Recently, a selection of retailers around the country have been trialing a biometric security tool that takes security footage to the next level — your face gets scanned upon entry and run through a database comparing you against the stored identities of previous offenders.
This tool is known as Facial Recognition Technology (FRT). Considerations around the use of FRT and whether the current methods of informing those it impacts are adequate, have sparked some controversy.
To help address some of these considerations, an exposure draft of a new Biometric Processing Privacy Code (the Code) has been released and is available for public consultation until 8 May 2024.
The proposed Code sets out a number of specific Rules on how businesses and organisations can collect, use, store, and disclose biometric information, as well as transparency requirements around its use.
Collection of biometric information
Rule 1 of the Code proposes safeguards for collection of biometric information, including that biometric information must not be collected unless:
(a) the information is collected for a lawful purpose connected with a function or an activity of the agency;
(b) collection of the information is necessary for that purpose;
(c) the agency has adopted or implemented such privacy safeguards as are reasonable in the circumstances (if any); and
(d) the agency believes, on reasonable grounds, that the biometric processing is not disproportionate in the particular circumstances.
Transparency obligations
Rule 3 of the Code proposes specific transparency and notification requirements. An agency that collects biometric information must take steps to ensure that affected persons are aware of:
(a) the fact that biometric information is being collected; and
(b) each specific purpose or purposes for which the information is being collected.
It also sets out a proposed range of matters that affected persons are required to be notified of if the agency is collecting biometric samples, including for example who the intended recipients are, the consequences of not providing the biometric information, and any alternative options to biometric processing that may be available.
It is interesting to consider these proposed safeguards and requirements in light of the current FRT trial that some retailers are undertaking.
Purpose and necessity: It can be argued that the implementation of FRT in retailers has the dual purpose of supporting store owners to uphold their duty to ensure their store is safe for its employees and consumers from violence and assaults, while simultaneously reducing the risk of theft by repeat offenders. This may be a real life example of ‘using a sledgehammer to crack a nut’. In the assessment, each purpose is considered in light of whether FRT is an essential tool to achieve its objective. If FRT is not deemed essential to achieve the agency’s purpose, the agency should consider whether there are alternative means to achieve the desired purpose.
Privacy safeguards: We foresee some limitations, particularly relevant to the collection of biometric information from children as they are unable to provide informed consent. Presumably biometric information collected from FRT would need to have additional safeguards in place and it would be interesting to see how this is managed in practice when stores are collecting and holding a range of different types of information from individuals.
Proportionality: This involves an assessment of whether the implementation of FRT is proportionate to the harm or risk that it is intended to reduce. For example, whether instances of trespass, shoplifting and assaults occur sufficiently regularly enough to be deemed “not disproportionate” to the collection of the sensitive information of millions of consumers who visit the retailers. It will be interesting to see if the outcome of the trial demonstrates a significant reduction in instances of any of these occurrences, which support a proportionality assessment.
Notification Requirements: Developments associated with what is to be deemed sufficient notice are also intriguing. Whether a boilerplate clause contained in the store’s updated terms of its loyalty program will be appropriate for the collection of biometric information or whether a more deliberate approach will be required to ensure that the public is sufficiently informed. Potentially, a more informative approach may encounter a large sign at the entrance of the store’s premises, it could then be said by entering the premises it is implied that the consumer has consented to the collection of information. Or will notification be something entirely different? Should a deliberate form of acceptance be required given the sensitive nature of the information collected?
Food for thought
(a) Whether FRT will have a local or national database? There may be various issues if a national database is adopted, such as the right to freedom of movement.
(b) What other stores or services will require FRT?
(c) Dependent on the widespread adoption of FRT, whether New Zealanders will continue to enjoy a reasonable expectation of privacy in public places?
With the consultation period ending on 8 May 2024, we will vigilantly watch this space!
For any questions or advice on this matter, please contact our Business & Commercial Law Team.