UK urgently needs new laws on use of biometrics, warns review

An independent review of UK legislation has concluded the country urgently needs new laws to govern the use of biometric technologies and called for the government to come forward with primary legislation.

Among the legal review’s ten recommendations are that public use of live facial recognition (LFR) technology be suspended pending the creation of a legally binding code of practice governing its use, and pending the passing of wider, technologically neutral legislation to create a statutory framework governing the use of biometrics against members of the public.

A handful of UK police forces have been keen adopters of LFR, which has led to civil rights challenges and ongoing condemnation by human rights groups.

A year ago, the UK’s information commissioner also went public with concerns about reckless and inappropriate use of LFR in public places.

Since then, we’ve also seen the Information Commissioner’s Office (ICO) fine the controversial, U.S.-based facial recognition company Clearview AI and order it to delete UK citizens’ data. Clearview uses selfies scraped off the internet without consent to power an AI-based identification matching service that it has targeted at law enforcement and other public sector bodies.

Despite plentiful concerns about existing use of biometrics against the UK public and their patchy regulation, the government’s digital policymaking has largely focused elsewhere to date, such as on online content regulation and post-Brexit data protection deregulation.

That said, the government recently indicated that its forthcoming Data Reform Bill will clarify the rules on police use of biometric data by supporting the development of “policing-led guidance such as new codes of conduct.”

However, the independent legal review that’s been published today is calling for a more comprehensive approach to regulating public sector use of biometrics.

The review, which was commissioned by the Ada Lovelace Institute back in 2020 and led by Matthew Ryder QC, warns that the UK’s current legal regime is “fragmented, confused and failing to keep pace” with developments in biometrics.

“We urgently need an ambitious new legislative framework specific to biometrics. We must not allow the use of biometric data to proliferate under inadequate laws and insufficient regulation,” said Ryder, of Matrix Chambers, in a statement.

A key recommendation in the review is that the scope of biometrics legislation cover use of the technology not only for unique identification of individuals but also for classification.

“Simply because the use of biometric data does not result in unique identification does not remove the rights-intrusive capacity of biometric systems, and the legal framework needs to provide appropriate safeguards in this area,” the review argues.

It also calls for sector and/or technology-specific codes of practice to be published — setting out “specific and detailed duties” that arise in particular use cases. It also recommends that a framework governing use of biometrics against members of the public should supplement (rather than replace) existing duties under the Human Rights Act, Equality Act and Data Protection Act.

Another recommendation is for a national biometrics ethics board to be set up — to have a statutory advisory role in respect of public sector biometrics use. The review also recommends that its advice is published and that bodies that go against its advice must publicly set out their reasons why.

“The regulation and oversight of biometrics should be consolidated, clarified and properly resourced. The overlapping and fragmented nature of oversight at present impedes good governance,” the review goes on to recommend, further warning of “significant concerns” about the proposed incorporation of the role of Biometrics and Surveillance Camera Commissioner into the existing duties of the ICO.

“We believe that the prominence and importance of biometrics means that it requires either a specific independent role, and/or a specialist commissioner or deputy commissioner within the ICO,” the review notes. “Wherever it is located, it must be adequately resourced financially, logistically, and in expertise, to perform the governance role that this field requires.”

The review is predominantly focused on public sector use of biometrics but its authors are calling for additional study of private sector applications of biometrics to consider how best to shape appropriate legislation — warning that further private-sector-specific research is “particularly important given the porous relationship between private-sector organisations gathering and processing biometric data and developing biometric tools, and public authorities accessing those datasets and deploying those tools.”

“[S]trong law and regulation is sometimes characterised as hindering advancements in the practical use of biometric data. This should not be the case. In practice a clear regulatory framework enables those who work with biometric data to be confident of the ethical and legal lines within which they must operate,” adds Ryder in a foreword to the review.

“They are freed from the unhelpful burden of self-regulation that arises from unclear guidelines and overly flexible boundaries. This confidence liberates innovation and encourages effective working practices. Lawmakers and regulators are not always helping those who want to act responsibly by taking a light touch.”

The Ada Lovelace research institute, which commissioned the review, is publishing a policy report to accompany it in which it presses the government to act — drawing on what it says was a 3-year program of public engagement to feed the policy research, including conducting a representative survey on UK public attitudes toward facial recognition technology and engaging with the Citizens’ Biometrics Council, a body comprised of 50 UK adults “assembled to learn and then deliberate on biometric governance in greater depth.”

“Both the survey and the citizens’ council highlighted public support for stronger safeguards on biometric technologies,” it notes.

Some of the Institute’s recommendations echo those in the legal review, including urging the government to pass primary legislation to govern the use of biometrics, and recommending that oversight and enforcement of the regime sit within a new regulatory function focused on biometric technologies, which is “national, independent and adequately resourced and empowered.”

It is also calling for the proposed regulator to assess biometrics technologies — both to require that all biometric technologies meet “scientifically based and clearly established standards of accuracy, reliability and validity” and to assess the proportionality of biometric technologies “in their proposed contexts, prior to use, for those that are used by the public sector, in public services, in publicly accessible spaces, or that make a significant decision about a person.”

“This proportionality test should consider individual harms, collective harms and societal harms that may arise from the use of biometric technologies,” it suggests. “If approval is granted, the regulatory function should monitor the technology during its deployment and implementation stages, and continuously as long as the system is in use.”

Another recommendation of the Institute is for regulatory monitoring to trigger the creation of codes of practice “that may include bans or moratoria.” And the Institute is also calling for a moratorium on the use of biometrics for one-to-many identification in publicly accessible spaces and for categorization in the public sector (or for public services and in publicly accessible spaces) until governance legislation is passed.

Commenting in a statement, Carly Kind, the Institute’s director, said: “Our three-year programme of research demonstrates that the public support stronger safeguards and the existing legal landscape is inadequate. The government must take on this important issue and bring forward new primary legislation on biometrics.”

The European Union is ahead of UK policymakers when it comes to regulating applications of AI technologies — having already come out with a draft proposal last year (aka, the AI Act). However, the EU’s proposed risk-based framework for regulating applications of AI has faced plenty of criticism from civil society and human rights groups that are concerned it does not go far enough to put guardrails around fundamental rights.

And while the draft legislation includes a proposal to ban (some) police use of remote biometrics in public, again critics argue the provision contains so many qualifications it’s not actually a meaningful limitation.

Discussing the EU’s proposed AI regulation, Imogen Parker, associate director for policy at the Ada Lovelace Institute, argues there’s an opportunity for the UK to go further — and deliver stronger regulation of biometrics — but only if ministers adopt the policy recommendations that are being made today.

“The draft [EU] Act doesn’t adequately grapple with the risks arising from emotional recognition systems and classification. They sort them as ‘limited risk’ AI (apart from in some public sector circumstances for example used by law enforcement), only requiring users to be transparent when the technology is being deployed, for example through labelling or disclosure,” she argues.

“Categorisation poses comparable risks to the identification. The Citizens Biometrics Council were concerned about accuracy, both whether tools work well and whether the categories are rooted in evidence or pseudoscience; they pose privacy risks as intimate data is used and could reveal or presume sensitive information about you, like sexuality or religion; and there are concerns that these technologies may be discriminatory in their deployment if they assess whether somebody looks suspicious by the way they walk (their gait), or job worthy from their facial expressions and voice tone.

“We also recommend all biometrics technologies meet standards requirements, and a majority of uses (in the public sector, by public services, in public places or with significant effect) have to undergo a proportionality test in context and prior to use or procurement. Our recommendations ensure comprehensive high standards of regulation are applied to categorisation as well as identification; and private sector, as well as public sector, uses.”

Asked about the UK government’s partial attention to biometrics regulation in the Data Reform Bill, Parker suggests the measures it has set out so far don’t go far enough.

“On the proposals regarding biometric regulation in Data: A New Direction, the focus from the Government seems to be efforts to streamline, clarify and reduce confusion. We’ve identified the need to substantially strengthen oversight functions, which goes beyond reorganisation or clarification,” she tells TechCrunch. “The Citizens Biometrics Council wanted stronger regulation of biometrics, and the Ryder review found that existing governance isn’t fit for purpose: that existing legislation and oversight mechanisms are fragmented, unclear, ineffective and failing to keep pace with the technologies being developed.

“We are also proposing the approach to regulation be strengthened, reflecting the research. We want to see standards developed to assess the accuracy and the scientific validity of these tools — whether they are built on stereotypical or pseudoscientific assumptions. We are also recommending a requirement of a proportionality test to assess any uses of biometrics technologies in the public sector, in public spaces, or where significant decisions are made about individuals (for example in recruitment). That assessment should be of biometrics technologies in context, and before use or procurement.

“Our research demonstrates we need to be more ambitious about regulation than we have seen in the current proposals. But we look forward to seeing the draft legislation to see the further details.”