Data is the new oil, but drilling for it may have unintended consequences.

I read with interest Newmark Security’s CEO Marie-Claire Dwek’s post last week on data being the new oil and it led me to consider that if data is the new oil, biometric data must be the finest refined petrol [my American friends should read gas] money can buy.

“Biometric technology is playing an increasingly significant role in the lives of consumers.”

Lauren Stewart
Boston College Law

So says Lauren Stewart in a recent issue of the Boston College Law Review. Stewart goes on to say that whilst there are obvious benefits of increased data security and ease of access to business’s services for consumers, there is a concerning lack of consistency of approach at a business and at a U.S. State level. She calls for U.S. Congress to enact a comprehensive statute and for those working in biometric data protection. This would be a welcome approach.

As an example of the challenge biometric data practitioners face in the U.S., the State of Illinois has recently introduced a comprehensive statute, called the Illinois Biometric Information Privacy Act (BIPA). This has caused huge problems for Human Capital Management (HCM) providers and end-users alike, as it is entirely inconsistent with the biometric statutes introduced by two other states (Texas and Washington). A useful employer’s guide to BIPA can be found here.

Fashion retailer H&M is currently facing a class action in Cook County for misuse of data collected on a time clock. Their process is currently acceptable in 47 other US States, but not Illinois. Two weeks ago Fillmore Hospitality, which owns a hotel chain, became the latest target of a proposed class action for similar BIPA violations. They are certainly not going to be the last.

Similar challenges present themselves in the UK too. Only last week the Information Commissioner’s Office (ICO) issued an enforcement notice to Her Majesty’s Revenue and Customs (HMRC) for failing to adhere to the biometric requirements of the Europe-wide General Data Protection Regulation (GDPR).

The most frustrating part of all of this is that technology-led solutions exist now to properly protect and encrypt data at the edge device at the point of collection, before it is moved to a cloud-computing environment and securely disseminated. This, coupled with proper consent-seeking and compliance with specific users’ preferences, would keep biometric data users on the right side of the most onerous local legislative and regulatory requirements.