At a glance.
- State and Federal biometric regulations under consideration.
- Proposed US Federal controls over facial recognition software.
- National styles in data protection.
US states, FTC: hands off the faces.
Legislators in the US state of New York have introduced a biometric privacy bill which, Biometricupdate.com reports, would prohibit private organizations from profiting from iris, retina, voice, face, fingerprint, and hand identifiers. The bill would also set a clear timeline for disposing of biometric data, require organizations to protect biometric data at least as well as they protect their own proprietary data, and bar them from using or disclosing identifiers without written consent. Each violation could carry a five-thousand-dollar penalty. The bill bears some similarities to Illinois's 2008 Biometric Information Privacy Act.
JD Supra notes that the US states of Texas and Washington also have biometric privacy laws, in a discussion of Everalbum's settlement with the Federal Trade Commission (FTC), under which Everalbum agreed to dispose of algorithms built from customers' images. Accused of misleading users, the photo-storage firm further agreed to delete data from deactivated and non-consenting accounts, to represent its policies honestly, and to obtain affirmative consent going forward. Class-action lawsuits are likely to follow. The Director of the FTC's Bureau of Consumer Protection commented that "ensuring that companies keep their promises to customers about how they use and handle biometric data will continue to be a high priority." JD Supra recommends that all organizations handling biometric data design for privacy, transparency, and choice, and sit down with their lawyers.
A ban on Federal facial recognition?
Reuters reports that some members of Congress plan to reintroduce legislation that would outlaw Federal use of facial recognition technology, notwithstanding the role the technology is currently playing in apprehending Capitol intruders. Motivating considerations include the potential for racial discrimination and enhanced surveillance.
Comparing national data protection laws.
Lexology details differences between the EU’s General Data Protection Regulation (GDPR) and Singapore’s Personal Data Protection Act (PDPA), characterizing the GDPR as the more exacting of the two, with its larger fines, meticulous categories, and focus on consumer rights. Recent amendments, however, are moving the PDPA closer to the GDPR.
While the GDPR covers both public and private entities, the PDPA regulates only private entities. Both laws deal in terms of data processors, data controllers, and Data Protection Officers, and include provisions on portability, cross-border transfer, and Data Protection Impact Assessments. Although both mandate disclosure of data processing and place guardrails around implied (negative) consent, the GDPR comes with stricter consent and breach notification rules, and the PDPA doesn't give individuals a right to demand deletion of their data. Under the GDPR, consumers can access their data for free, and in a machine-readable format to boot. Under the PDPA, companies can charge a fee for access.