Why biometric regulation needs to be risk-based and proportionate to use-cases

Matt Peake, global director of public policy at Onfido, responds to the Ryder Review which calls for new laws to govern biometric data and to suspend the use of live facial recognition in public spaces until regulation is put in place.

Posted 10 August 2022 by Christine Horton

Biometric technology was first introduced in the 1960s as a way to analyse acoustic speech and phonic sounds, and later for fingerprint scanning and identification by the FBI. Today, it has evolved to encompass many more use cases spanning both B2B and B2C, from unlocking a smartphone in seconds to supporting registrations to a digital bank, and processing passengers quickly and accurately at border control.

But there is concern in some quarters that the rate of innovation, particularly the deployment of facial biometrics, has in some cases outpaced development of legal frameworks to govern it. In particular there are questions about the use of facial recognition on a mass scale in public spaces by law enforcement, and a perceived lack of regulatory accountability.

Introducing the Ryder Review

These concerns were set out in an independent legal review led by Matthew Ryder QC, which highlights what many in the market have been attempting to address: a fragmented regulatory landscape under existing laws such as the EU’s General Data Protection Regulation (GDPR), which needs to be defined and brought up to date.

The review calls for new laws to govern the use of biometric data, and for the use of live facial recognition in public spaces to be suspended until appropriate legislation has been passed. While it’s imperative that the findings in the report are given due consideration, there is an important caveat. Not all use cases involving biometric technologies present the same level of risk. For example, the risk associated with using biometrics to verify new customers opening a bank account is very different from that of law enforcement using it for public surveillance.

We must be careful not to conflate all use-cases with the same regulatory need. If the industry is to continue to evolve and progress as quickly as it has in the last 60 years, we need to establish a risk-based and proportionate approach to regulation that continues to promote innovation.

Understanding the case for further regulation

Done correctly, regulation can help to boost security, privacy and innovation. However, it is important that frameworks are robust and proportionate, delivering outcomes that meet the needs of all parts of the ecosystem, whether that’s the service provider, the biometric specialist or the end-user.

The review focused primarily on the use of biometrics within the public sector. In this space, biometrics is regularly tied to security as part of law enforcement or national defence, and it is also used in our airports at border control. It is particularly important that use cases involving law enforcement, which might be considered higher risk, are subject to appropriate guidance and, where necessary, regulation governing their use.

Regulation is not one-size-fits-all

That said, it’s important to take a holistic view and consider the variety of biometric use cases. Public sector deployment, particularly by the police, is the review’s focus, but it is only one of many areas where biometrics has been implemented. For instance, biometrics helps us unlock our smartphones and enables us to verify our identity to access businesses, services and products online. As we’ve also seen, the technology plays a critical role in KYC and the fight against online fraud – with many citizens actively seeking it out to keep their online accounts safe.

We must not conflate very different use cases when thinking about the level and type of regulation that should apply to new technologies. The approach needs to be risk-based and proportionate, and it should not duplicate existing legislation that, when applied appropriately, already covers many of the legitimate concerns raised. A failure to distinguish between how biometrics can be deployed in low-risk versus high-risk scenarios can create distrust – even where it is used for the public good, as in age verification or anti-money laundering checks.

Indeed, biometrics is already making access to online businesses and services more convenient and secure. For instance, low-risk deployment, such as digital identity verification, is now more accurate than in-person identity checks, which often succumb to human error and bias. Biometrics is also supporting faster, more accurate KYC and AML checks, PEP and sanctions checks and right-to-work verification – blending the physical and virtual worlds to keep citizens safe and participating in the digital economy.

Building on the review

Matthew Ryder and the Ada Lovelace Institute have laid the groundwork for further discussion on how biometrics is governed in the UK. This of course needs to take into account existing laws and regulatory guidance that govern biometrics, to ensure we do not duplicate existing practice, nor add in unnecessary complexity and cost for providers. The review has demonstrated the need for clear legal frameworks that provide certainty and consistency for both businesses and citizens alike, given how essential security, privacy and trust are for applications of biometrics to be successful.

While the review focused almost exclusively on the public sector, its findings are pertinent to the private sector too. It’s crucial that private industry engages regularly with the actions coming out of the review. I know that we, along with other forward-thinking private sector biometrics businesses, look forward to working closely with the Institute, and to contributing our deep expertise to progress the next planned phase of work in this space.

Matt Peake is global director of public policy at Onfido.