Biometric Recognition Cases
“Biometric Recognition Cases,” that’s the subject of today’s ACTEC Trust and Estate Talk.
This is Ed Beckwith, ACTEC Fellow from Washington, DC. Personal privacy is a topic straight out of the headlines. To learn more about this most important subject, we will be hearing today from ACTEC Fellow Justin Brown of Philadelphia. Welcome, Justin.
Thanks, Ed. The gathering and use of biometric information and biometric identifiers has become a hot-button issue in the privacy world. Today, I’m going to talk about two recent cases that address some of the issues that we face with the protection of biometric information and biometric identifiers. But before diving into the cases, I want to briefly discuss the Illinois Biometric Information Privacy Act or BIPA.
BIPA was enacted in 2008 and was rarely used until recently. It is fundamentally a consumer protection law that’s designed to regulate the collection, use, storage, and safeguarding of biometric information. So, first, what is biometric information? Well, BIPA defines biometric information as any information, regardless of how it is captured, converted, stored, shared, all based on an individual’s biometric identifiers that are used to identify an individual. So, what are biometric identifiers?
BIPA defines biometric identifiers as a retina or iris scan, fingerprint, voiceprint or a scan of a hand or face geometry. Biometrics are unlike any other unique identifiers, such as regular passwords, that are used to access finances or sensitive information. Passwords can be changed; social security numbers can be changed. But biometrics are biologically unique to the individual. You can’t change your face or your fingerprints. So, once your biometric information is compromised, the individual has no recourse and is at a heightened risk of identity theft.
Biometric Information Privacy Act or BIPA
The cases I’m going to talk about today focus on two sections of BIPA, Section 15(a) and Section 15(b). Section 15(a) of BIPA provides that a private entity in possession of biometric information and biometric identifiers must develop a written policy, which is made available to the public, that establishes a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Section 15(b) provides that no private entity may collect, capture, purchase or receive, or otherwise obtain a person’s biometric identifier or biometric information unless it first informs the individual that the biometric identifier or biometric information is being collected and stored. Second, informs the individual on the purposes of collection and storage. And third, the individual provides a written release of the use of their biometric information. So, with that backdrop, let’s get into the cases.
Mutnick v. Clearview AI Inc.
The first case I want to talk about is from August of 2020. It’s the Mutnick v. Clearview AI Inc. case out of the U.S. District Court in the Northern District of Illinois, Eastern Division. In this case, Clearview AI scraped over 3 billion facial images from the Internet, scanned biometric identifiers from all of these images, and created a searchable database that would then allow people to instantly identify individuals through just the photograph from the Internet. Clearview AI’s database included the picture of the person and private information such as their name, their home address, and sometimes even their work address. And then, Clearview AI sold access to the database to various law enforcement and government agencies. The legal issue in this case was not necessarily about biometric identifiers. It was about personal jurisdiction over Clearview AI in the BIPA claim in federal court. And while the court ultimately concluded that there was personal jurisdiction, the court characterized Clearview AI’s actions as a clear violation of the privacy rights of individuals for whom they gathered biometric identifiers and biometric information. And ultimately, the court said in dicta that this is exactly what BIPA was designed to protect.
Bryant v. Compass Group USA, Inc.
The next case is Bryant v. Compass Group USA, Inc. from January of 2020. Also, out of the U.S. District Court in Northern District of Illinois, Eastern Division. In this case, Kristine Bryant worked at a call center in Illinois. And for the convenience of the employees, this center had vending machines that were owned and operated by Compass Group USA. The vending machine didn’t accept cash or credit card but instead, to purchase items from the machine, a user simply has to use his or her fingerprint. The fingerprint was then linked to their account and funds were automatically withdrawn from the account to pay for the item in the vending machine. When employees were hired, they were instructed to just scan their fingerprints into the system to create their account. So, Kristine Bryant voluntarily set up her account. She was fully aware that her fingerprint was being collected and stored, and she voluntarily gave her fingerprint over. Her claim, however, was not that they collected her biometric information, but that they collected it without her written consent. So this case, procedurally, dealt with issues regarding the removal of the case to federal court based upon diversity jurisdiction. So, in doing the analysis, there needed to be a determination of standing. And in determining the standing in personal jurisdiction, there needed to be a determination of whether or not there was an injury-in-fact to Kristine Bryant.
The court, here, looked to whether or not there was an actual harm in the disclosure of the biometric information or whether this was just a procedural violation of BIPA. So, in analyzing the case, the court looked at multiple cases that have dealt with the collection of biometric information versus those that were mere technical violations of BIPA, but there was no actual harm. So, for example, in the Miller v. Southwest Airlines case out of the Seventh Circuit, the court looked to airline employees who were required to give their fingerprints as identifiers. And in that particular case, if the employees refused to give their fingerprint, then there was a chance that they could be fired. And as a result, the court concluded that there was an injury-in-fact or at least a likelihood of a future injury-in-fact.
Similarly, in the Patel v. Facebook case out of the Ninth Circuit, Facebook created a user template that was designed to take pictures that were uploaded into Facebook and then based upon biometric identifiers then tagged the individuals in future pictures that were posted to Facebook. Now, here, the individuals had no idea that their biometric information was being used and the court believed that this was a great invasion of their privacy, and it was, therefore, an actual injury.
Contrast that with some of the other cases out of the Northern District of Illinois, where employees would voluntarily give their biometric identifiers and biometric information. And in those situations, the Northern District concluded that they’re just mere technical violations and there is no actual injury. So here, as you would imagine, the court–consistent with what the Northern District of Illinois had previously ruled–believes that because the information was never disseminated and there was no sharing of the fingerprints, and there was never any allegation of harm to Bryant, that it was a mere technical violation of BIPA and there was no actual injury-in-fact. So, while a technical violation of BIPA, no injury, no standing.
Now, this case went up to the Seventh Circuit Court of Appeals, and in May of 2020, the Seventh Circuit looked at it very differently. The court started its analysis based upon the Spokeo, Inc. v. Robins case out of the U.S. Supreme Court in 2006. And in that case, the court held that while a concrete injury must actually exist, the injury does not need to be a tangible injury. Simply, the mere risk of a real harm is sufficient. So here, the court believes that Bryant was asserting a violation of her privacy rights in her fingerprints. Each individual has a unique biometric identifier, and this was an invasion of her privacy. And that invasion alone is sufficient harm. The court looked to 15(b) and said, the whole purpose of Section 15(b) of BIPA was to ensure that consumers understand, before providing their biometric data, how the information is going to be used, who’s going to have access to it, and for how long it was going to be retained.
The court said that it was the legislature that determines that people must be given the opportunity to make informed choices about who and for what purposes they will relinquish their biometric information. And ultimately, because Bryant was denied the opportunity to make informed consent as to the use, storage, and dissemination of her biometric information, she suffered a concrete injury.
So, why do we as trust and estates attorneys care about all this? Because these issues are going to be impacting our clients. Are biometric identifiers and biometric information digital assets? Who can access one’s biometric identifiers and biometric information? How does one safeguard their biometric information? How do we know if others have accessed this information? And if others have accessed it, how do we right the wrong and reclaim our biometric information? These are just some of the issues facing trust and estates attorneys. And as technology improves and the use of biometric information increases, these issues will impact all of our clients.
Justin, thank you for updating us on the latest legal developments with regard to biometric recognition and our own personal privacy.
This podcast was produced by The American College of Trust and Estate Counsel, ACTEC. Listeners, including professionals, should under no circumstances rely upon this information as a substitute for their own research or for obtaining specific legal or tax advice from their own counsel. The material in this podcast is for information purposes only and is not intended to and should not be treated as legal advice or tax advice. The views expressed are those of speakers as of the date noted and not necessarily those of ACTEC or any speaker’s employer or firm. The information, opinions, and recommendations presented in this Podcast are for general information only and any reliance on the information provided in this Podcast is done at your own risk. The entire contents and design of this Podcast, are the property of ACTEC, or used by ACTEC with permission, and are protected under U.S. and international copyright and trademark laws. Except as otherwise provided herein, users of this Podcast may save and use information contained in the Podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing, of this Podcast may be made without the prior written permission of The American College of Trust and Estate Counsel.
If you have ideas for a future ACTEC Trust & Estate Talk topic, please contact us at ACTECpodcast@ACTEC.org.
© 2018 – 2021 The American College of Trust and Estate Counsel. All rights reserved.