In comments filed October 20th, EPIC urged the UK Information Commissioner’s Office (ICO) to make updates to its draft biometric data guidance. The guidance is meant to instruct organizations using biometric systems and vendors of these systems on good practice and legal obligations. EPIC recommends that the ICO expand the guidance to (i) address the pervasive ties between law enforcement and private companies’ biometric data and systems; (ii) establish baseline security standards for biometric processing, including a template risk assessment; and (iii) detail the risks of scale and scope of harm present where AI is integrated into biometric systems.
The guidance explicitly does not cover law enforcement or security service use of biometric data and systems. The close ties between law enforcement and private companies in this area makes it impossible to address one group’s practices without acknowledging the other. EPIC recommends that the UK put in place robust biometric regulation that would address all public and private use of biometric systems. In the meantime, EPIC’s proposed revisions to the guidelines will prompt more privacy-protective practices from companies.
EPIC consistently works to protect against the spread of biometric surveillance and protect civil liberties and privacy rights. To that end, EPIC has called for a ban on biometric recognition technology and encouraged multiple states to implement biometric privacy laws and defend existing regulations. Recently, EPIC opposed DHS’s rollout of biometric systems including facial recognition for Biometric Entry/Exit and called on Amazon to suspend hosting a vast biometric database for DHS. EPIC also urged the White House OSTP to implement better protections for biometric data and address biometrics.