We have had some very interesting discussions in our Privacy and Policy Expert Group (PEG) around some of the recent stories on the use of biometrics for a hotel loyalty programme and for payment transactions.
The PEG discusses the responsible use of biometrics regularly. Biometrics have a place: they offer increased security and greater convenience, but proportionality remains a key principle of the Biometrics Institute Privacy Guidelines. The PEG will next meet during the Biometrics Congress and PIA Workshop, 16-18 October in London.
So, where do we draw the line as an industry community? Where do biometrics fit into our everyday interactions? What are the data protection concerns and ethical questions we should think about?
We have put some questions to our PEG which we would like to share with you.
‘Although the GDPR (General Data Protection Regulation) only applies to EU member states, how does it apply in reality to other jurisdictions in other countries?’
At a commercial level, companies that are not based in the European Union but conduct business there are already significantly wary about privacy, particularly businesses reliant on the harvesting and usage of personal data. If nothing else, the size and scope of the possible penalties is a factor, given that many jurisdictions around the world have had relatively soft penalties for privacy breaches.
Even the world’s biggest data-based companies could be daunted by possible fines of 20 million euros or 4% of worldwide annual turnover, whichever is higher. Reputational damage is also a key concern in an area where customer and community trust is important. In sheer marketing terms, the size of the EU market is too big to ignore, so, in terms of business planning, ‘privacy and the responsible use of data’ is likely to be much more at the forefront of commercial decision makers’ minds. Big penalties are also an effective way to ensure that miscreants receive prominence in the media.
At a regulatory level, the GDPR is geographically limited. However, as with the early OECD privacy rules, there is often a spill-over into other countries, sometimes driven by previously reluctant commercial businesses that want a level playing field, or at least certainty built into their planning. It also sets a benchmark for privacy advocates to promote privacy, especially whenever there are notorious breakdowns in privacy protection at either a government or commercial level. Whenever those major data breaches hit the headlines, media coverage almost always cites the GDPR as the gold standard of privacy protection.
It is noted that the UK immediately established its own privacy regime after Brexit but that regime was based almost word for word on the GDPR. I think it is fair to expect other countries outside the EU to follow at a lesser or equal level.
On an ethical level, the GDPR has a practical deterrent effect: “If you don’t improve your privacy performance you’ll get a GDPR-type regulatory regime.” It also returns privacy, ethics and human rights to centre stage in liberal countries.
The downside is that authoritarian regimes are based on conformity and intervention in the private lives of their citizens. There is not a lot that can be done with governments that spy on and repress their citizens, but in areas of international co-operation such as policing, travel, media and communications, anti-fraud measures, trade and security there are opportunities for freer countries to require higher levels of privacy protection.
Built into that non-regulatory environment is the need for individuals to play a key role in protecting their own personal data. New biometrically based hotel systems, such as smart speakers and biometric access or recognition controls, should be scrutinised by customers.
In what ways can organisations based outside the EU understand whether or not they can be affected by GDPR?
The first question any organisation needs to ask is whether or not it collects, stores, processes or transmits the personal data of individuals in the European Union. If it does, it comes under the ambit and reach of the GDPR. Offering goods or services to individuals in the EU over the internet, or advertising your services to them online, can also bring an organisation under the GDPR, even with no EU establishment. Companies should also be aware of situations where their customer data is processed in an EU country. For example, an Australian organisation may use a Spanish-based company for its servers, and some US companies could have their processing done in the Czech Republic. This type of outsourcing is not always brought to the proper attention of senior decision makers in the organisation.
Where do ethics come into the equation?
Put simply, there is the law, that is, a set of legal rules that must be followed. Then there is the question of ‘doing the right thing’; that is, an organisation goes beyond its statutory obligations and puts itself into the shoes of its customer. This is especially important when dealing with children or vulnerable people who may not be able to stand up for their rights, or who are deliberately misled by organisations that fulfil their legal obligations under privacy law but rely on complex language or procedures to gain an advantage. This conduct may succeed for a while but, from time to time, the oppressive conduct becomes public through the media and/or whistleblowers from within that organisation.
An organisation like the Biometrics Institute has an important role to play precisely because it is committed to the responsible use of biometrics supported by its global multi-stakeholder community. It is raising awareness about some of the challenges and how to resolve them. The development of ethical principles for biometrics is one proposal which will be discussed at the Congress in October.
Where do commercial considerations become a factor that all organisations should consider?
Reputation and trust are the most valuable assets a commercial organisation can have. Commercial history is littered with the skeletons of businesses that have lost both. Others have been dealt significant share price blows by their failure to protect customer data, and even for delaying the reporting of major data breaches.
In some cases, the organisation has been forced to change its name to minimise the reputational damage caused by its negligence or venality. Put simply, many organisations understand that personal data is a gold mine. From improved customer service to a tradable commodity, personal data is the new currency of the 21st century. Much of that data is, or has been, supplied free by customers, and there is a temptation to commercialise it. This presents some real ethical challenges.
Questions around biometrics and ethics will be further discussed in our global forum, the Biometrics Congress, and we look forward to a healthy debate and some actionable outcomes.