
Education & Training

Data Privacy Law and Intellectual Property Considerations for Biometric-Based AI Innovations

By Ryan N. Phelan
June 12, 2020

Artificial Intelligence (AI) innovations that use biometrics data are on the rise. While the Intellectual Property (IP) potential for such innovations is vast, issues can arise with the use of biometrics data in view of newly enacted and developing data privacy laws and regulations.

 

What is Biometrics Data?

According to the International Organization for Standardization (ISO), biometrics data relates to physical characteristics of the human body or the behavioral traits of human beings, where “biometrics” refers to the “automated recognition of individuals based on their biological and behavioral characteristics.”  The term “biometric characteristic” refers to a “biological and behavioral characteristic of an individual from which distinguishing, repeatable biometric features can be extracted for the purpose of biometric recognition.”

If you have ever used your face to unlock your mobile phone, swiped your finger to unlock a computer, or used your voice as a password, then you are familiar with biometrics data. Biometric data can include measurements regarding fingerprints, DNA, face recognition, palm prints, iris recognition, hand geometry, retina, gait analysis, voice, body geometry and other such things that define human characteristics of an individual.

Importantly, biometrics data defines specific human characteristics for a given individual. For this reason, biometrics data is highly personalized data that provides a unique signature for each person. This allows biometrics data to be utilized in various security or personal identification applications. It also creates data privacy issues under new and developing data privacy laws and regulations.

 

An Overview of Intellectual Property Considerations

Biometrics data can be especially useful for AI innovations. This is because AI is fundamentally a data-driven technology that takes unique datasets as input to train task specific AI computer models. Biometric datasets, from various individuals, may be collected and used to train a biometric-centric AI model. Once trained, the biometric-centric AI computer model can take new data as input to predict, classify, or otherwise output results for use in a variety of applications, such as to provide security related decisions.

For example, a well-known AI application that uses biometrics data is Apple’s “Face ID” technology. Face ID collects biometrics by projecting more than 30,000 invisible infrared dots onto a user’s face and measuring them. Face ID then constructs a dot map of the user’s face, which is fed into a trained neural network (i.e., a type of AI model) to create a unique “fingerprint” that may then be used to unlock the user’s phone, authorize a purchase, etc.

With respect to IP, patents can provide broad protection for AI innovations that leverage biometrics data. For example, Apple has dozens of patents directed to its Face ID technology. Generally, a set of patent claims for a biometric-centric AI innovation can correspond to its workflow, which may include pre-processing collected biometrics data, training an AI model with the pre-processed biometrics data and using the AI model to provide a security or identification result (e.g., like Face ID).

U.S. copyright law may also be used to protect biometrics data. For example, biometrics data, as collected and then pre-processed or arranged in a unique manner for training an AI model, could be subject to copyright upon being fixed in tangible form (e.g., stored in a computer memory).

Further, AI algorithms and pre-processed data are generally entitled to state and federal protection as trade secrets.

Additional information regarding AI and IP rights may be found at the online article titled: Artificial Intelligence & the Intellectual Property Landscape.

 

Biometrics Data and the Data Privacy Regulatory Landscape

Given the highly personalized nature of biometrics data, such data is being drawn into the data privacy legal and regulatory landscape. This article addresses two such regulatory landscapes – those established by the European Union (EU) and individual states in the U.S.

 

General Data Protection Regulation (GDPR)

The GDPR is an EU regulation for “the protection of natural persons with regard to the processing of their personal data.” Enforcement of the GDPR began on May 25, 2018, and the regulation applies to companies operating within any of the EU member states (e.g., France, Germany, Italy, Spain, etc.) that process the personal data of EU citizens.

While the GDPR is an EU regulation, it has a global reach. This is because the GDPR imposes obligations on companies, even those outside the EU, so long as they target or collect data related to EU citizens. For this reason, and given that the territories of the combined EU member states represent a large portion of the global economy, the GDPR is widely considered as an important regulatory framework, especially for companies established in, or hoping to expand in, Europe.

The GDPR includes specific provisions for biometric data. In particular, the GDPR covers the “processing of … biometric data for the purpose of uniquely identifying a natural person,” with the GDPR defining “biometric data” as “data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data [e.g., fingerprint data].”

If a company desires to collect biometric data (or other prohibited data) of an EU citizen, the company must be able to demonstrate that it has met an “exception” to the GDPR’s general prohibition. A non-exhaustive list of these exceptions includes:

  • showing that the EU citizen has given explicit consent for a specified purpose for the data;
  • showing that processing the data is essential to protect the vital interests of the individual and he or she is incapable of giving consent; or
  • showing that “processing the data is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law, or pursuant to contract with a health professional” and subject to the conditions and safeguards referred to in the GDPR.

In addition to meeting one of the exceptions, a company must also comply with data protection requirements and obligations. For example, a company must provide EU citizens with “the right to be forgotten,” meaning that an individual “shall have the right to withdraw his or her consent [regarding storage of his or her personal data] at any time.” Failing to act upon notice of withdrawn consent can lead to severe penalties for the company.

Companies managing biometric information face sizable penalties if they do not take efforts to secure personal data. Such penalties could reach 20 million euros or four percent of the company’s annual worldwide revenue, whichever is higher.

If a company discovers a data breach of protected information, then the company must inform authorities within 72 hours of the discovery.

 

Data Privacy in the United States

In the United States, there is currently no standardized, federal law that regulates the aggregation or protection of biometric data. However, certain states have independently addressed biometrics data through data privacy laws and regulations. In particular, California, Illinois, Texas and Washington have enacted laws that cover biometrics.

For example, Illinois was the first state to pass a biometric privacy law, the Biometric Information Privacy Act (BIPA). Like the GDPR, the Illinois BIPA includes regulations requiring individual consent for the collection of biometrics data. It also includes provisions allowing consumers to sue for money damages for alleged violations. For example, in Rosenbach v. Six Flags Entertainment Corporation, 2019 IL 123186 (January 25, 2019), the Illinois Supreme Court ruled that Six Flags must pay money damages to a boy for collecting his thumbprint without proper consent.

As another example, the California Consumer Privacy Act (CCPA), which became effective on January 1, 2020, “creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.” Like the GDPR, the CCPA provides rights to California consumers for protecting personal information and biometric data. Such protections include: allowing the consumer to access his or her data (right of disclosure or access), the right to be forgotten, the right to be notified and opt out before a company can share the consumer’s data, and, similar to the Illinois BIPA, a right of action for consumers to sue for money damages.

 

Proactive Strategies to Mitigate Data Privacy Concerns

For the above reasons, companies involved in the creation of innovative products or services that use biometrics data, including AI-based inventions, will want to adhere to existing and developing data privacy laws and regulations for those states or jurisdictions where the company’s targeted customers are expected to reside. As exemplified here, such data privacy laws can include pitfalls for the unwary, resulting in money damages.

It is expected that the regulatory landscape governing biometrics data will continue to grow. Given this, companies, even those outside of states or jurisdictions with data privacy laws, should be cautious when developing new products or services that use biometrics data.

While data privacy laws may differ across territories, many of them share common regulatory themes. These include consumer-facing requirements, such as acquiring informed consent from a user before collecting biometric data, informing the user of the specific purpose or use of his or her biometrics data, and providing the user with a means to request destruction of his or her biometrics data (the right to be forgotten). Other requirements involve protecting personal data once received, which include securing the biometric data and setting up procedures for notifying authorities if a data breach occurs.

In view of these regulatory themes, a company utilizing biometric data could position itself for data privacy issues that may arise by:

  • developing written policies addressing how the company will collect, use, distribute and destroy biometric data;
  • setting up systems to record informed consent received from employees and customers regarding the use of their biometric data;
  • securing and encrypting biometric data;
  • storing only the biometric data that is needed (e.g., less than 100 percent captured);
  • limiting access to biometric data to only those systems or individuals that need it (need to know);
  • reviewing and updating any consumer-facing contracts to address biometric data; and/or
  • reviewing any general commercial liability insurance and whether it provides adequate coverage for data privacy risks.

Companies developing innovative products and services that use biometrics data will also want to work with legal counsel knowledgeable about both IP and data privacy laws and regulations in order both to protect their innovations and to stay abreast of the growing data privacy landscape.


Ryan N. Phelan is a registered patent attorney at Marshall, Gerstein & Borun, LLP, located in Chicago, who counsels and works with clients on intellectual property matters, with a focus on patents.
