Regulating the Use of Biometrics in the United States and the United Kingdom: A Comparative Perspective

Dec 2022

A comparative analysis of how the US and UK regulate biometric data collection and use, examining differences in legislative frameworks, enforcement mechanisms, and privacy protections across the two jurisdictions.


Note: “Amnesia” refers to a fictional government used as a case study placeholder throughout this brief.

Executive Summary

Digitalization drives economic growth, but the use of the related technologies also challenges civil values such as liberty and privacy. In pursuit of convenience and a higher level of security, society has adopted biometric technologies at an unprecedented rate. Yet because of technical limits and intrusion, the leakage of biometric data can be catastrophic, owing to its biological uniqueness. This brief compares the approaches employed by the US and the UK: the pair share many commonalities but produce distinctive outcomes in the biometric protection landscape. Although both countries apply the classic ‘command and control’ approach (with some variants), there are large discrepancies in their biometric regulatory systems, in particular in the generality and specificity of the various regulatory stages. The comparison offers several key lessons for the Government of Amnesia in balancing the liberation of innovation against the protection of human rights: comprehensive analysis at an early stage, pluralistic approaches covering the life cycle of data collection, impartial coverage of the regulated parties (where necessary), alternatives through rescoping and separating risks, and collaboration at various levels.

Introduction: The Use of Biometrics and Risks Associated

For their uniqueness and convenience, biometrics, including fingerprints, palm prints, faces and irises, have been widely applied in both public and private settings (Bernat, 2012). Nevertheless, the ubiquity of biometric technologies brews new challenges: they can sometimes malfunction and even backfire.

There are direct property losses as well as potential breaches of human rights, which may stem from improper handling of the information, illegal trading of biometric data and personal data theft. A hack on the Chinese government’s facial recognition service, using an impersonation technique, resulted in fraud of more than 76 million USD (Kanapienis, 2021). In 2019, a major breach of a biometric system was found in the UK, affecting over one million people whose fingerprints were leaked (Taylor, 2019). The Taliban’s takeover of a biometric system also frightened supporters of the previous regime, as the related information can be used to track them and might put their lives at risk (Guo, 2021). In the private sector, some companies appear to have failed to collect biometric information properly and faced lawsuits, such as the well-known Facebook Biometric Information Privacy Litigation (Avelar, 2022).

While the likelihood of hazards remains largely unknown, risks increase as the use of biometrics becomes compulsory and frequent in many scenarios (Manahan, 2021). The ramifications are multifaceted, while the key uncertainty rests on information asymmetry. Unlike other personal data, the leakage of biometric information is more damaging because the information identifies a particular person (or group) and cannot be changed for life, bringing about enduring knock-on effects. People can hardly tell how well their biometric information is processed and stored, generating concerns over ‘covert collection’ and ‘cross-matching’ (OPCC, 2011). Victims can hardly realize that their data have been leaked before any material loss has occurred. Given the various scenarios of application, they cannot easily track the perpetrators.

How should we deal with the related technologies? Should we abandon them, or simply limit their coverage in daily life? While the adoption of these technologies is still debated, the global community has offered lessons in its regulatory practices.

A Tale of Two Countries: Biometric Regulatory Systems in the United States and the United Kingdom

Figure 1. Biometric Privacy Ranking Distribution by Countries in 2019 and 2022

The negative values represent the ranking distance (in %) from the lowest ranking, and the positive values represent the ranking distance (in %) from the highest ranking. Visualization used Tableau Desktop. Source: raw data obtained from Comparitech (2019) and Comparitech (2022).

The US and the UK have much in common. The two countries share strong cultural ties (British Council, 2019). There are also official claims from the US Department of State (2022) that “the United States has no closer Ally than the United Kingdom”. But despite these commonalities in ideology, which might be expected to shape similar regulatory styles (Baldwin et al., 2012), the rankings of the two countries in terms of their protection of biometric data diverge (Comparitech, 2019; Comparitech, 2022). This provides lessons that might be more implementable, since the “power of ideas” (Baldwin et al., 2012) requires long-term effort. Moreover, performance at the two extremes enables more comprehensive learning.

In the following sections, we discuss the regulatory system of each country using a framework with five major components (Lodge & Stirton, 2010). A comparison is then conducted to investigate the similarities and differences between the two countries. Finally, we analyze the strengths and weaknesses of the related approaches and conclude by drawing lessons for the Government of Amnesia.

Biometric Regulatory System in the United States

Technological disruption and overwhelming public concern over biometric data privacy accelerated the establishment of a related regulatory regime (Illinois General Assembly, 2008; Baldwin et al., 2012). The introduction of the Biometric Information Privacy Act (BIPA) in 2008 paved the way for biometric information protection in the State of Illinois, US. The Act requires private entities to obtain consent before collecting consumers’ biometric information and to follow procedures for information handling from collection to destruction (Illinois General Assembly, 2008). It also prohibits the trading of biometric information (Illinois General Assembly, 2008). Citizens of Illinois are given the right to sue for non-compliance, and private entities are fined for their misconduct (Illinois General Assembly, 2008).

Later on, other states and cities in the country, such as Texas and Washington, followed suit and introduced similar Acts (Tsukayama, 2022). The controversial application of facial recognition technologies has triggered another wave of reform in the field, with some jurisdictions eliminating their application (for example, San Francisco, Oakland, Portland, and Minneapolis) and some setting restrictions (for instance, Massachusetts) (Tsukayama, 2022).

Despite the discrepancies, the regulations across cities and states inherently follow the classic “command and control” approach (Lodge & Wegrich, 2012). Given that there is no single piece of legislation at the federal level, the regulators are either state-level or city-level governments. In particular, the Attorney General enforces these laws. But beyond the laws themselves, there is no particular agency overseeing the activities of regulated enterprises. The information-gathering process represents the idea of a “fire alarm” (Lodge & Wegrich, 2012), where the relevant complaint records are presented in court once violations of the standards have occurred. When misconduct in the business sector is proven, the related parties face punishment, such as fines. Any business engaged in biometric collection activities is advised to pay special attention to this field and to comply with the standards and requirements through voluntary self-regulation.

According to a report by Bryan Cave Leighton Paisner LLP (2021), there is an increasing number of laws and Bills in the domain of biometric regulation. Most of the proposed legislation targets biometrics as a whole, with some pointing at specific types and technologies and some remaining relatively general. Nevertheless, a biometric-specific Act at the federal level, though proposed in 2020, has not been passed to date.

Biometric Regulatory System in the United Kingdom

The accommodation of the latest technological trends and the mission to protect “the rights and freedoms of EU Citizens” encouraged the EU to formulate new regulations for Personally Identifiable Information (PII) (European Data Protection Supervisor, 2016; GDPRADVISOR, 2022). In 2016, the EU introduced the General Data Protection Regulation (GDPR), which is commonly accepted by EU members, including the United Kingdom. Biometrics have been placed under the “special categories of personal data” (ICO, 2022).

At almost the same time, the UK government updated its own data protection law, the Data Protection Act 2018 (GDPRADVISOR, 2022). In 2021, after Brexit, the country renewed the DPA 2018 in response to the changed scope of the EU GDPR (GDPRADVISOR, 2022). The UK GDPR now sits alongside the DPA 2018.

In detail, the related regulations in the UK stipulate the obligations of data collectors and processors, the rights of the data subject, the treatment of non-compliance, and the function of the Commissioner (GDPRADVISOR, 2022). The Information Commissioner’s Office (ICO), the independent body “to uphold information rights”, is responsible for oversight of the regulations (ICO, 2022; GDPRADVISOR, 2022). The regulations apply to people and organizations in both the public and private sectors. Regulatees should follow the “data protection principles” (UK government, 2022). “Accountability”, one of the basic principles, has been highlighted: the ICO provides a detailed “Accountability Framework” for businesses to self-regulate their activities and demonstrate compliance (ICO, 2022). Data subjects can file complaints for infringement of the regulations. For example, failure to follow the Accountability Framework leads to “a fine up to 10 million Euros or 2% of global turnover” (ICO, 2022), and parties to data breaches have to pay a fine of “up to the value of £17 million or 4% of an organization’s annual turnover (whichever is higher)” (Brindley, 2022).

Apart from some general laws, there is no single regulation governing the use of biometrics and related technologies. According to an independent review, live facial recognition (LFR) should be paused until the associated laws have been drafted and enacted (Lomas, 2022). Before the introduction of the Data Protection Act 2018 and the UK GDPR, the Protection of Freedoms Act 2012 (PFA 2012) had included provisions on biometric information. But that Act placed more emphasis on public intrusion and criminal activities than on data protection in a more general sense. The potential enactment of the Data Protection and Digital Information Bill would possibly change the status quo (House of Commons, 2022).

Biometric Regulatory Systems: A Comparison

Table 1. Biometric Regulatory Systems: A Comparison

| Components | The United States (US) | The United Kingdom (UK) |
|---|---|---|
| Triggers | Exogenous: technology advancement; uniqueness of biometrics. Endogenous: reduction of public concerns | Exogenous: (same). Endogenous: protection of human rights |
| Regulator | State/city-level government | ICO |
| Impacted Parties | Private entities | People and organizations in both the public and private sectors |
| Standard-Setting | Representative law(s): BIPA and other follow-up state/city laws. Management-based. Biometric-specific laws, focusing on the procedure for handling biometric data. Non-compliance faces administrative fines | Representative law(s): DPA 2018, UK GDPR, PFA 2012. Management-based. General personal data protection laws (explicitly incorporating “biometric”) with detailed guidance from the ICO, focusing on the procedure for handling biometric data (more principle-oriented). Non-compliance faces administrative fines |
| Information-Gathering | Lawsuits | Lawsuits; reports by internal auditors; ICO investigation |
| Enforcement Style | Mostly command and control | Mostly command and control; enforced self-regulation |
| Regulatees’ Activities | Follow the laws; voluntary review of internal activities | Follow the laws and guidance; compulsory review of internal activities |

The table is based on the components of a regulatory system (Lodge & Stirton, 2010).

The two countries created their biometric regulatory systems for almost the same reasons. There is one nuance: while the US explicitly incorporated mitigation of public worries about data security as part of the rationale, the UK government presents protection as its active pursuit. Unsurprisingly, both point to “public interest” as their explanation (Baldwin et al., 2012).

There are fundamental differences in the specificity of the regulators, the scope of the regulated, and the dimension of the related laws. As for regulators, the US does not have a particular body to deal with these affairs; instead, it follows a multi-layer approach in which state or city governments are supposed to regulate the related business activities. The UK delegates a particular body, the ICO, to carry out regulatory activities. While the UK’s regulation applies to all members of society and organizations, the US approach targets private entities. Besides, although both focus on procedures for dealing with sensitive personal information, the US regulation is more biometric-targeted.

Table 2. Standard-Setting Criteria Comparison

| Criteria | The United States (US) | The United Kingdom (UK) |
|---|---|---|
| Transparency | High, but the concise law clauses might not cover variants | Medium to high; tension between principles and guidance |
| Acceptability | High | High |
| Verifiability | Medium, constrained by information asymmetry | Medium to high; information asymmetry reduced by self-regulation |
| Administrative cost/discretion | Medium to high, as collective actions relieve some of the burden of dealing with individual complaints | High; the filing of individual complaints is common |
| Over/under-inclusion | Under-inclusion (high) for technological standards and governed subjects | Under-inclusion (high) for technological standards |

The table is based on the framework in Chapter 4, Standard-Setting, of Lodge & Wegrich (2012).

A closer examination of each country produces almost a tie. Although resistance might emerge, the acceptability of the regulation remains relatively high, given that it caters to concentrated interests (Baldwin et al., 2012). The management-based approach adopted by both also involves trade-offs. The generality of the UK’s laws is offset by the specificity of its guidelines and regulator, which affects transparency, verifiability, administrative cost/discretion, and the variety of information-gathering channels.

It seems that information-gathering relies heavily on feedback from those impacted. But unlike the US, the UK encourages the hiring of a Data Protection Officer (DPO) to extend the channels of information-gathering. Non-compliance is normally disclosed in lawsuits in both countries, and the punishment for violations of the rules is an administrative fine of varying size, depending on the severity of the violation.

For enforcement, the classic “command and control” approach appears to be the primary instrument (Lodge & Wegrich, 2012), but with some variants. While the US approach fits more neatly into the concept, the UK’s “principle-oriented” style weakens its effectiveness to some extent. Fortunately, these issues have been addressed by supplementing more detailed guidelines and empowering the functions of the ICO. In both cases, the regulated parties are supposed to follow the rules to avoid blame and punishment, but the driving forces might differ because of the distinctive regulatory designs.

The effectiveness of biometric regulation is difficult to determine, as the increasing number of cases does not necessarily imply worsening conditions but rather increasing awareness of biometric information protection. Also, neither country audits compliance, and therefore violations are not easy to detect.

Discussion on Advantages and Disadvantages

BIPA targets biometric information, which might otherwise be categorized as general data or even be ignored. The “written-down” clauses are brief, making the regulation easier to understand and execute (Lodge & Wegrich, 2012). The high level of autonomy of the states and cities offers flexibility and incentivizes localization of the regulation. The increasing amount of legislation in the field is also worth noting.

On the other hand, inconsistency, double standards and weakened effects are some of the biggest challenges for the US biometric regulatory system. The standards adopted are not always consistent across states and cities, impeding comprehensive regulation of biometric technologies and information. Enterprises could possibly circumvent certain punishments by shifting their operations to another jurisdiction. The exclusion of government from the regulated parties, another loophole, also invites attention. Throughout the years, the legislation has focused merely on modifying the behaviors of the business sector while neglecting the public sector, which might use the data invasively. As such, people’s fears cannot be properly addressed. And although more and more jurisdictions have started to pay attention to biometric regulation, the newcomers tend to bring weaker versions, undermining the potential effectiveness of data protection.

The UK has offered a holistic approach to regulating biometric usage. One of the biggest highlights of the UK practice is that it categorizes the scope in a more detailed way. For example, it does not only target the private sector; the public sector is also governed and restricted by the laws. In addition, it clarifies the scenarios for implementing biometric technologies. It also offers a very specific accountability framework to encourage self-regulation, as both a relief from the government’s administrative burden and a shortcut to improving overall efficiency. Also, the ICO can concentrate on its oversight activities and demonstrate its professionalism, a huge difference from arrangements that might blur the responsibilities of different government divisions.

But the government treats biometric information in the same way it deals with traditional data (although it classifies biometric information under a special category). To make things worse, some of the laws do not even target the right spot. For instance, the Protection of Freedoms Act 2012 placed its focus on intrusion of privacy by the public sector. As a result, a wide gap remains for biometric-specific legislation.

Nevertheless, there are some shared disadvantages. For instance, the penalties for non-compliance are not strong enough. The “up to $5,000” administrative sanction (BIPA, 2018) might not sufficiently compensate for the related losses, and its deterrent effect might also be limited (Lodge & Wegrich, 2012). The seemingly more severe UK approach, with fines of more than 10 million, is undermined by the principle-oriented issue (Lodge & Wegrich, 2012). Also, given the relatively passive information-gathering, non-compliance events are normally dealt with retrospectively, a trend that cannot be easily changed.

Key Lessons for the Government of Amnesia

Anticipate the risks before launching a new technology. The advancement of technology is irreversible. But in the absence of adequate evidence of harm, the “precautionary principle” does not always work well (Foster et al., 2000). As we can observe from the cases of the US and the UK, regulation lags far behind the application of biometric technologies. Despite the high degree of uncertainty surrounding emerging technologies, there are still alternatives that the government can consider adopting to ensure the well-functioning of the system and adaptation to the unknowns. One example is the regulatory sandbox that has been widely adopted in the financial sector, as it brings together various participants and exposes real operational problems that are otherwise uncontrollable in a large-scale setting. In fact, the UK government is now planning to use this tool for better biometric regulation (ICO, 2022).

Attach importance to the regulation of related technologies. Currently, the regulatory focus is placed on biometric information, to the extent that the related biometric technologies seem to be ignored. While management-based standards offer a high level of flexibility, misinterpretation of the requirements would be problematic (Baldwin et al., 2012). And even when people follow the instructions, there are still technical issues due to the vulnerability of the technologies or systems. Therefore, it is suggested that “technology-based” standards (Baldwin et al., 2012) be created to cover the blind spots, or at least that they be issued as guidelines. Apart from setting detailed rules on the proper handling of biometric information, regulation should also keep pace by specifying the relevant technologies that identify, collect, process, and store the data.

Privacy-related regulation is supposed to set codes for the government as well. From the comparison, we can find the root of the huge gap in rankings (Comparitech, 2019; 2022) between the two countries. While both adopted regulation on biometrics for private entities, the US did not constrain the application of biometric technologies and the handling of biometric information in the public sector. While governments are supposed to perform their duties in data collection, they should also be aware of the side effects of overusing their powers. The biometric field is a good opportunity for governments to demonstrate their commitment to safeguarding privacy. Otherwise, the double standard will put the government into “regulatory capture” (Baldwin et al., 2012), which might damage public trust.

Find alternatives to balance innovation liberation and risk reduction. Both the US and the UK have provided good examples of diversifying their approaches. Although the US approach seems fragmented, the “pilot scheme” mindset it involves is worth studying. Although BIPA did not cover the entire country, it alerts those operating outside the state (Lodge & Wegrich, 2012) while leaving leeway for innovation. In a different manner, the UK achieved the liberation of innovation by pinpointing the usages in different scenarios. Apart from these, we can seek help from technical solutions, for example separating the equipment or algorithms for data collection, processing, and storage. As such, the technologies can achieve the purpose of authentication without storing the original sensitive information. Meanwhile, an elevation of punishment should also be considered under these variants to increase deterrence (Lodge & Wegrich, 2012).

Facilitate same-level and cross-level collaboration. The notion of co-regulation (Lodge & Wegrich, 2012) matches the biometric landscape. The use of biometrics is not solely a local issue. It goes beyond nationalities, which calls for international cooperation. Unfortunately, we did not observe collaboration either at the same level or across levels in the context of the US and the UK. The World Wide Web has connected people in the global community but also leaves an entry point for cybercrime and hacker attacks. For biometrics, governments are supposed to seek networks in the global community, as the issue concerns human rights in general. The starting point can be setting ISO standards for the technologies. While the procedures are too difficult to intervene in at the international level, international organizations can publish guidelines for voluntary compliance.

References

  1. Avelar, T. (2022, May 18). Facebook checks for $397 hit Illinois bank accounts. NBCNews.com. Retrieved December 13, 2022, from https://www.nbcnews.com/tech/tech-news/facebook-checks-397-hit-illinois-bank-accounts-rcna29280
  2. Baldwin, R., Cave, M., & Lodge, M. (2012). Understanding Regulation: Theory, Strategy, and Practice (2nd ed.). Oxford University Press. https://doi.org/10.1093/0191617776.001.0001
  3. Bernat, S. M. (2012, August 8). Biometrics: Enhancing security in the public and private sectors. Asia Pacific Security Magazine. Retrieved December 17, 2022, from https://www.asiapacificsecuritymagazine.com/biometrics-enhancing-security-in-the-public-and-private-sectors/
  4. Biometric Information Privacy Act, 740 ILCS 14 (2008). https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
  5. Bischoff, P. (2022, April 4). Biometric data collection by country: What's collected, how is it used? Comparitech. Retrieved December 18, 2022, from https://www.comparitech.com/blog/vpn-privacy/biometric-data-study/
  6. Bischoff, P. (2019, October 15). Data privacy laws & government surveillance by country. Comparitech. Retrieved December 18, 2022, from https://www.comparitech.com/blog/vpn-privacy/surveillance-states/
  7. Brindley, B. (2022, March 1). (UK) GDPR: Consequences of non-compliance. Blacks Solicitors LLP. Retrieved December 18, 2022, from https://www.lawblacks.com/2022/02/21/uk-gdpr-consequences-of-non-compliance/
  8. British Council. (2019). Culture keeps US-UK relationship special. British Council. Retrieved December 17, 2022, from https://www.britishcouncil.org/research-policy-insight/insight-articles/culture-keeps-us-uk
  9. Bryan Cave Leighton Paisner LLP. (2021). U.S. biometric laws & pending legislation tracker. Bryan Cave Leighton Paisner. Retrieved December 18, 2022, from https://www.bclplaw.com/en-GB/insights/us-biometric-laws-and-pending-legislation-tracker.html
  10. European Data Protection Supervisor. (2022). The history of the General Data Protection Regulation. European Data Protection Supervisor. Retrieved December 18, 2022, from https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en
  11. Foster, K. R., Vecchia, P., & Repacholi, M. H. (2000). Science and the precautionary principle. Science, 288(5468), 979–981. https://doi.org/10.1126/science.288.5468.979
  12. GDPRADVISOR. (2022, June 1). UK GDPR updated for Brexit. UK GDPR. Retrieved December 18, 2022, from https://uk-gdpr.org/
  13. Guo, E. (2021, August 31). This is the real story of the Afghan biometric databases abandoned to the Taliban. MIT Technology Review. Retrieved December 13, 2022, from https://www.technologyreview.com/2021/08/30/1033941/afghanistan-biometric-databases-us-military-40-data-points/
  14. ICO. (2022). Our key areas of focus for the regulatory sandbox. ICO. Retrieved December 18, 2022, from https://ico.org.uk/for-organisations/regulatory-sandbox/our-key-areas-of-focus-for-the-regulatory-sandbox/
  15. Kanapienis, L. (2021, May 20). Council post: Businesses, be aware: A new wave of biometric crimes invades the digital space. Forbes. Retrieved December 13, 2022, from https://www.forbes.com/sites/forbesbusinesscouncil/2021/05/20/businesses-be-aware-a-new-wave-of-biometric-crimes-invades-the-digital-space/
  16. Lodge, M., & Wegrich, K. (2012). Managing Regulation: Regulatory Analysis, Politics and Policy. Bloomsbury Publishing Plc.
  17. Lomas, N. (2022, June 28). UK urgently needs new laws on use of biometrics, warns review. TechCrunch. Retrieved December 18, 2022, from https://techcrunch.com/2022/06/28/uk-biometrics-legal-review/
  18. Manahan, S. E. (2021, February 27). 2.7: Reduction of risk - hazard and exposure. Chemistry LibreTexts. Retrieved December 17, 2022, from https://chem.libretexts.org/Bookshelves/Environmental_Chemistry/Green_Chemistry_and_the_Ten_Commandments_of_Sustainability_(Manahan)/02:_The_Key_Role_of_Chemistry_and_Making_Chemistry_Green/2.07:_Reduction_of_Risk-_Hazard_and_Exposure
  19. Office of the Privacy Commissioner of Canada. (2022, March 1). Data at your fingertips: Biometrics and the challenges to privacy. Office of the Privacy Commissioner of Canada. Retrieved December 13, 2022, from https://www.priv.gc.ca/en/privacy-topics/health-genetic-and-other-body-information/gd_bio_201102/
  20. Taylor, J. (2019, August 14). Major breach found in biometrics system used by banks, UK police and defence firms. The Guardian. Retrieved December 13, 2022, from https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms
  21. Tsukayama, H. (2022, July 5). Trends in biometric information regulation in the USA. Ada Lovelace Institute. Retrieved December 18, 2022, from https://www.adalovelaceinstitute.org/blog/biometrics-regulation-usa/
  22. U.S. Department of State. (2022, September 9). U.S. relations with United Kingdom. U.S. Department of State. Retrieved December 17, 2022, from https://www.state.gov/u-s-relations-with-united-kingdom/