(Image source: https://www.buzzfeednews.com/article/daveyalba/house-oversight-committee-hearing-facial-recognition)

Technology is based on making tasks we do everyday more convenient. New technology that has been taking companies by storm is the use of Facial Recognition Technology (“FRT”). Right now there is little law on point that directly addresses the dangers that may come with FRT. Many experts state that FRT involves greater dangers than other biometric authentication: the technology and database already exist (e.g. drivers license databases vs. no fingerprint in database unless crimes are committed); faceprints are easier to collect without consent from afar; constitutional issues; racial biases both intentional and unintentional. Because of the lack of federal law, some large tech companies have called the country to take notice and called for federal legislators to take action. Certain members of Congress have asked for a hearing and some have also asked for a GAO report on the technology. It is unclear whether these cries are aware of the 2015 GAO report on the technology or they are asking for an update given how quickly technology changes.

Currently, privacy law protects the public by a means of self-management, meaning consumers are responsible to protect themselves for any contracts that implicate privacy. On top of that, some states have law protecting citizens only from private companies from misusing biometric data: Texas, Washington, Illinois. All of these statutes follow a notice and consent model.

The movement of concern comes likely as a response to Facebook’s suit under Illinois’ BIPA (Biometric Information Protection Act) law. Illinois law is considered the most robust law protecting an individual’s right to his/her own biometric data. Three cases main cases have come under the Act: Rosenbach v. Six Flags Entertainment Corp., 2017 Ill. App. 2d 170317 (2017), rev’d, 2019 IL 123186 (2019), Rivera v. Google Inc., 238 F. Supp. 3d 1088 (N.D. Ill. 2017), and In re Facebook Biometric Information Privacy Litigation, 185 F. Supp. 3d 1155 (N.D. Cal. 2016). In Rosenbach, the court concluded that a BIPA plaintiff is required to do more than allege a technical violation of the Act, and that a defendant’s failure to provide notice or obtain consent before collecting biometric data is not enough to meet BIPA’s “aggrieved by” standard. However, just recently the Supreme Court of Illinois overturned that decision. After lengthy analysis of statutory interpretation, the court ultimately held that suffering actual damage is not necessary for a plaintiff to qualify as aggrieved. Further stating that the appellate court’s prior holding that the violation of the law was merely technical in nature misunderstands the purpose of the legislation and the harm the law seeks to prevent. This brings the case further in line with In re Facebook Biometric Information Privacy Litigation & Gullen v. Facebook Inc. where the court held that BIPA codifies a right of privacy with regard to personal biometric information, and that a violation of that right is sufficient for a cause of action under BIPA. In Rivera, the court held that the BIPA does not dictate how biometric measurements must be obtained and thus defendant’s motion to dismiss was denied.

These cases, especially the reversal of Rosenbach, shows that these privacy matters are being more and more valued. A simple technological violation is sufficient as a harm. However, it is still unclear how the Federal Government aims to resolve privacy law issues in protecting biometric data and if the notice and consent model that states are using is sufficient to protect interests.

Questions to consider:

1. Is facial recognition truly different from other biometric authentications?
2. Is federal legislation necessary to protect the public or is state law sufficient?
3. Does the public truly care about their privacy? There is great debate on how much we care about our privacy given our presence on social media and lack of reading the terms and conditions our uses of these websites is governed by.

Relevant links:

“As Concerns Over Facial Recognition Grow, Members Of Congress Are Considering Their Next Move” – https://www.buzzfeednews.com/article/daveyalba/house-oversight-committee-hearing-facial-recognition

“Data Privacy Legislation Is Coming for Big Tech” – http://fortune.com/2019/03/01/data-privacy-legislation-us/

“Facial Recognition Is the Perfect Tool for Oppression” – https://medium.com/s/story/facial-recognition-is-the-perfect-tool-for-oppression-bc2a08f0fe66

Microsoft: “Facial recognition: It’s time for action” – https://blogs.microsoft.com/on-the-issues/2018/12/06/facial-recognition-its-time-for-action/

Amazon: “Some Thoughts on Facial Recognition Legislation” – https://aws.amazon.com/blogs/machine-learning/some-thoughts-on-facial-recognition-legislation/

GAO Report on FRT – https://www.gao.gov/products/GAO-15-621