Facing up to biometrics

Published on the 15/08/2024 | Written by Heather Wright


Code concerns and the A/NZ view on biometrics…

Many Kiwis are concerned about the use of biometrics, particularly for surveillance, and about government or private businesses using biometrics at the expense of individual privacy.

The Office of the Privacy Commissioner, which released a draft code of biometrics practice in April, is considering 250 submissions around the possible new rules for biometric processing.

“Almost every one of the submissions … told us that people were concerned about the use of biometrics.”

Privacy Commissioner Michael Webster says almost every one of the submissions from members of the public expressed concern about the use of biometrics in New Zealand.

Of the 250 submissions, 180 were from members of the public, with the remaining 70 from businesses, industry groups, government agencies, individual experts and advocacy organisations.

Many viewed biometrics as an invasion of their privacy, and called for organisations to be required to provide an opt-out option.

The exposure draft code of practice, if adopted, would modify some of the privacy principles in the Privacy Act 2020.

It included three main proposals:

  • Adding a requirement to do a proportionality test and to put in place appropriate privacy safeguards
  • Additional notification and transparency obligations
  • Fair processing limits that restrict some uses of biometric classification.

The collection of health, inner state or physical state information, or of information to categorise individuals under an age group or a category deemed a prohibited ground of discrimination under the Human Rights Act, among others, would be prohibited.

Biometric checks such as facial recognition are already widely used by agencies including Customs and Internal Affairs. A trial of facial recognition technology by Foodstuffs prompted concerns early this year, as did reports last year that a number of retailers in Australia were using facial recognition.

In Australia, the Privacy Survey Report from the Office of the Australian Information Commissioner a year ago also highlighted concerns around the use of biometrics. It found more acceptance of, and trust in, public sector use of biometric data than private sector use. Australians were also more at ease with one-to-one uses of biometric information – such as confirming a person’s identity – than one-to-many, such as comparisons against large databases containing the information of many individuals.

A survey from Monash University into facial recognition technology found similar results.

Carly Kind, Australia’s Privacy Commissioner, said late last year that the country’s biometric legislation is increasingly out of date, with a mismatch between how quickly biometric technologies are moving and how well they are appropriately regulated in different jurisdictions.

The Digital ID Bill 2024 and Digital ID (Transitional and Consequential Provisions) Bill 2024, to formally establish and provide a framework for the country’s digital ID system, passed in the Senate in March and passed the House of Representatives in May.

Back in New Zealand, industry body NZTech has expressed concern over the proposed Code of Practice, so much so that it wrote an open letter to government officials saying it believes the code could have ‘significant’ negative effects on businesses, innovation and the economy.

When the proposed code was released, Digital Identity NZ also flagged concerns, including multiple definitions used for biometrics and inconsistency with the ISO definition of ‘biometric sample’.

Graeme Muller, NZTech’s CEO, says the code’s restriction of the use of biometrics, including AI and health data, is seen as ‘overly prohibitive and lacking flexibility’.

“The code’s muddled rules, definitions and exceptions will make risk assessments too difficult and arguably defeat the purpose of the Office of the Privacy Commissioner issuing a code of practice – to provide clarity and certainty to industry and the public,” he says.

“The irony is that biometrics have the potential to preserve anonymity, so impeding investment decisions will prevent businesses from making privacy improvements.”

Key among NZTech’s concerns are the restriction of AI and the collection of health information, biometric classification and difference from existing Office of the Privacy Commissioner codes.

“Our input during consultations has been ignored, despite representing a significant portion of the tech sector.”

NZTech’s ‘urgent plea’ for government intervention resulted in conversation with the Privacy Commissioner, who assured NZTech the process is ‘far from finished’ and feedback is still being reviewed with further opportunities for engagement.

If the New Zealand biometrics code is issued, there would be a six-month transition period to enable organisations already using biometrics to bring activities into compliance.
