Biometrics Institute Asia-Pacific Conference 2024
Published 22 May 2024
Read the keynote address prepared for delivery by Privacy Commissioner Carly Kind for the Biometrics Institute Asia-Pacific Conference on Wednesday 22 May 2024.
Introduction
- I have known the Biometrics Institute for some time, and appreciate the invitation to speak.
- I have seen first-hand how biometrics registration and identity systems can be used to great effect, for example, to assist in the registration of refugees who have had to flee their homes without paper identity documents.
The risks of biometrics
- However, I have also observed the range of risks and harms that can happen in the context of the use of biometrics systems, and heard first-hand from the public their concerns in this regard.
- Prior to taking on the role of Privacy Commissioner, I was the director of the Ada Lovelace Institute, and we undertook a large-scale public deliberation on biometrics technologies.
- Because, as we all know, there is something different about biometrics.
Intersection with the Privacy Act
- In Australia, we have an emerging picture of how biometric technologies can be used consistently with the Privacy Act.
- Facial recognition technologies and other automatic biometric identification technologies should only be used when it is reasonably necessary for, and the risks to privacy are proportional to, the functions or activity.
- The OAIC found that Clearview AI breached Australians’ privacy by scraping their biometric information from the web and disclosing it through a facial recognition tool.
- The Australian Information Commissioner determined that the Australian Federal Police (AFP) failed to comply with its privacy obligations in using the Clearview AI facial recognition tool.
- Commissioner Falk found the AFP failed to complete a privacy impact assessment before using the tool, in breach of the Australian Government Agencies Privacy Code, which requires a privacy impact assessment for all high privacy risk projects.
Looking ahead – Privacy Act reforms
- The federal Attorney-General shared earlier this month that at the request of the Prime Minister, he will bring forward legislation in August to overhaul the Privacy Act.
- Privacy law reform will up the standards for consent, bring into scope a larger subset of the Australian economy, and expand the powers of the OAIC to enforce privacy law.
- Also of note for the biometrics sector are reforms around consent management and data deletion and retention.
Privacy at the forefront of Digital ID scheme
- While we wait for Privacy Act reforms, we will begin applying a higher legislated standard to biometric information immediately, with the passage of the Digital ID Bill last week.
- The OAIC will be the privacy regulator for the Digital ID scheme and will use a range of regulatory powers to ensure that individuals’ privacy is protected when using the system.
- The ‘additional privacy safeguards’ in the Digital ID legislation will operate in addition to the general protections under the Privacy Act (or equivalent state or territory privacy legislation).
- The OAIC’s regulatory role under the Digital ID legislation will include oversight of breaches of the additional privacy safeguards by all accredited entities, including state and territory agencies.