The Data Protection Act 2018 is the UK’s implementation of the GDPR, and it controls how the personal information of individuals is used by organizations, businesses, or the government. Also called UK GDPR, the DPA 2018 singles out biometrics data as likely to be a more sensitive version of personal data. If an entity uses biometrics to learn something about an individual, authenticate his/her identity, control access, make a decision regarding him/her, or treat him/her differently in any way, DPA 2018 requires such entity to comply with Article 9. In addition, organizations that process special category data must have a lawful basis to process data as stated under Article 6 of the GDPR.

Recently, Information Commissioner’s Office (ICO), UK’s independent regulator for data protection and information rights laws, announced its provisional intent to impose a potential fine of around £17 million on Clearview AI Inc., a facial recognition app, for not complying with UK data protection laws in meeting higher data protection standards requirements for biometric data, including but not limited to failure to:

• fair processing;

• informing people about what’s happening to their data;

• stopping data retention indefinitely;

• having a lawful reason for collecting the information.

The ICO has this understanding that the images in the Clearview AI Inc’s database may have data belonging to a substantial number of UK residents and may have been collected or scrapped from publicly available domains, like social media, without people’s knowledge or consent.

Takeaway In wake of biometric laws becoming commonplace, Meta has announced shutting down the facial recognition system on Facebook. Influenced by biometrics laws, to avoid legal risk, Google has decided to block Illinois and Texas users from its offering of a new facial recognition feature on the Google Arts & Culture App. Apple is joining the suit with its guidelines prohibiting manufacturing partners from collecting biometric data such as fingerprints or facial scans of Apple employees who visit their facilities.

With biometrics laws morphing the attitude of businesses towards handling biometrics data, it’s crystal clear how biometrics laws are poised to change the world of data for good. Businesses must understand that biometric data are subject to legal protections and therefore, it’s more necessary than ever to develop and implement policies that help them address risk management practices—and comply with biometrics data protection laws.