The growing legal and regulatory implications of collecting biometric data



In the last few years, consumers have increasingly used biometric technologies, from fingerprint to facial recognition, for a wide range of use cases, from payments to checking luggage at an airport or boarding a plane. While these technologies often simplify the user authentication experience, they also introduce new privacy challenges around the collection and storage of biometric data.

In the US, state regulators have reacted to these growing concerns around biometric data by enacting or proposing legislation. Illinois was the first state to enact such a law, the Biometric Information Privacy Act (BIPA), in 2008. BIPA regulates how private organizations can collect, use, and store biometric data. BIPA also enables individuals to sue organizations for damages based on misuse of biometric data.

Though it is a decade old, BIPA has recently gained renewed prominence owing to a January 2019 Illinois Supreme Court ruling, Rosenbach v. Six Flags. In this case, parents of a minor sued the Six Flags Great America amusement park in Gurnee, Illinois, arguing that the park collected biometric data without consent, in violation of BIPA. As a side note, amusement parks increasingly require individuals to scan their ticket, followed by a biometric scan at a turnstile. This process is primarily an anti-fraud measure: if you lose your ticket or pass, you provide your biometric data at a customer service counter to obtain a new one. This deters fraudsters from trying to get a free pass by claiming theirs was lost.

The Illinois Supreme Court reversed the lower court rulings and ruled that Six Flags had violated BIPA. Importantly, the Illinois Supreme Court ruled that plaintiffs did not have to demonstrate damages or harm (such as identity theft) from the collection of biometric data. The improper collection of biometric data was enough to enable individual consumers to sue organizations under BIPA. 
