Court ruling may revive biometric data security measures

By: - August 27, 2019 3:32 pm

Illustration by Mike MacKenzie | Flickr/CC BY 2.0

A recent 9th Circuit Court of Appeals ruling on a case brought by residents of Illinois against social media giant Facebook over its use of facial recognition software could reignite conversations at the Arizona Capitol on biometric data security in the Grand Canyon State. 

The ruling allows a lawsuit to proceed against Facebook for allegedly violating Illinois’ biometric data privacy law. The court affirmed that the case could become a class action suit. 

The residents of Illinois bringing the suit are using a law the state passed – one of only three of its kind in the nation – that provides additional protections for biometric data. 

The Biometric Information Privacy Act, or BIPA for short, became Illinois law in 2008 and has inspired similar laws in Texas and Washington. However, Illlinois is the only state whose law allows for private individuals to file a lawsuit for damages stemming from a violation of the law. 

A bill proposed earlier this year by the top Republican in the Arizona House of Representatives, House Speaker Rusty Bowers, sought to go further than the Illinois law. The measure, House Bill 2478, earned approval by a House committee but never received consideration by the full House. 

Bowers’s bill would have imposed fines up to $10,000 per violation, compared to fines ranging from $1,000 to $5,000 in Illinois. The Arizona proposal also would have allowed individuals to sue companies that fail to comply with the security standards, and would have given the Arizona attorney general the authority to investigate. 

In Arizona, there are already some protections on the books for residents, and the Attorney General Mark Brnovich has said he believes the state’s constitution has adequate protections. 

So what is the state of biometric data security in the state of Arizona? 

Constitutional protections 

Arizona’s own constitution may offer some protections to Arizona residents, due to provisions guaranteeing a “right to privacy” to residents.. 

“No person shall be disturbed in his private affairs,” the constitution says under the Right to Privacy section. 

The provision is written in a much broader way than in the U.S. Constitution, which alludes to a right to privacy in the First, Third, Fourth and Fifth amendments. That broadness in the Arizona Constitution is helpful to residents of the state, said local attorney Marc Lamber

Brnovich this month told Capitol Media Services that Arizona residents “have that right to privacy that provides us more protection than the Fourth Amendment does.”

However, he noted that it hasn’t been settled by the courts just how broadly that part of the Arizona Constitution can be interpreted, and said lawmakers can set limits on it. 

Brnovich’s office has been integral in trying to get lawmakers to do just that and have been mildly successful. 

Laws already on the books 

In 2018, House Bill 2154 won unanimous legislative approval. The bill, which Brnovich’s office helped champion, was sponsored by Rep. TJ Shope, R-Coolidge, and only faced opposition from insurance companies. 

The bill focused mainly on data breaches, but added information to existing state statutes to include biometric data. It created additional protections for consumers, requiring agencies or companies that store private information, such as biometric data, to notify consumers of data breaches. 

In some situations, companies are required to notify the attorney general of a breach. 

The bill also increased the maximum civil penalty for knowing or willfully violating the statute to $500,000 per breach from $10,000. 

Bowers’s Bill 

The bill proposed by Bowers last session was brought to him by Kristy Gale, who touts herself as a sports technology law pioneer. Gale has authored white papers on biometric data and its impact on the field of sports.

The bill left some with questions on to how it would be enforced and why some things were left out. A representative for Bowers told Capitol Media Services that he effectively killed his own bill so he could have further conversations about its provisions with stakeholders. 

“It doesn’t have a strong enforcement mechanism,” Bowers told the Mirror earlier this year, “which is probably why Apple and Google are not coming at me with a lead pipe in the parking lot right now.”

Bowers’s bill wouldn’t have applied to biometric data needed for financial transactions or biometric data used by third parties to complete transactions. However, it would have barred companies or individuals from using biometric data used for those purposes for any other reason. 

The bill also didn’t specify how interstate issues of biometric security would have worked. 

For example, it was unclear how it would have enforced its measures against data stored in another state even if the user harmed was in Arizona. 

Bowers did not respond to a request for comment for this story. 

What’s next? 

“The technology has moved so much more quickly than the law,” Lamber said of biometric data and specifically, facial recognition technology. 

Facial recognition was initially a technology used mostly by law enforcement, but is now creeping into other industries. Recently, singer Taylor Swift faced scrutiny after it was discovered she used the technology at her concerts to look for known stalkers.

Lamber’s advice to lawmakers like Bowers who may be looking to tackle this issue again next session is simple: “Don’t reinvent the wheel.” Lawmakers should build upon what Illinois, Texas and Washington have already done to find a solution that works for Arizona.

However, there is one problem. 

“Law and tech move at two different speeds,” Lamber said. 

The lawsuit from Illinois residents that the 9th Circuit court just ruled on was started in 2015 and has yet to even go to trial. 

Biometrics is not just about surveillance or consumer data – they have become the rage in the tech world. Some see it as a more secure solution to protecting one’s personal information, under the theory that a retina image, face or fingerprint is more unique and harder to recreate than a person’s password.

But biometrics don’t provide perfect security.

In 2017, security researchers in Japan showed that fingerprints could be lifted from photos of people giving the peace sign. Researchers recently were also able to bypass facial recognition by creating 3D printed copies of a subject’s head.

None of this is slowing down the use of the tech which is estimated to be used in up to $2 trillion in financial transactions by 2023, according to researchers.

Our stories may be republished online or in print under Creative Commons license CC BY-NC-ND 4.0. We ask that you edit only for style or to shorten, provide proper attribution and link to our web site.

Jerod MacDonald-Evoy
Jerod MacDonald-Evoy

Reporter Jerod MacDonald-Evoy joins the Arizona Mirror from the Arizona Republic, where he spent 4 years covering everything from dark money in politics to Catholic priest sexual abuse scandals. Jerod has also won awards for his documentary films which have covered issues such as religious tolerance and surveillance technology used by police. He brings strong watchdog sensibilities and creative storytelling skills to the Arizona Mirror.