It’s been a busy couple of weeks in regulatory news in the world of biometric and identity technologies. Here’s our roundup of some of the most important developments to have emerged so far this month, including ongoing BIPA proceedings:
The White House has set a date for its stakeholder meeting concerning plans to introduce a cybersecurity labelling system for Internet of Things devices, saying it will convene on October 19. “We’ve invited a range of stakeholders from device manufacturers, industry associations … and members of Congress to discuss what is needed to foster an effective IoT security labeling ecosystem,” said Stephen Kelly, the National Security Council’s Senior Director for Cybersecurity and Emerging Technology.
The European Parliament Committee on Civil Liberties, Justice and Home Affairs has approved a proposed legislative amendment that would establish guarantees of pseudonymity for end users as part of the legal framework for the EU’s digital identity wallet. The proposed amendment would also allow users to opt out of cloud storage of digital IDs. Read the full story on Mobile ID World.
California’s Bureau of Automotive Repair (BAR) has begun enrolling smog check inspectors’ palm biometrics as part of an effort to curb fraud at smog test stations. It’s the result of new regulations that also include a requirement to install webcam monitors at testing stations. The BAR hasn’t yet set an official date by which biometric enrolment will become mandatory, but says that it will provide a 30-day notification period prior to that date.
The White House’s Office of the National Cyber Director (ONCD) is working on a national strategy for “cyber training and education, digital awareness, and the cyber workforce,” and has issued an open call for third-party input. The strategy has a strong focus on training, recruitment, and diversity. In addition to written responses, the ONCD says it is also looking for “a limited number of innovative speakers” to present to government entities on one of a number of topics laid out in its RFI.
Australian government officials have scheduled the first Digital and Data Ministers’ Meeting in six months, with plans to convene in November. It will be the third such meeting of the year, and the first since the massive hack attack against Australian telecom Optus, in which up to 9.8 million customers’ data was exposed. Speaking to InnovationAus.com, Minister of Finance Katy Gallagher said the meeting will focus on “how we can ensure that Australians can access safe, secure and trusted government services online.”
The Biden administration has announced a so-called “AI Bill of Rights”, though it is a white paper, and not a piece of legislation. Credited to the Office of Science and Technology Policy (OSTP), the document broadly calls for the conscientious development and deployment of AI technologies like facial recognition, arguing that citizens should have control over their data and that AI systems should not be discriminatory. Marc Rotenberg, the head of the Center for AI and Digital Policy, told MIT Technology Review that the document is “clearly a starting point” for the AI ethics discussion.
The Canadian House of Commons ethics committee has published a new report urging the federal government to put a moratorium on the use of facial recognition technology by police, unless law enforcement agencies have obtained authorization to do so from a judge or the country’s privacy commissioner. The report suggests that the facial recognition pause should be in place until an explicit legislation framework is created to govern the technology’s use.
Canada’s Privacy Commissioner is refusing to offer his opinion regarding a proposed federal privacy bill, saying he wants to wait until Parliament debates the legislation before giving his two cents. Bill C-27 includes the Artificial Intelligence and Data Act and the Consumer Privacy Protection Act, and is aimed at updating the incumbent Personal Information Protection and Electronic Documents Act (or “PIPEDA”). But a previous effort to update the country’s digital privacy rules had failed amid criticism from the previous Privacy Commissioner, with the government having been unable to get substantial backing from lawmakers. The House Committee on Access to Information, Privacy and Ethics has not yet set any dates for hearings on the matter.
The Colorado Attorney General’s Office has published a draft proposal of rules for the Colorado Privacy Act (CPA), which now includes a definition of biometric data with respect to the CPA’s requirement that controllers obtain consent for the collection of biometric data. Along with the proposed rules, the Office has announced three stakeholder meeting dates – for November 10, 15, and 17 – as well as a public hearing on February 1, 2023.
The BIPA Beat:
Papa John’s has become the latest major brand to face a lawsuit under Illinois’s Biometric Information Privacy Act (BIPA). The restaurant chain is accused of collecting the voice biometrics of customers who used its PapaCall automated voice-ordering system without providing the proper disclosures, and without obtaining customers’ explicit consent, thereby violating BIPA. The plaintiff, Nicholas Pope, has requested a jury trial for the case.
RelaDyne, a provider of automotive, commercial, and industrial lubricants, has agreed to a $120,900 settlement over a lawsuit under Illinois’s BIPA. RelaDyne was accused of failing to obtain written consent from workers for its collection of their biometrics with respect to the use of a fingerprint-scanning time clock, as well as failing to provide certain disclosures required under BIPA.
BNSF Railway has lost its legal battle over a BIPA lawsuit. The case was the first jury trial of a BIPA case, and the jury has sided with the class of 44,000 truck drivers who alleged that the railway failed to obtain their written consent for its collection of their biometric data, a violation of Illinois’s expansive privacy law. BNSF is now facing a payout of up to $228 million in damages.
Envoy Air, a subsidiary of American Airlines, will pay $300,000 to 350 claimants in a class action lawsuit filed under the Biometric Information Privacy Act. The plaintiffs alleged that the airline collected workers’ fingerprint and handprint biometrics for a time and attendance tracking system without obtaining their written consent, a violation of BIPA. The settlement has received preliminary approval from the presiding judge.
October 14, 2022 – by Alex Perala