There’s a new wave of class action lawsuits, and biometric data privacy is the target.
Biometric technology is the engine that powers things like the touch ID or facial recognition software on your cellphone, your fingerprint scans at the doctor’s office, and the voice recognition software in your Amazon Alexa or Google Assistant.
But convenience can come at the cost of privacy — consumers want to know how that data is being handled and stored. They want to know that it’s not being sold to third parties. Mostly, they want the opportunity to choose whether their biometric data is captured, and have the freedom to opt out. You’ll notice, for example, that virtual assistants like Alexa allow consumers to decide whether the device can listen to them at all times — and potentially stream information back to listening ears at Amazon. The newest generations of iPhones all employ face ID to unlock the phone. But users uncomfortable with having a face scan on record can opt to use a passcode instead.
What about cases in which an opt-out isn’t clear or easy? This is increasingly cropping up in the workplace, where questions about consent are arising as more employers use biometric time clocks and fingerprint scans. Some employees are alleging that their biometric information is being captured without consent, and they are taking this up with the courts.
Several cases are happening in Illinois, which requires employers to obtain informed consent from employees before collecting biometric data under the state’s Biometric Information Privacy Act. An American Airlines subsidiary, Envoy Air, is facing this issue in a proposed Illinois class action lawsuit, Abudayyeh v. Envoy Air, Circuit Court of Cook County No. 2020CH07436, alleging that the company deployed biometric time clocks without providing written notice to its workers and without obtaining their written consent. Enterprise Rent-A-Car is embroiled in similar litigation in the state in Wordlaw v. Enterprise Holdings Inc. et al., 1:20-cv-03200 (N.D. Ill).
Litigation is also popping up around the world, although not necessarily in class action form. In Australia, a first-of-its-kind case, Lee v. Superior Wood Pty Ltd., (2019) FWCFB 2946, wound its way through the courts after a worker successfully sued his employer for an unfair dismissal after he refused to clock in and out of work using his fingerprints. In the Netherlands, regulators hit an unnamed company with a record €725,000 fine in April 2020 for illegally using biometric time clocks when it did not have the authority to do so. Use of the clocks without authority violated EU General Data Protection Regulation (GDPR) rules.
The biometric opt-out issue is also rearing its head in the tax space. Some taxing authorities like the Australian Tax Office have long used biometric data to verify taxpayer identities — collections that inherently raise privacy concerns for some taxpayers. But the issue is compounded by the fact that some countries are issuing biometric ID cards to potentially cut down on ID theft and fraud, and ease administrative functions. Countries like India and the Republic of the Congo have launched large-scale biometric ID projects in which residents receive a biometric ID card to use for government benefits and applications. Estonia, a pioneer in digital governing, is creating a biometric ID program.
But these programs raise questions about whether and how that information will be used for tax purposes, whether residents can opt out, and how governments can reassure taxpayers that they will properly safeguard their information. By some accounts, it is an uphill battle. Several years ago, a U.K. House of Commons committee hosted a hearing on biometric data and technology in which lawmakers were “repeatedly told that public attitudes towards biometric systems were largely negative.”
That dynamic has been playing out in some of the first biometric-related tax litigation in the United Kingdom and India, and Mexico is about to join that list. Regulators are preparing to launch a Supreme Court challenge against new biometric data rules nestled in the country’s recent tax reform package.
In December 2020 Mexican lawmakers passed a new law allowing the country’s tax administrators to provide taxpayer verification services via biometric data. The move is raising the hackles of Mexican data protection regulators, who said that same month that they will lodge a complaint with the Supreme Court of Mexico over the measure’s constitutionality.
Identity theft has long been an issue in Mexico, which saw cases climb by some 600 percent between 2011 and 2015, according to Mexico’s National Commission for the Protection and Defense of Users of Financial Services. In response, lawmakers enacted a slew of financial services regulations including biometric data and database rules that include cross-checking with other government authorities that use biometric information. For example, Mexican banks now scan customers’ fingerprints when they open new accounts. But Mexican banking regulators believe the country needs more — a national biometric identity card.
The ID card could soon be in the works. In December 2020 Mexico’s lower chamber of Congress passed legislation enabling the Ministry of the Interior to build a national digital ID system and an eventual digital ID card containing personal and biometric information and a unique ID number, according to Forbes México.
Lawmakers also made changes to how the Mexican Tax Administration Service (SAT) can use taxpayer biometric data for verification. SAT already collects biometric data from taxpayers, like their fingerprints and irises for security uses. In December 2020 lawmakers passed a federal tax reform bill updating how the agency can provide identity verification services. Some critics allege it could enable the SAT to sell electronic signature services, according to Reuters.
Days after the reform bill passed, the country’s data protection agency, the National Institute of Transparency, Access to Information, and Personal Data Protection (INAI), evaluated the rule and found that two specific sections, articles 17-F and 137 “contravene some constitutional and legal provisions regarding the protection of personal data.”
INAI did not elaborate on what those specific violations may be. But article 17-F addresses certification procedures for taxpayer data — certifying electronic signatures, cross-checking identity verification, and maintaining ID records. The new law updates the second paragraph of 17-F and says individuals can ask the SAT to provide verification and authentication services for electronic signature certificates. The SAT will create rules determining when and how this service can be used. Likely at the heart of INAI’s concern is the fact that taxpayers must provide biometric data to the SAT, yet article 17-F could allow third parties to access that information for verification purposes without providing taxpayers the opportunity to opt out.
Article 137 addresses the SAT’s taxpayer notification and summons process and outlines how summonses may be left with individuals at the taxpayer’s residence or a neighbor, if the taxpayer is not present to collect. That also raises confidentiality questions for mandatory biometric information.
In India, taxpayers have challenged the country’s biometric tax regime for a different set of reasons. India runs the world’s largest biometric ID system, Aadhaar. For the past decade, Indian authorities have diligently registered, by some estimates, over 90 percent of the country’s adults for this free system, which requires biometric data like fingerprints, iris scans, and a facial photograph in exchange for a unique 12-digit ID number. The government mostly uses Aadhaar to provide welfare benefits. The idea is that the program will boost social inclusion. But it also hopes to streamline and simplify governance and help crack down on fraud while improving compliance.
In that vein, the government has now linked Aadhaar with tax return filing, after enduring several court challenges. Before Aadhaar, the government administered individual tax ID cards that did not contain biometric data. But authorities slowly phased out those tax ID cards because of fraud and evasion concerns.
Several petitioners who opted out of the Aadhaar scheme over data privacy and bodily sovereignty concerns argued that the government was trying to seize their bodily information without consent. Those petitioners scored a partial victory in 2017 when the Supreme Court of India found that the national constitution does in fact have a right to privacy embedded in its guarantee to the right to life and personal liberty. This overturned a roughly 50-year-old ruling that found no constitutional right to privacy.
Relatedly, the Indian Supreme Court ruled that taxpayers who had opted out of Aadhaar could not be forced to participate and could continue to use their tax ID cards. That changed after a subsequent 2018 Supreme Court ruling, Puttaswamy v. India, WP(C) No. 494 of 2012, that affirmed the government’s right to use Aadhaar for tax returns. The Court found that the government had a legitimate interest in linking the two and ruled that the government could make Aadhaar mandatory for tax returns. It has now done so.
In the United Kingdom, HM Revenue & Customs came under fire in 2018 for allegedly collecting biometric data from taxpayers without consent and failing to share how it would be processed. Under a voice ID program, the tax authority allowed taxpayers to sign up for voice identification services and registered about 7 million taxpayers. But a privacy rights group, Big Brother Watch, alleged that HMRC automatically collected voice data without allowing taxpayers to opt in or opt out of the scheme. Their findings prompted the U.K. Information Commissioner’s Office to launch an investigation into HMRC’s practices.
The issue is related to EU GDPR rules requiring explicit consent when biometric and other special personal data are collected for ID purposes. Also, under GDPR article 9, collection is allowed only under limited instances, like public health or reasons of substantial public interest.
The Information Commissioner’s Office found that HMRC didn’t have a lawful basis under article 9 for collecting the information and seemingly did not let taxpayers proceed with their calls unless they repeated into the phone the phrase “My voice is my password.” There was no option to bypass that step, according to the Information Commissioner’s Office. The organization further found that HMRC collected the biometric data before it publicly released a voice ID privacy notice and failed to tell taxpayers where they could find further information about its voice ID program. In response, HMRC circled back to taxpayers who had used the voice ID service and obtained consent from about 1 million of them. However, the agency was forced to delete records from 5.5 million taxpayers. Nevertheless, the voice ID program is still in operation.
Each of these countries highlights the different points of contention over biometric data and tax collection. These include potential misuse or sale of data, the right to privacy and bodily autonomy, and the sufficiency of opt-in and opt-out choices. But these cases also raise broader questions about how taxing administrations can use biometric data to achieve their administrative goals, while balancing the need to protect taxpayer privacy and security. It is still a work in progress and will continue to be so while governments adjust their rules. The issue is in its infancy, but it certainly will be one to watch in our evolving digital society, particularly as new countries adopt biometric regimes.