Issues Concerning Biometric-Based AI Innovations in Terms of Data Privacy Law and Intellectual Property

In today's era of mobile devices and round the clock internet access, consumers are increasingly witnessing the phenomenon of biometric data replacing passwords and other forms of identification.

As technology advances, mobile devices are increasingly using fingerprints, iris scans, or even full-face recognition to unlock" locked devices. Unquestionably, biometrics based artificial intelligence (AI) technologies are on the increase. While the intellectual property (IP) potential for such developments is enormous, concerns about the usage of biometric data may naturally arise in light of recently adopted and growing data privacy laws and regulations.

For starters, let’s try and understand the meaning of biometrics data. According to the International Organisation for Standardisation, the word "biometrics" refers to the "automated recognition of individuals based on their biological and behavioural characteristics." Therefore, anything relating to measuring of a person’s bodily traits and attributes can be referred to as biometric data. This data is used to prove a person's uniqueness and verify that they are who they claim to be in terms of digital identification. Previously, biometric data was only used to get access to restricted areas or facilities, such as high-tech laboratories or classified government buildings. However today, a wide range of devices, including but not limited to cellular phones, mobile tablets, and laptop computers, make use of such technology.

As can be guessed, biometrics data is very valuable for AI advancements. This is because AI is primarily a data-driven technology that uses unique information to train AI computer models for specific tasks. Biometric datasets from a variety of people might be gathered and utilized to train a biometric centric AI model. Once trained, the biometric centric AI computer model may use new data as input to forecast, categories, or generate output findings for use in a range of applications, including security choices. Patents can therefore give wide protection to IP rights of AI technologies that use biometrics data. Apple, for example, has hundreds of patents covering its Face ID technology.

A set of patent claims for a biometric centric AI invention may generally correlate to its work flow, which may comprise pre-processing of biometrics data, training an AI model in using the pre-processed biometrics data, and employing the AI model to produce a security or identification result (e.g., like Face ID). Thus it is not difficult to see that biometrics data is being dragged into the data privacy legal and regulatory environment due to its highly individualized character.

While the General Data Protection Regulation (GDPR) is a European Union (EU) rule, it has worldwide implications. This is because the GDPR requires organizations who target or collect data about EU people to comply with certain obligations, even if such organizations are not based in the EU. As a result, and considering that the combined EU member states' territories account for a significant portion of the global economy, the GDPR is widely seen as a critical legal framework, particularly for businesses based in or looking to grow into the EU. The GDPR has influenced other countries’ privacy laws. While the number of nations affected by or taking notes from the GDPR is long, it's vital to remember that protecting consumer privacy when dealing with biometrics, and AI is a worldwide concern.

Needless to emphasize, AI and the use of biometric data in everyday life has had a wide impact on our society. AI may access a consumer's personal information, which is typically very sensitive and business firms can be held liable for misappropriation of such information. Governments all across the world are attempting to establish which, if any, restrictions to enact in order to safeguard AI, as well as the extent of any regulations.

There is no prizes for guessing that the regulatory framework controlling biometrics data is projected to continue to expand. As a result, businesses would do well to exercise caution, while creating new biometrics based goods or services, even if they are located outside of states or countries that have data privacy legislation. While data privacy laws vary by country, many of them have similar regulatory elements. Developing written rules covering how the organization will collect, use, distribute, and delete biometric data might help a corporation using biometric data prepare for data privacy concerns that may occur. Companies creating novel biometrics based goods and services would do well to collaborate with legal counsels who are familiar with both IP and data privacy laws and regulations to protect their inventions and keep up with the evolving data privacy landscape on use and development of biometrics data.

Lastly while data privacy is a part of consumer law and basic rights in the United States and England, respectively, in India data privacy is not strictly enforced as a legislation. However it can be safely argued that Article 21 of the Indian Constitution includes the right to "privacy" as well and gives the founding basis to promote data protection laws involving the use of biometric data.

Though true that India is currently grappling with a lack of legal framework to protect personal data and privacy, it is heartening to note that India has already begun the process of drafting a comprehensive set of codified data protection and privacy laws. This is a welcome step given that India undoubtedly requires a conducive climate in which to promote technological knowledge and foster collaboration between public and private organizations engaged in developing future technologies that embrace the usage of biometrics data.

Reference

· Bonington, C. (2012, October 12). Apple patent expands on biometric identification implementations. Wired. Retrieved November 6, 2021, from https://www.wired.com/2012/10/apple-patent-biometric/.

· Burgess, M. (2020, March 24). What is GDPR? the summary guide to GDPR compliance in the UK. WIRED UK. Retrieved November 8, 2021, from https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018.

· ISO. (n.d.). Retrieved November 2, 2021, from https://www.iso.org/obp/ui/#iso:std:iso-iec:tr:24741:ed-2:v1:en.

The Author, Arthita Halder, is a BBA LLB (HONS) student from Alliance University, Bangalore.