Australia’s existing privacy laws are inadequate to deal with the myriad questions raised by the wholesale collection and use of biometric data, a legal expert has argued during an ACS panel session exploring the challenges posed by the proliferation of biometric systems.

The existing protections of the Privacy Act 1988 were primarily designed to protect data but the legislation “was never designed to address the fundamental right to privacy, which is broader than just data protection,” University of Sydney Law School professor Kimberlee Weatherall explained during the recent ACS Think Tank session: Passwords, Privacy and Power, the fourth in the series.

“One of our problems in relation to facial recognition is that we are trying to deal with this technology under a law that’s not designed for that purpose,” she explained.

Explicit controls around the collection and sharing of fingerprint, face recognition, and other biometric data – as well as the consent issues raised by use of the systems in public spaces like Bunnings and Kmart – should be addressed during the government’s ongoing Privacy Act review, Weatherall said.

“The Act was never designed to really address questions around surveillance – which is why we need recognition of a broader right to privacy where we can talk about what use of this technology is reasonable.”

Such discussions have generally only emerged after the discovery of cases of biometric overreach – but that approach has proved inadequate for firms like IBM, which withdrew from the facial recognition market in mid-2020 after CEO Arvind Krishna warned of the risks of “mass surveillance, racial profiling [and] violations of basic human rights and freedoms” and called for a national dialogue about the technology’s use.

“The position is that there needs to be precision regulation and laws that deal specifically with biometrics,” IBM ANZ Cybersecurity and Cloud practice lead Deanna Gibbs told the panel.

“There may well be particular use cases where that is appropriate, but there needs to be that regulatory framework that sits around the use, and it needs to be very tailored to particular circumstances.”

This reckoning needed to address “immediate and important” questions around biometric data, Weatherall added, including whether firms should be keeping this data, or whether they should be required to delete it once they no longer use it or need it.

“We need law reform to actually affirm a fundamental right to privacy,” she said, “to start to deal with some of these questions around surveillance. And we need to review data protection laws, particularly around things like minimising and deleting data.”

“There’s a lot of work to do.”

Looking for the red lines

Concerns over the adequacy of existing laws around biometrics are nothing new, but they have taken on a renewed urgency in the wake of the devastating breaches of Medibank, Optus, Medlab Pathology, and others – all of which have poured sensitive personal information onto the internet for public access and sale to the highest bidder.

The real-world inconveniences of such breaches can only compound concerns about the collection of biometric data – which, assistant secretary of the Department of Home Affairs Identity and Biometrics Policy and Futures Branch Kavitha Kewal said, ranges from “non-contentious” applications such as driver’s licenses or passports to “more controversial” applications such as the use of face recognition in public places.

General-use face recognition had proven particularly problematic, with concerns about a China-style surveillance system necessarily being balanced against the potential benefits of, for example, being able to quickly find and detain persons of interest.

Biometrics “is a great tool for national security and law enforcement purposes,” said Kewal – whose team has been leading the incident management response to the Medibank and Optus breaches – “but it needs to come with the appropriate legislation on oversight, transparency, and controls as well.”

“From a departmental perspective, it does need to have broader consultation around what is the appropriate ethical use of biometrics,” she added. “When is it OK for governments to use biometrics without somebody’s consent, and in what circumstances would we do that?”

Issues of trust are fundamental to the discussion, Christopher Radbone, chief operating officer of the Australia Medic Alert Foundation and a national board member of the ACS South Australian branch executive, pointed out.

Noting the government’s recent move to consolidate state driver’s license data into a single national database, Radbone said, “the question is: have we specifically as a consumer consented to that being the case? Probably not.”

“We’ve trusted that the government agencies are the right people to look after that information, and have rules and processes – but [as digital governments and companies] how do we generate the same level of trust?”

Although facial recognition could theoretically be helpful in finding people with dementia who go wandering – a constant issue in Radbone’s day job – the other complexities of widespread facial recognition have not been adequately addressed yet, he said, “and we’re a long way from there.”

Even as state governments rushed to reissue driver’s licenses and passports to head off potential use of stolen data for identity theft, different forms of identity are now being openly discussed – and they will require technological enablement to become viable.

The use of “biometrically anchored identities”, for example, would reduce reliance on paper documents and enable the more instantaneous creation and reissuing of digital identities – “but we need to have the architecture to support that as well,” Kewal argued.

“There are a lot of positives in the use of biometrics, but it also needs to have the right governance arrangements in place.”

The ACS Think Tank series can be found at the ACS YouTube channel.