New technology can make everyday functions in our life easier and more convenient but sometimes, it can open up a whole can of worms when it comes to our freedom and rights. Facial recognition technology is on the rise globally and with companies in Australia looking for ways to use it with customers, the lines between privacy and convenience can get a little murky.
Part of the reason behind this is that many of us aren’t particularly familiar with the laws that govern who can use invasive technology and when.
A recent introduction of facial recognition cameras to 7Eleven stores around Australia sparked controversy over what constituted as consent and whether a company could use a controversial technology for something as simple as rating customer experience.
We spoke to the Office of the Australian Information Commissioner (OAIC), the national data and privacy regulator, to find out.
What is facial recognition?
Facial recognition cameras capture data known as biometric. These are considered physical human features that can be used to identify you and can range from thumb or fingerprints to eye scans. In the case of cameras, however, they’re capturing facial features and using AI to match it to a database.
The Australian government has moved to employ this technology in airports around the country with the idea that it would eventually phase out the need for manual passport controls.
The capturing of biometric information is outlined by a federal law called the Privacy Act 1988.
“In most situations, an organisation that is covered by the Privacy Act must not collect sensitive information unless the individual consents to the collection and the information is reasonably necessary for its functions or activities,” an OAIC spokesperson told Lifehacker Australia.
That consent requires four elements to be ticked off in order to be sufficient, according to the OAIC. A person needs to be adequately informed about what it’s consenting to and needs to provide it voluntarily. It also can’t be given in perpetuity — it needs to be current and specific to the action. Finally, an individual has to have the capacity to understand and communicate their consent so asking a child would likely not meet this requirement. It also means a sign on a store front’s entrance is likely not enough.
Can I make a company delete biometric information?
If you do willingly hand over your biometric information, it can be a little tricky to get it removed from a database. The OAIC said a business or organisation governed by Australian Privacy Principles (APPs) will need to destroy or de-identify — remove your facial details from your personal details — after the information is no longer required.
“Organisations governed by the Australian Privacy Principles (APPs) are not required to delete information on request, but, under APP 11, the entity must be taking reasonable steps to destroy the information or to ensure that the information is de-identified once it ‘no longer needs’ the information for a lawful purpose,” the spokesperson said.
I want to complain about a case
If you think your biometric information has been unfairly captured, you have a few things you can do about it. First, the OAIC recommends you make a complaint to the company that you suspect has the data. Larger companies have workers that specifically deal with privacy complaints so this is a good first step to take. The OAIC also provides templates for the type of email or letter you could send them.
Failing that, you can complain directly to the OAIC.
Depending on the case, it could result in a company removing your data, issuing an apology, changing their policy, implementing extra training or providing compensation.
As always, the best superpower is being informed and it’s something even the most engaged of us can struggle with due to a wealth of complex information. Starting small by understanding what your rights are can help you weigh up those important decisions later on.