The irreversible footprint: Biometric data and the urgent need for right to be forgotten

The absence of the right to be forgotten within Indian laws remains conspicuous, resulting in a substantial gap in protecting individuals’ privacy rights.

In an era when personal data is everywhere on the internet, and our digital presence is deeply ingrained in our lives, protecting personal data has become crucial. Biometric data stands out as particularly sensitive.

‘Biometric data’ is defined as personal information, such as fingerprints and face images, that comes from certain technological processes linked to a person's physiological, behavioral or physical traits and that helps uniquely identify that person. Biometric authentication serves as a convenient method for verifying one’s identity, eliminating the reliance on traditional identification methods like passwords and PINs.

The widespread collection of biometric data in routine tasks, such as workplace attendance and airport security checks, has contributed to the creation of comprehensive individual profiles. As a result of this accumulation, people are vulnerable to serious hazards such as identity theft, unauthorised monitoring and discriminatory actions. Given the unalterable nature of biometric data, compromised information like fingerprints or retinal scans cannot be rectified. Furthermore, the potential for function creep, wherein biometric technology and data are exploited for unauthorised secondary purposes, accentuates the enduring and severe consequences of breaches compromising biometric data.

Countries employ biometric data for law enforcement purposes, while private sector entities utilise this information for targeted advertising. However, the absence of stringent regulations in this domain raises concerns regarding human rights violations and privacy breaches due to data misuse, non-consensual usage and misidentification. For instance, Greece’s biometric policing initiative, initiated in 2020, faced scrutiny for discriminating against racial minorities and migrants. Similarly, Facebook encountered a $550 million settlement in a class action lawsuit due to the unauthorised use of facial recognition technology. Here, users’ pictures were scanned without consent, and permission was never sought for storing and prolonged utilisation of their biometric data. The misuse of biometric data in employer databases raises grave concerns. Covertly obtained facial recognition data, notably used for civil surveillance in Japan, underscores the intrusive nature of such practices.

In today’s dynamic digital sphere, the significance of biometric data surpasses traditional personal information, necessitating an intensified focus on safeguarding privacy rights.

Right to be forgotten - Global legal precedents and its status in India

Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights underscore the fundamental aspects of individual privacy rights. Within this evolving sphere, the ‘right to be forgotten’ emerges as a crucial legal principle, empowering individuals to request the removal of specific personal information from internet platforms.

Since the 1995 EU Directive on Data Protection, individuals in Europe have gained the right to have all associated personal data deleted upon leaving a service or closing an account. However, the interpretation of this right expanded after a pivotal ruling by the Court of Justice of the European Union (CJEU) in 2014. The landmark Google Spain case led to the CJEU affirming individuals’ right to delisting as an extension of their right to erasure. This ruling enables individuals to request search engines to remove certain links from their search index if the results contain personal information deemed ‘inadequate, irrelevant, or no longer relevant, or excessive.’ This acknowledgment by the CJEU recognizes the intrinsic connection between an individual's autonomy and dignity, intricately tied to their ability to control the dissemination of personal information within the digital landscape.

Since the 2014 ruling by CJEU, the ‘right to be forgotten’ has been integrated into the newly established EU General Data Protection Regulation (GDPR) and has gained increasing global recognition. The European Court of Human Rights (ECHR), in the case of Hurbain v Belgium, notably prioritised an individual’s right to be forgotten over others’ freedom of expression. In its verdict, the ECHR affirmed that the ‘right to be forgotten’ could be encompassed within the fundamental Article 8 rights, firmly entrenching it as an inherent facet of the basic human right to privacy.

Contrarily, the absence of the right to be forgotten within Indian laws remains conspicuous, resulting in a substantial gap in protecting individuals’ privacy rights, especially concerning biometric data. Although Section 43A of the Information Technology Act, 2000 addresses liabilities for mishandling sensitive personal data, it falls short of explicitly acknowledging and safeguarding the right to be forgotten. Despite the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 facilitating complaints to remove personal data from websites without consent, the legislation lacks explicit recognition of this right as a crucial human entitlement. The procedures for data removal subject victims to protracted and intricate processes, further highlighting the inadequacy in addressing this pivotal human right.

The Aadhaar Act of 2016 recognises that biometric information is deemed to be sensitive personal information. However, it only addresses biometric data related to identity verification and does not, in general, focus on data protection.

The introduction of the Digital Personal Data Protection Act, 2023 marks an important step towards recognising the value of safeguarding personal data, including biometric information. However, the Act does not provide clear definitions or detailed provisions regarding the various types of biometric data, their vulnerabilities and the requisite protections necessary to safeguard them effectively. Consequently, a crucial grey area persists.

The GDPR, on the other hand, defines biometric data in Article 4(14) and lays out ground rules in Article 9 for processing special categories of personal data. Overall, it increases protections for particular kinds of data, including biometric data. Article 9 states in part, “processing of personal data revealing racial or ethnic origin…genetic data, biometric data for the purpose of uniquely identifying a natural person…shall be prohibited.”

A call for clarity

Anonymisation stands as a commonly used method for ensuring data privacy. It involves removing personally-identifying information like dates, locations and demographics from a sample. In the case of biometric data, however, this approach fails to preserve its confidentiality. With advancing computing capabilities, merely eradicating markers from biometric datasets is an inadequate measure to prevent tracing back to the data subject. This inadequacy has sparked skepticism within data protection and privacy law circles, questioning the feasibility of truly anonymising biometric data.

Japan’s Act on the Protection of Personal Information recognizes the limitations, categorising biometric data as part of information that cannot be ‘anonymised’ or ‘pseudonymised data.’ This acknowledgment underlines the challenges in anonymising biometric information, signaling a need for reevaluation in data protection strategies for such sensitive data.

The absence of clear definitions and categorisations of biometric data within current legislation highlights the need for comprehensive frameworks that specifically define rules governing its collection, storage, processing and deletion. Established legislation like the Information Technology Act, which was supplemented by subsequent ‘Rules’ for various digital governance aspects, can be used as a precedent. For instance, the 2021 Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules were introduced to establish a robust complaint mechanism for social media and OTT platforms, addressing inadequacies in the parent Act.

To close the current regulatory loopholes, a separate set of rules governing biometric data under the Digital Personal Data Protection Act, 2023 should be considered. These rules would define biometric data clearly and set forth unambiguous rules for its storage, deletion and protection. The ‘right to be forgotten’ must be a basic element of it, recognising people's sovereignty over their biometric data. Such focused regulations would not just bolster the safeguarding of biometric information, but also ensure compliance and accountability among entities handling sensitive data. Ultimately, this approach aims to cultivate a more resilient and privacy-conscious ecosystem within our dynamic digital landscape.

Shlok Sharma is a 4th year B.A. LL.B (Hons.) student of NALSAR University of Law, Hyderabad.

Bar and Bench - Indian Legal news
www.barandbench.com