In mid-March, NBC reported that IBM collected nearly one million photos from photo hosting site Flickr to use as data sets to help develop facial recognition algorithms. Although IBM claims the data set is designed to help academic researchers make facial recognition technology fairer, another entirely separate issue remains – did IBM have permission to collect and process this data in the first place?
As the range of data collection technologies continues to grow, so too does the ability to collect and store an increasing amount and variety of personal data sets. Biometric data, often understood as the physical, physiological, or behavioral characteristics of a natural person, has come under increased scrutiny both for its value as a natural, convenient, and unique identifier and for its immutable and inherently private nature. It should come as no surprise, then, that individual U.S. states continue to draft legislation governing biometric data. Passed in 2008, Illinois’s BIPA (Biometric Information Privacy Act) regulates the collection and storage of biometric information, and recent interpretation in court rulings has expanded both its territorial reach and financial impact.
Specifically, BIPA requires that organizations seeking to collect or obtain a person’s biometric information must first inform the subject, in writing, that their information is being collected, including the purposes for collection and respective storage periods for that information. The organization must also receive a written release from the subject, known as ‘informed consent’.
Thus, in order for a private entity to process biometric information lawfully under BIPA, the organization must have a robust consent mechanism in place to essentially demonstrate permission to process the data. However, given the ever-increasing scale of data collection technologies, lawful consent mechanisms are increasingly difficult to manage. Many existing technologies that rely on biometric information are now subject to increased scrutiny under BIPA – three federal court cases have been filed since 2016 alleging that various tech companies (Facebook and Google, among others) violated the law when scanning uploaded digital photos for facial recognition patterns without consent.
Is IBM’s case any different? It may actually be worse. More facts are needed, but on the face of it, it appears IBM violated BIPA. In its original report, NBC quoted users whose photos had been collected. “None of the people I photographed had any idea their images were being used in this way,” said Greg Peverill-Conti, a Boston-based public relations executive who has more than 700 photos in IBM’s collection. If users do not recall being contacted by IBM prior to the collection of their biometric information, it seems unlikely they were, or that they gave their consent to the collection.
The potential liability now faced by IBM is unclear. For example, there may have been agreements in place between IBM and Flickr that outlined who was responsible for consent collection. Under other data privacy laws, such as the EU’s GDPR (General Data Protection Regulation), there is often an understanding of responsibility based on who collects/controls the data and who acts as a processor. Under that framework, Flickr may have been obliged to contact affected individuals, advising them that their photos would be shared with IBM for a new purpose.
However, the Illinois law only states: “No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first … informs the subject … [and] receives a written release.” In the absence of evidence to the contrary, both Flickr and IBM could face potential BIPA liability based on their actions. Considering private action damages under the law range from $1,000 for negligent violations to $5,000 for intentional violations (with no cap for class action), these organizations must prepare for a reckoning, and should start setting money aside.
Prepare your organization for data protection laws
BIPA is just one of many data protection laws in the U.S., and organizations often have a hard time keeping up with the different privacy regulations coming into play. A DPO (data protection officer) is a key player in facilitating regulatory compliance, with their appointment mandatory for all public authorities and many private organizations. Under the GDPR, some organizations are required to appoint a DPO, and those that aren’t are strongly encouraged to do so. Many organizations, particularly smaller ones, may find the DPO responsibilities a challenge, given the breadth of knowledge required on data processing and data security operations, and the requisite familiarity with the legal aspects of data protection regulations.
Outsourcing your DPO is a practical and cost-effective solution for organizations that don’t have the requisite data protection expertise.