Biometric And The Law: Regulating Next-Generation Identification Technologies

In a world where your heartbeat can be used to open doors and DNA can be used to verify your identity, the line between privacy and security is getting blurred. Imagine walking into a bank, hospital or airport without needing to show an ID, carry keys or even speak: your walk, your iris scan or your voice is enough to identify you. Next-generation biometrics are no longer the future; they are already here, and they are transforming the concept of identity.

But here is the question: while these technologies provide unprecedented security and convenience, are we really ready for the legal and ethical issues that come with them? What if our most intimate characteristics – things we can't control, like our fingerprints or DNA – become the basis of our identity? This article looks at the exciting yet problematic field of biometrics, and at whether we are entering a new, secure world or a privacy nightmare.

What are Biometrics?

Biometrics is the use of different physical and behavioral characteristics of your body to identify you.[1] Your fingerprints, iris scan, face recognition, and even your voice features are part of this. These qualities are personal and are used for safe identification. Here are some of the common types of biometrics which you must know:
  • Fingerprint Scanning: This is one of the earliest and most popular biometric technologies in use.
  • Facial Recognition: It compares facial shapes to confirm the identity of an individual.
  • Iris and Retina Scanning: Use patterns in the eye to identify a person.
  • Voice Recognition: Your vocal patterns and speech are used to confirm your identity.
  • Behavioral Biometrics: Monitors your typing, walking, and even the mouse movement behaviors.
You are now familiar with the basic idea of biometrics, so allow me to introduce you to Next Generation Biometrics. As the field develops, other forms of biometric identification such as DNA analysis, vein pattern recognition, and behavioral biometrics (for example, the way you walk, the way you sit, the way you use a mouse) are being introduced. These new forms of biometrics have emerged together with their own advantages and disadvantages in terms of accuracy, security, and privacy.

The Legal Landscape: Current Regulations on Biometrics

As with any idea, innovation or law, no matter how perfect it is, there is always a risk. In the case of biometric technology, which is supposed to increase security, there are major issues regarding individual rights. This is not just the plot of a sci-fi movie; it has become one of the biggest dilemmas of the real world. Various countries have framed laws to address this challenge. India, America and the European Union have each developed legal defenses to regulate biometrics in their own way.

India

India is one of the most populous countries in the world and a developing country that has witnessed much development in the 76 years since its independence. Biometrics has been in use in India only since 2009, when the Aadhaar project, which offers each citizen a unique identification number (UIDAI), was launched. Nevertheless, the collection and use of biometric data is still regulated by the current laws and policies in the data protection and privacy domain. Some of the laws are:
  • The Information and Technology Act, 2000 (IT Act)
  • Aadhaar Act, 2016
  • The Digital Data Protection Act, 2023 (DPDP)

The Information and Technology Act, 2000 (IT Act)

  • The IT Act, by way of Section 43A, mandates that companies dealing with sensitive personal data, including biometrics, observe reasonable security practices. Where a company fails to do so, it may be liable to compensate for any loss or damage suffered as a result of a data breach.[2]
  • It also has a provision regarding the disclosure of personal information, Section 72A, under which it is an offence to disclose personal data (biometric data, to be precise) without the consent of the subject.[3]

Aadhaar Act, 2016

  • Aadhaar is one of the biggest biometric networks in India, capturing fingerprints, photos and iris scans of more than 1 billion people for identification purposes.
  • This Act is the legal framework for biometric and demographic data collection and use in the Aadhaar system.
  • The collection and use of biometric information is permitted only with the consent of an individual, except for national security or criminal purposes.
However, concern about the use of biometric data in the Aadhaar system led to a Supreme Court decision in 2018, K.S. Puttaswamy v. Union of India, which established privacy as a citizen's right and defined the use of Aadhaar data.[4]

The Digital Data Protection Act, 2023 (DPDP)

  • One of the biggest recent developments in India's data protection domain is the Digital Data Protection Act, 2023 (DPDP). This new bill is likely to define the trends of data privacy in India and has provisions to secure sensitive personal data like biometric identification.
  • It provides for explicit consent for the processing of biometric data and has severe penalties for the violation of the rules on the use and management of the data.[5]
  • The bill also guarantees the right of data subjects to demand access to, correct, or even have their personal data deleted, including biometric data.

United States of America (USA)
There is no single federal biometric data protection law in the United States. Instead, such regulations are made at the state level, and some states have enacted laws that address the collection, use and storage of biometric information. Among the states, Illinois, Texas, and Washington have privacy laws that are specific to biometrics.

Biometric Information Privacy Act (BIPA)
Illinois BIPA was enacted in 2008 and is the most extensive biometric data protection law in the United States. It requires that any entity in the state obtain written permission from an individual before capturing his or her biometric identifiers, which include fingerprints, iris scans and face identification, among others.[6] BIPA also has provisions that require companies to share with clients information on how the biometric data will be applied or used, where the data will be kept, and for how long it will be kept before it is erased. Another important feature of BIPA is that it enables people to file a legal complaint against a company for violations of the law, making it one of the most effective laws regarding protection of privacy.

Texas Biometric Privacy Law
The biometric privacy law in Texas was adopted in 2009 as the Capture or Use of Biometric Identifiers Act (CUBI). This law says that any company or organization must have the customer's permission to collect and keep the biometric data of an individual, which may include the fingerprint or the voice. As with BIPA, the Texas law provides that biometric data cannot be sold or shared and must be eliminated once it is no longer needed for its original purpose. However, unlike BIPA, Texas does not permit individuals to file a lawsuit on their own behalf. Instead, the Texas Attorney General is responsible for enforcing the law.[7]

Washington State Biometric Privacy Law
Washington's biometric privacy law was approved in 2017. The law contains similar provisions that prohibit companies from using or collecting biometric identifiers, such as retina scans, fingerprints, and facial recognition, without the knowledge or consent of the subject. The law focuses on the legal framework regarding when and how companies can capture biometric data from an individual and use it or disclose it to third parties, as well as the rights of an individual to know how his or her biometric information is used.

BIPA is a unique law that not only regulates the use of biometric data but also mandates certain provisions for notification, consent, and procedure that are not present in the Washington law. The Washington law does not have a provision that allows individuals to file a lawsuit, but the Attorney General of Washington is allowed to file suit on behalf of the affected residents.[8]

There are other states in the United States, including California (through the California Consumer Privacy Act (CCPA)), New York and Arkansas, that have enacted laws which offer some form of biometric data protection, but they are not as wide or as stringent as the BIPA, Texas or Washington laws. These comprehensive privacy laws treat biometric data as a type of sensitive personal information that is part of their data privacy frameworks.

On the federal level, there is no comprehensive biometric law. Nonetheless, there are federal laws that address general privacy and data security issues, for instance the Health Insurance Portability and Accountability Act (HIPAA), which addresses the biometric data used in the healthcare industry.

European Union (EU)
The EU has some of the most stringent policies regarding the protection of biometric information. There is no one specific EU law that is aimed at biometrics, but any biometric data is covered by the GDPR.

General Data Protection Regulation (GDPR)
The GDPR, which took effect in 2018, is a law that requires data protection standards to be met for the collection and use of personal data, including biometric data, in all member states of the European Union. The GDPR treats biometric data as special category data, which is subject to more stringent processing rules than ordinary personal data. Article 9 of the GDPR prohibits the use of biometric data for identification purposes in any form unless certain conditions are met. These conditions include:
  • Only with the consent of the data subject.
  • For the purposes of employment, social protection, or legal compliance.
  • In order to protect the vital interests of the data subject.

Organizations must inform individuals of the biometric data that they intend to collect and obtain positive consent from those individuals before the data is supplied. Furthermore, biometric data should be secured and should not be kept for longer than is necessary for the purpose for which it is being held.

Ethical and Privacy Concerns
Biometric technologies are on the rise and this has brought a number of ethical and privacy concerns, especially as next generation identification methods come into play.

Privacy violations: Biometric data is very private. Whether it's your fingerprints, your face or even your iris scan, this is personal data. It's a cause for concern how companies or governments are able to store and use this information as well as share it without your knowledge. The majority of people are afraid of becoming powerless in relation to their most intimate details.

Data breaches and security risks: Biometric data can't be 'reset' like a password if it is compromised. If someone steals your fingerprint or facial data, there is no way of undoing that. Therefore, it is vital for organizations to make biometric data as secure as possible, yet data breaches still occur.

Consent and transparency: Another major ethical issue in the use of biometrics is whether people really know what is being done with their data. In most cases people are offering their biometric data for an unknown use, for an unknown period of time, and to an unknown number of entities. Ethical use can only be guaranteed by transparent data policies and clear consent.

Surveillance and control: Biometric technology can easily be used for mass surveillance and make people feel like they are being watched and monitored by 'Big Brother'. This technology can be employed by governments to monitor people in a manner that is inimical to their human rights, for example, through the identification of people of a certain ethnicity or political affiliation.

Bias and discrimination: Biometric systems are not always accurate and can be biased. For example, facial recognition technologies are known to perform worse for people of colour. This can lead to prejudice and unfair treatment, especially if biometric data is used in critical fields like policing.

Regulating Next Generation Biometrics
Customized data protection laws: As biometric technologies advance, we can no longer rely on general data protection regulations. Specific laws are increasingly required to cover the particular risks that are linked with biometric data. Companies that collect biometric data must be very explicit about how they intend to use the data, and consumers should have real rights to the data, whether that is the right to request to see it, correct it, or even have it deleted.

Global collaboration for biometric security: With biometric systems being adopted across international borders, it is important to look beyond national regulations. What is needed is a collective effort to set up international security standards for the storage, transfer and protection of biometric data. Governments, companies and any other tech enthusiasts should be on the same page to ensure that the data is well handled.

Introducing extreme measures for data abuse: Establishing laws is one thing, but implementing them is another. To make sure that companies and government agencies comply with the biometric identification and surveillance policies, regulators must be able to monitor these entities and punish those that fail to comply. If biometric data is used or handled improperly, very severe penalties should be imposed to clearly show that there will be consequences for negligence.

Innovation and ethics: Next-generation biometrics could be used for things like mass surveillance or profiling, which is a serious issue from an ethical standpoint. Rules must be set to prevent people's rights and freedoms from being violated through the use of new technologies. The focus of the laws should be on individual protection and the sustainable evolution of the system.

Case Studies: The Impact of Regulation on Biometrics
In the growing world of biometrics, it is not just the technological advancements that are important. The legal and ethical aspects of these innovations have recently been discussed a lot. Two important cases, one from the U.S. and one from India, explain the global problem of how to innovate while protecting privacy.

The Illinois BIPA case: A milestone in privacy rights
The Biometric Information Privacy Act (BIPA) was passed in Illinois in 2008 to govern the collection, use, and storage of biometric data by companies. It was needed because the use of biometric technology in the private sector was on the rise, and with it the possibility of abuse of biometric identification information (fingerprints, facial images, iris scans etc.).

BIPA provided many rights to the individuals with regard to their biometric data. Thus, under this law, companies had to notify individuals of their intention to collect biometric data, the purpose for which the data would be used, and obtain written permission from the individuals before proceeding with the data collection. When companies break these rules, individuals can file suit.[10]

A famous case involved the tech giant Facebook. In 2015, a class action lawsuit was brought against Facebook for using facial recognition technology on users without their consent.[11] The company was using biometric data to 'tag' people in photos without first obtaining the consent required by BIPA. After more than three years of legal back and forth, Facebook finally agreed to a historic $550 million settlement in 2020.[12] The settlement was a significant victory not only for Illinois residents but also for privacy advocates around the world, showing that even tech giants can be held to account under the right privacy laws like BIPA.

The Illinois BIPA case is significant. It established a benchmark. It revealed that biometric data, which had been viewed as novel and innovative, posed a real privacy threat when it was not properly handled. The case has been the subject of much debate in the U.S. It also prompted calls for similar legislation in other U.S. states and other countries, showing the need for biometric data regulation.

Aadhaar Controversy in India: National Security vs. Personal Privacy
On the other side of the world, in India, another major biometric controversy unfolded. The Indian government launched the Aadhaar card in 2009 with the intention of providing every citizen of the country a unique identification number. This number, associated with the person's biometric data of fingerprints and iris scans, was supposed to make the delivery of services such as welfare schemes and banking smoother, and also make governance more effective and inclusive. But the size of the Aadhaar project, which has more than 1.2 billion subscribers, was a cause for concern from the privacy perspective. Critics said the system enables the government to spy on the private lives of citizens like never before and can amount to a tool for mass surveillance.

The authors of the paper highlighting recent issues in biometric technology in its original form also point out that a large number of people in the world are unable to get access to essential services because they do not have access to identity documents. Concerns were further fuelled when reports of data breaches surfaced; crores of Aadhaar details were reportedly leaked online, creating fears of identity fraud and theft.

In 2017, the controversy boiled over in India and the Supreme Court had to step in. In a landmark judgement in 2017, the Supreme Court of India recognised privacy as a fundamental right under the Indian Constitution.[13] Although the Aadhaar scheme wasn't abolished, the Court imposed some conditions on the use of Aadhaar, such as banning the integrative use of Aadhaar for services like bank accounts and mobile numbers. It can be used for welfare schemes, the Court said, but only if biometric data is handled securely, with solid safeguards in place.

The Aadhaar controversy has been a prime example of the difficult balance to be struck between national security, technological advancement, and individual privacy. It has also brought into focus critical questions regarding how much personal data governments should be permitted to collect and store, and how that data should be protected from misuse.

Conclusion
Biometric technologies are changing the way people interact with their environment and are making everyone's life easier and more secure. Nevertheless, the development of legal systems that could control the application of these technologies has not kept up with the rate of technological development. As new generations of biometrics like DNA-based identification and behavioral biometrics become reality, it is imperative that lawmakers sit up and take note.

It is, therefore, important for regulators, tech companies and civil society to continue to work together in order to guarantee that these technologies are deployed properly and that any potential risks are managed. Thus, the potential of biometric technologies can be fully valued without infringing on people's rights if solid legal frameworks based on data protection, consent, and accountability are developed.

End Notes:
  1. What Are Biometrics? - GeeksforGeeks
  2. Section 43A In The Information Technology Act, 2000
  3. Section 72A In The Information Technology Act, 2000
  4. Justice K.S. Puttaswamy (Retd) Vs Union Of India On 26 September, 2018
  5. Press Release: Press Information Bureau
  6. Illinois Biometric Privacy Act: Key Provisions And Updates - Legal Clarity
  7. Business And Commerce Code Chapter 503. Biometric Identifiers
  8. Washington Becomes The Third State With A Biometric Law | Inside Privacy
  9. Art. 9 GDPR – Processing Of Special Categories Of Personal Data - General Data Protection Regulation (GDPR)
  10. Biometric Information Privacy Act (BIPA) | ACLU Of Illinois
  11. Patel-V-FB-9th-Cir-Opinion.pdf
  12. Patel V. Facebook: Facebook Settles Illinois Biometric Information Privacy Act ("BIPA") Violation Suit - Harvard Journal Of Law & Technology
  13. Personal Privacy Of Citizens Vs National Security Of India | Law Column
