OPTS OUT OF THE SALE OF THEIR BIOMETRIC INFORMATION, AND TO PROVIDE A PENALTY.
Biometric Data in Use Business Considerations Facial Recognition in the Public Sector
Business Considerations • Disclosure and Consent for collection • Third-party dissemination • Cannot sell • Contractor/“processor” considerations • Licensing Considerations • Do you need the data/prohibit transmission of data • Strong indemnity provisions • Insurance
Business Considerations • Biometrics should always be included in the definition of “Personal Information” or “Personal Data” in your company’s policies, contracts with vendors, etc. • Companies that collect, use biometric data need to make sure they have policies about how it is handled and limits on access, distribution and terms of destruction and how long retained • Must inform and disclose this to employees or customers whose biometric data you are handling • Should be secured with encryption • Two-factor authentication? • Risk due to fact that if these are compromised, there may be no recourse since these are unique to each person, so may not be able to change them.