Anonymisation stands as a commonly used method for ensuring data privacy. It involves removing personally-identifying information like dates, locations and demographics from a sample. In the case of biometric data, however, this approach fails to preserve its confidentiality. With advancing computing capabilities, merely eradicating markers from biometric datasets is an inadequate measure to prevent tracing back to the data subject. This inadequacy has sparked skepticism within data protection and privacy law circles, questioning the feasibility of truly anonymising biometric data.
Japan’s Act on the Protection of Personal Information recognizes the limitations, categorising biometric data as part of information that cannot be ‘anonymised’ or ‘pseudonymised data.’ This acknowledgment underlines the challenges in anonymising biometric information, signaling a need for reevaluation in data protection strategies for such sensitive data.
The absence of clear definitions and categorisations of biometric data within current legislation highlights the need for comprehensive frameworks that specifically define rules governing its collection, storage, processing and deletion. Established legislation like the Information Technology Act, which were supplemented by subsequent ‘Rules’ for various digital governance aspects, can be used as a precedent. For instance, the 2021 Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules were introduced to establish a robust complaint mechanism for social media and OTT platforms, addressing inadequacies in the Parent Act.
To close the current regulatory loopholes, a separate set of rules governing biometric data under the Digital Personal Data Protection Act, 2023 should be considered. These rules would define biometric data clearly and set forth unambiguous rules for its storage, deletion and protection. The ‘right to be forgotten’ must be a basic element of it, recognising people’s sovereignty over their biometric data. Such focused regulations would not just bolster the safeguarding of biometric information, but also ensure compliance and accountability among entities handling sensitive data. Ultimately, this approach aims to cultivate a more resilient and privacy-conscious ecosystem within our dynamic digital landscape.
Source: Barandbench
