Consumer NZ responds to how new rules will impact biometric use

Consumer NZ supports tougher rules on the use of biometrics in Aotearoa and has recently responded to a draft biometrics code of practice released by the Office of the Privacy Commissioner.

What are biometrics?
Biometrics refers to a broad range of technologies, many of which we use every day. When our phone scans our face or fingerprint to unlock it, or when supermarkets use facial recognition to identify people who have previously been trespassed, it is biometric information that is being gathered and analysed.
New rules proposed for the use of biometrics
Biometrics pose a significant risk to privacy. If your email log-in details are compromised, it might be inconvenient, but at least you can change your password. If criminals get hold of biometric information about your face or fingerprints, your privacy could be compromised for life.
New Zealand has no specific laws about biometrics, but following a public consultation, the Office of the Privacy Commissioner has decided to create some. These new rules will sit in a code of practice under the Privacy Act.
The new rules address three key issues around the use of biometrics.
- Proportionality: Businesses would be required to carefully consider the risks and rewards of using biometric information, whether less invasive alternatives can perform the same job, and whether there are impacts on Māori or other ethnic groups. If it’s too risky, they shouldn’t use it.
- Transparency: Businesses would be required to be transparent and open when they are collecting and using biometric information.
- Limits on use: Businesses would be limited in the type of information they are allowed to collect. This rule might prevent businesses from using biometrics to infer details about our emotional state or our health.
Consumer supports stronger regulation
Consumer strongly agrees that there needs to be further regulation of biometrics in New Zealand and supports the introduction of a code of practice for biometrics. Below, we expand on the three key issues outlined in the draft code and summarise our response.
Can businesses balance the risks and benefits of using biometrics?
The proposed rules would require businesses to carefully consider whether they should collect and use biometric information. If they conclude that it is too risky, or too intrusive, then they should not use it.
There is a risk that businesses will see the benefits of the technology but be less concerned about the potential negative impact on their customers.
To mitigate this risk, Consumer believes an assessment must take place before a business uses biometric technologies, and that these assessments should be documented. This process should be monitored, with penalties for failing to carry out assessments acting as an incentive.
Businesses must be transparent about biometrics
The proposed rules would mean that businesses using biometric data would need to make it clear to their customers that they are using this technology.
Consumer believes that transparency is a vital requirement in any proposed code on biometrics but is concerned that signs alone may not be enough to enable informed decision-making by consumers.
Limiting the use of biometrics
This part of the proposed code of practice would ban the use of biometrics to collect information regarding an individual’s health, or about their “inner state”, such as their emotions.
Consumer agrees with the Office of the Privacy Commissioner that collection of biometric data should be restricted, and that the collection of biometric information that can be used to infer someone’s inner state raises human rights and Bill of Rights issues.
In June 2023, Consumer revealed that smart advertising boards, which can infer an individual’s emotional state, were being used by Westfield shopping centres in New Zealand. Consumer believes that preventing the use of biometric information to infer individuals’ inner states would restrict the use of technology in this way.
The sophistication and availability of biometric technologies have developed rapidly in the past decade, and true transparency is likely to require a level of education for consumers on the finer details of biometrics. If a customer is unaware of how facial recognition technology differs from simple CCTV, for example, disclosing that facial recognition is being used might also require education on what it is, how it differs, and the different concerns its use might raise.
General comments
In addition to our responses on the three key issues, Consumer believes that because public understanding of the risks inherent in biometric data is limited, simple transparency requirements do not go far enough in informing consumers about these risks.
Consumer questions whether existing uses of biometrics are complying with the Privacy Act, as it currently stands.
Consumer also believes that monitoring compliance around the use of biometrics is vital, as is enforcement. We think the Office of the Privacy Commissioner should seek greater powers within the Privacy Act to deter and punish non-compliance with the Act, and with any code of practice on biometrics.
More information about the Office of the Privacy Commissioner’s biometrics consultation, including the draft code of practice, can be found on its website.
You can also read Consumer’s full response.