Facial recognition technology is becoming increasingly widespread in our society. You may have a phone which you unlock by looking at the screen. Or maybe you’ve gone through airport terminals that use cameras to match your face with your passport picture. In the near future, facial recognition technology is likely to become a completely ordinary part of many aspects of our lives. As convenient as it is, facial recognition technology also raises serious privacy concerns. Here, we’ll discuss these concerns and whether the current law adequately deals with these issues.
What is facial recognition technology?
Facial recognition technology is technology capable of identifying a person by analysing their facial features. It does this by ‘mapping’ a person’s facial features, such as the distance between their eyes and their eyes to their nose. It then matches this to images or footage of that person stored in its database.
Concerns with facial recognition technology
Facial recognition technology has been criticised as being highly intrusive on individuals’ privacy. Many fear that governments and corporations could use it to track people’s movements and behaviours, and potentially abuse it.
For example, it was recently revealed that US law enforcement uses facial recognition technology called Clearview AI. Through this software, one could could upload an image of a person. It would then search its database for pictures or videos with the person’s face, and links to where they appeared on the internet. Its enormous database includes images and videos uploaded onto social media sites such as Facebook and Youtube. The US police were able to catch a suspect by uploading a video recorded by a bystander of a gunfight. Such technology is of course extremely useful for police to catch suspects. However, the fact that the police could know exactly who you are and where you’ve been by merely running a picture through such software is indeed unsettling.
Get a free legal document when you sign up to Lawpath
Sign up for one of our legal plans or get started for free today.
Australian government keen on facial recognition technology
The Australian government has also sought to capitalise on facial recognition technologies. In 2019, Liberal MPs attempted to pass the ‘Identity-matching Services Bill 2019′ and the ‘Australian Passports Amendment (Identity-matching Services) Bill 2019’. These bills would allow federal and state governments to share biometric information. Most of the powers would accrue to the Department of Home Affairs, which would allow it to maintain a database of facial images from government documents. These include passports, driver licences and photos from visa applications. Government agencies would use this information for the purpose of immigration control and criminal investigations. The Parliamentary Joint Committee on Intelligence and Security rejected these bills, stating that they needed to redraft the bills to address privacy and transparency concerns. While they were rejected, it’s expected that the government will try again.
Facial recognition technology can therefore be highly intrusive, which governments and corporations have interests in using. What are the Australian laws governing facial recognition technology?
Laws on facial recognition technology
Despite the serious privacy concerns that facial recognition technologies raise, companies are of course currently legally developing them. However, Australian privacy laws have placed certain safeguards on the use of facial recognition technologies. These are found in the Privacy Act 1988 and the Australian Privacy Principles (APPs), which are included in the Act.
How do the Privacy Act and the APPs apply to facial recognition technology?
Facial recognition technology collects biometric information. Biometric information is information regarding a person’s physical characteristics, which include one’s facial features, as well as their voice, fingerprints and irises. So, the privacy laws that apply for facial recognition technology are those in relation to the collection and use of biometric information.
The Privacy Act defines biometric information ‘that is used for the purpose of automated biometric verification or biometric identification; or biometric templates’ as ‘sensitive information’. Basically, it’s when an entity uses information about a person’s physical characteristics in order to identify them. Organisations are likely to predominantly use facial recognition technology for this purpose.
The Privacy Act and the APPs require entities that use ‘sensitive information’, such as biometric information, to adhere to certain policies. These are stricter than policies for other types of information. These include:
Reasonably necessity
The APPs don’t allow organisations and agencies to collect sensitive information unless it’s reasonably necessary for or directly related to their functions or activities. For example, if there’s a secure way for employees to check into work, companies shouldn’t need to use facial recognition as a method of checking in.
Informed consent
Organisations or agencies that seek to use sensitive information must seek consent from individuals from whom they collect this information. Consent can be express (such as through written or verbal confirmation) or implied (inferred from circumstances). However, the Office of the Australian Information Commission has stated that organisations should seek express consent from individuals if they intend to use sensitive information.
Individuals should also give ‘informed’ consent. This means that an individual must be aware of all the consequences of providing or withholding their consent. The organisation or agency should clearly and transparently inform the individual about how their information will be used.
Lawful and fair means of collection
Organisations and agencies must collect sensitive information through ‘lawful and fair means’. For example, they should not collect information in a secretive manner or by misrepresenting the purpose for which they are collecting the information.
Taking reasonable steps to destroy and secure information
APP 11 requires organisations and agencies to protect sensitive information from misuse, interference, loss and unauthorised access (hacking). Furthermore, they must destroy or de-identify sensitive information that they no longer need to fulfil their purpose. The more sensitive the information is, the more careful and thorough the organisation must be in protecting the information and destroying it when no longer needed.
Exceptions
Notably, the APP 3.4 provides an exception to the requirement of obtaining consent from individuals for ‘enforcement bodies’. These can include the police and the immigration department. The exception can also apply to hospitals and courts.
Furthermore, under APP 11.2, agencies need not destroy sensitive information on a ‘Commonwealth record’, which is a record that is the property of Australian government institutions. This is even if they don’t need it for any purpose.
Issues with current privacy laws on facial recognition technologies
The Privacy Act and the APPs have erected some safeguards around the collection of sensitive information, which applies to facial recognition technologies. However, it’s questionable whether they are enough to protect people’s privacy.
Consent can be illusory
For example, the requirement of informed consent is often illusory. People may feel compelled to provide consent due to the inconvenience of not doing so, and their lack of bargaining power. For example, recently, 7-Eleven rolled out facial recognition technology in their stores. Many stores put up a sign stating that facial recognition technology is going to be used inside the store, and by entering the store, you agree to the store’s use of facial recognition technology. This is arguably consent. However, there may not be convenient alternatives to customers other than going into that 7-Eleven.
Exceptions too wide
Additionally, the Privacy Act and the APPs provide a wide exception for law enforcement for the use of sensitive information. When one of the fears regarding facial recognition technology is its use by government agencies to track civilian’s behaviour, this can be troubling. While privacy concerns resulted in the rejection of the Identity-matching Services Bill and the Passports Amendment Bill, a few tweaks to the bills may allow it to pass.
Threat of hackers
Finally, while there are policies guiding the protection and destruction of information, there’s always a chance that this information can be stolen by hackers. Biometric data is perhaps the most private information we have about ourselves. In the wrong hands, one could impersonate another person or uncover individuals’ private lives. It’s questionable whether such information should be collected at all.
Conclusion
Facial recognition technology can offer benefits to society. It can make life more convenient and reduce criminal activity. However, facial recognition technology, as well as other technologies that uses biometric information, raise serious privacy concerns. Here, we’ve explored the current privacy laws on facial recognition technology and some of the issues they raise. The hope is that more robust laws arise to ensure that governments and corporations don’t abuse facial recognition technology.
Get a fixed-fee quote from Australia's largest lawyer marketplace.
