Data Privacy Law and Intellectual Property Considerations for Biometric-Based AI Innovations
Artificial Intelligence (AI) innovations that use biometrics data are on the rise. While the Intellectual Property (IP) potential for such innovations is vast, issues can arise with the use of biometrics data in view of newly enacted and developing data privacy laws and regulations.
What is Biometrics Data?
According to the International Organization for Standardization (ISO), biometrics data relates to physical characteristics of the human body or the behavioral traits of human beings, where “biometrics” refers to the “automated recognition of individuals based on their biological and behavioral characteristics.” The term “biometric characteristic” refers to a “biological and behavioral characteristic of an individual from which distinguishing, repeatable biometric features can be extracted for the purpose of biometric recognition.”
If you have ever used your face to unlock your mobile phone, swiped your finger to unlock a computer, or used your voice as a password, then you are familiar with biometrics data. Biometric data can include measurements regarding fingerprints, DNA, face recognition, palm prints, iris recognition, hand geometry, retina, gait analysis, voice, body geometry and other such things that define human characteristics of an individual.
Importantly, biometrics data defines specific human characteristics for a given individual. For this reason, biometrics data is highly personalized data that provides a unique signature for each person. This allows biometrics data to be utilized in various security or personal identification applications. It also creates data privacy issues under new and developing data privacy laws and regulations.
An Overview of Intellectual Property Considerations
Biometrics data can be especially useful for AI innovations. This is because AI is fundamentally a data-driven technology that takes unique datasets as input to train task-specific AI computer models. Biometric datasets, from various individuals, may be collected and used to train a biometric-centric AI model. Once trained, the biometric-centric AI computer model can take new data as input to predict, classify, or otherwise output results for use in a variety of applications, such as to provide security-related decisions.
For example, a well-known AI application that uses biometrics data is Apple’s “Face ID” technology. Face ID collects biometrics by shining and measuring more than 30,000 invisible infrared dots onto a user’s face. Face ID then constructs a dot map of a user’s face, which is then fed into a trained neural network (i.e., a type of AI model) to create a unique “fingerprint” that may then be used to unlock the user’s phone, authorize a purchase, etc.
With respect to IP, patents can provide broad protection for AI innovations that leverage biometrics data. For example, Apple has dozens of patents directed to its Face ID technology. Generally, a set of patent claims for a biometric-centric AI innovation can correspond to its work flow, which may include pre-processing collected biometrics data, training an AI model with the pre-processed biometrics data and using the AI model to provide a security or identification result (e.g., like Face ID).
U.S. copyright law may also be used to protect biometrics data, for example, biometrics data —as collected and then pre-processed or arranged in a unique manner for training an AI model — could be subject to copyright upon being fixed in tangible form (e.g., stored in a computer memory).
Further, AI algorithms and pre-processed data are generally entitled to state and federal protection as trade secrets.
Additional information regarding AI and IP rights may be found at the online article titled: Artificial Intelligence & the Intellectual Property Landscape.
Biometrics Data and the Data Privacy Regulatory Landscape
Given the highly personalized nature of biometrics data, such data is being drawn into the data privacy legal and regulatory landscape. This article addresses two such regulatory landscapes – those established by the European Union (EU) and individual states in the U.S.
General Data Protection Regulation (GDPR)
The GDPR is an EU regulation for “the protection of natural persons with regard to the processing of their personal data.” Enforcement of the GDPR began on May 25, 2018; the regulation applies to companies — operating within any of the EU member states (e.g., France, Germany, Italy, Spain, etc.) — that process the personal data of EU citizens.
While the GDPR is an EU regulation, it has a global reach. This is because the GDPR imposes obligations on companies, even those outside the EU, so long as they target or collect data related to EU citizens. For this reason, and given that the territories of the combined EU member states represent a large portion of the global economy, the GDPR is widely considered as an important regulatory framework, especially for companies established in, or hoping to expand in, Europe.
The GDPR includes specific provisions for biometric data. In particular, the GDPR covers the “processing of … biometric data for the purpose of uniquely identifying a natural person,” with the GDPR defining “biometric data” as “data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data [e.g., fingerprint data].”
If a company desires to collect biometric data (or other prohibited data) of an EU citizen, the company must be able to demonstrate that it has met an “exception” to the GDPR’s general prohibition. A non-exhaustive list of these exceptions includes:
- showing that the EU citizen has given explicit consent for a specified purpose for the data;
- showing that processing the data is essential to protect the vital interests of the individual and he or she is incapable of giving consent; or
- showing that “processing the data is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law, or pursuant to contract with a health professional” and subject to the conditions and safeguards referred to in the GDPR.
In addition to meeting one of the exceptions, a company must also comply with data protection requirements and obligations. For example, a company must provide EU citizens with “the right to be forgotten” — meaning that an individual “shall have the right to withdraw his or her consent [regarding storage of his or her personal data] at any time.” Failing to act upon notice of withdrawn consent can lead to severe penalties for the company for failure to comply.
Companies managing biometric information face sizable penalties if they do not take efforts to secure personal data. Such penalties could reach 20 million euros or four percent of the company’s annual worldwide revenue, whichever is higher.
If a company discovers a data breach of protected information, then the company must inform authorities within 72 hours of the discovery.
Data Privacy in the United States
In the United States, there is currently no standardized, federal law that regulates the aggregation or protection of biometric data. However, certain states have independently addressed biometrics data through data privacy laws and regulations. In particular, California, Illinois, Texas and Washington have enacted laws that cover biometrics.
For example, Illinois was the first state to pass a biometric privacy law – the Biometric Information Privacy Act (BIPA). Like the GDPR, the Illinois BIPA includes regulations requiring individual consent for the collection of biometrics data. It also includes provisions allowing consumers to sue for money damages for alleged violations. For example, in Rosenbach v Six Flags Entertainment Corporation, 2019 IL 123186 (January 25, 2019), the Illinois Supreme Court ruled that Six Flags must pay money damages to a boy for collecting his thumbprint without proper consent.
As another example, the California Consumer Privacy Act (CCPA), which became effective on January 1, 2020, “creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.” Like the GDPR, the CCPA provides rights to California consumers for protecting personal information and biometric data. Such protections include: allowing the consumer to access his or her data (right of disclosure or access), the right to be forgotten, the right to be notified and opt out before a company can share the consumer’s data, and, similar to the Illinois BIPA, a right of action for consumers to sue for money damages.
Proactive Strategies to Mitigate Data Privacy Concerns
For the above reasons, companies involved in the creation of innovative products or services that use biometrics data, including AI-based inventions, will want to adhere to existing and developing data privacy laws and regulations for those states or jurisdictions where the company’s targeted customers are expected to reside. As exemplified here, such data privacy laws can include pitfalls for the unwary, resulting in money damages.
It is expected that the regulatory landscape governing biometrics data will continue to grow. Given this, companies, even those outside of states or jurisdictions with data privacy laws, should be cautious when developing new products or services that use biometrics data.
While data privacy laws may differ across territories, many of them share common regulatory themes. These include consumer-facing requirements, such as acquiring informed consent from a user before collecting biometric data, informing the user of the specific purpose or use of his or her biometrics data, and providing the user with a means to request destruction of his or her biometrics data (the right to be forgotten). Other requirements involve protecting personal data once received, which include securing the biometric data and setting up procedures for notifying authorities if a data breach occurs.
In view of these regulatory themes, a company utilizing biometric data could position itself to handle data privacy issues that may arise by:
- developing written policies addressing how the company will collect, use, distribute and destroy biometric data;
- setting up systems to record informed consent received from employees and customers regarding the use of their biometric data;
- securing and encrypting biometric data;
- storing only the biometric data that is needed (e.g., less than 100 percent of what is captured);
- limiting access to biometric data to only those systems or individuals that need it (need to know);
- reviewing and updating any consumer-facing contracts to address biometric data; and/or
- reviewing any general commercial liability insurance to confirm whether it provides adequate coverage for data privacy risks.
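As an added illustration (not code from the article or from any company it mentions) of how the consent, data-minimization, need-to-know and breach-notification themes above translate into engineering controls, the following small Python store binds consent to a stated purpose, refuses enrollment and verification without it, keeps only a derived template rather than the raw capture, honors withdrawal, and computes the 72-hour notification deadline. The class and method names are assumptions, and SHA-256 stands in for a real biometric feature extractor.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib

# GDPR breach-notification window named in the article (72 hours from discovery).
BREACH_NOTIFY_WINDOW = timedelta(hours=72)


@dataclass
class BiometricVault:
    """Consent-gated biometric store; names and hash-as-template are assumed."""
    authorized: set = field(default_factory=set)   # need-to-know callers
    consents: dict = field(default_factory=dict)   # subject -> {purposes}
    templates: dict = field(default_factory=dict)  # subject -> derived template
    audit: list = field(default_factory=list)      # record of consent events

    def record_consent(self, subject: str, purpose: str) -> None:
        # Consent is explicit and bound to a specified purpose, not blanket.
        self.consents.setdefault(subject, set()).add(purpose)
        self.audit.append(("consent", subject, purpose))

    def _check(self, caller: str, subject: str, purpose: str) -> None:
        if caller not in self.authorized:
            raise PermissionError(f"{caller} is not on the need-to-know list")
        if purpose not in self.consents.get(subject, set()):
            raise PermissionError(f"no consent from {subject} for {purpose}")

    def enroll(self, caller: str, subject: str, purpose: str, capture: bytes) -> None:
        self._check(caller, subject, purpose)
        # Keep only a derived template, never the raw capture (store what is
        # needed). SHA-256 stands in for a real feature-extraction step.
        self.templates[subject] = hashlib.sha256(capture).digest()

    def verify(self, caller: str, subject: str, purpose: str, capture: bytes) -> bool:
        self._check(caller, subject, purpose)  # purpose limitation applies at use, too
        return self.templates.get(subject) == hashlib.sha256(capture).digest()

    def withdraw(self, subject: str) -> None:
        # Right to be forgotten: erase consent and template; keep the audit trail.
        self.consents.pop(subject, None)
        self.templates.pop(subject, None)
        self.audit.append(("withdrawn", subject))


def breach_notification_deadline(discovered_at: datetime) -> datetime:
    """Latest time authorities must be informed after a breach is discovered."""
    return discovered_at + BREACH_NOTIFY_WINDOW
```

Encryption at rest for the `templates` mapping is left to the deployment's key-management layer and is not shown here.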
Companies developing innovative products and services that use biometrics data will also want to work with legal counsel knowledgeable about both IP and data privacy laws and regulations in order both to protect their innovations and to stay abreast of the growing data privacy landscape.