Enforcing biometrics as intellectual property becomes more important as biometric technology develops. Biometric systems, which are essential for border control, immigration, and security, use automated measures of biological and behavioral characteristics to identify or authenticate identity. This technique raises serious privacy and intellectual property (IP) problems since it uses artificial intelligence (AI) to analyze biometric data.

The EU AI Act and state laws in the United States are two examples of current rules that attempt to control the gathering and use of biometric data, but the legal environment is dynamic and ever-changing. This paper examines the relationship between IP laws and biometric data, highlighting the importance of ethical AI deployment and strong data protection.

What is Biometric Data and Biometric Systems?

Biometric systems use automated measurements and analysis of biological (Fingerprints, face and Iris) or behavioral traits (voice, signatures, body movements) to identify or validate identity. Governments and businesses are increasingly interested in biometric technology, for primarily two functions of theirs: Identification and Verification. The architecture and design of biometric systems can be complex, and therefore consensus is needed on the functions and meanings of biometrics.

At the moment, biometric technologies play a leading role in security, immigration and border control policies of the State. And the biological and behavioral traits that are used by the systems to measure and analyze form the Biometric Data. This Biometric data can be used to identify the individuals by their race, ethnicity, health, and also alert on any possibility of identity theft. However, storage, analysis and usage of biological data, specifically DNA, is regulated and considered risky.

How is Biometric Data driven by AI?

Artificial Intelligence (AI), a branch of computer science, significantly impacts national and international privacy laws due to restrictions imposed by the countries where it operates and the source of data used in Artificial Intelligence (AI) algorithms. AI has been defined as a computer science branch that aims to create devices and systems that require human intelligence without human assistance. The ongoing debate about inventorship and ownership is significant, as AI may follow the trend of computer-implemented inventions where the inventor is still human.

WIPO emphasizes the need for discussing the underlying data used in AI algorithms to prevent copyright infringement, considering biometrics, personal information usage, and “deep fakes.” While the Non-IP legal rights, such as privacy laws, are being established on a state-by-state basis in the United States; Trade secrets remain an appealing intellectual property option for inventors.

The role of Data Privacy Laws and AI laws to monitor Biometric Data and Biometric Systems

Data Privacy Laws:

As of right now, state laws are in charge of regulating the gathering and use of biometric data; federal legislation in this domain is lacking. Legislation pertaining to the gathering and application of biometric data by commercial organizations has been passed in Illinois, Texas, and Washington. For instance, organizations that gather, use, and keep biometric data must abide by rules and specifications set forth in the Illinois Biometric Information Privacy Act (BIPA). In the event that organizations that gather biometric data violate BIPA’s rules and specifications, people and entities may also pursue a private right of action to obtain damages from those organizations.

The California Consumer Privacy Act of 2018 protects consumer information from third-party practices. Customers have the right to request businesses to delete their personal data and opt-out of selling their information. This includes DNA, iris, retina, fingerprint, face, hand, palm, vein patterns, voice recordings, keystroke patterns, gait patterns, sleep, health, or exercise data, and physiological, biological, or behavioral characteristics.

The California Privacy Rights Act (CPRA) added new requirements to the CCPA, requiring for-profit companies in California to gather customer data. If a third party uses users’ information for other purposes, they must provide them with the option to opt out.

EU: The European Union AI Act focuses on the ethical and secure use of AI technology, categorizing systems into low, moderate, unacceptable, and high risk categories. Biometric systems are high-risk and subject to strict regulations, including risk management, data governance, openness, human supervision, and accuracy. The Act prohibits discriminatory social scoring and real-time remote biometric identification by law enforcement, with penalties of up to €30 million or 6% of annual global revenue. Compliance is mandatory, and noncompliance can result in severe consequences. The Act aims to reduce risks and ensure the appropriate use of biometric data, boosting public confidence in AI technologies.

Biometric data given IP Protection

The primary concern regarding IP protection for biometric data is whether it provides meaningful rights to data subjects, whether it offers greater protection than other methods, and if it restricts the data subjects’ ability to use their data for purposes other than public interest and economic gain, and their freedom of expression.

Biometric Data promotes private investments in the creation and distribution of intellectual property, and in return intellectual property law (IP Laws) seeks to prevent the misuse and abuse of personal data. Given that the public benefits from these expenditures, there might not be much of a motivation to make them without IP rights. IP laws have the potential to strengthen present data protection regulations by giving data owners a legal claim, promoting commerce, and safeguarding data tradability.

While property rights over personal data may compel companies to bargain with the people whose data is at issue IP rights enforced by the IP Laws acknowledge property rights that safeguard the rights of the data subject who will supposedly become an owner of such data, like copyright in data, and contract rights, like those derived from license agreements.

Trade Secrets

Under the trade secret framework, biometric data, which is frequently classified as intellectual property, could be modified. With this strategy, biometric data access would be restricted, who could access it and when, and there would be severe consequences for using it without authorization. Businesses could file a lawsuit for damages in the event that there is a breach or theft because of the perpetual nature of biometric data security. In addition, this would give people strong legal redress in the event that their biometric data is misused—a mechanism akin to trade secret protection.

Furthermore, there is a critical need for well-reasoned solutions regarding the extent of trade secret protection, taking into account the implications of such a proposed scope for other aspects at the intersection of trade secret and data protection, such as the balancing of rights between trade holders and departing employees and the rights of data anonymization and reverse engineering.

Trade secret protection and data protection laws apply to personal data, with trade secret protection reinforcing the protection of data from unauthorised use by third parties. However, there may be situations where the interests of those who own trade secrets and those concerned with data protection collide, such as when personal information is stored on digital platforms with multiple users, such as social media accounts.

While trade secret rights may not always take precedence over data protection rights, access to data should not negatively affect the rights and freedoms of others, including trade secrets or intellectual property. Member States have the authority to limit the extent of data protection, as per Article 23 Paragraph 1 of the relevant Union or Member State law. The restriction must uphold the core principles of fundamental rights and freedoms, be deemed necessary in a democratic society, and be proportionate in that society.

The way forward

A strong framework for safeguarding private investment, maintaining data integrity, and protecting personal information is provided by enforcing biometric data as intellectual property. IP laws strengthen current data protection safeguards by giving data subjects legal rights, which promotes the ethical use and commercialization of biometric data. The protection of trade secrets bolsters these measures by limiting unauthorized access and offering legal redress in the event of misuse. But it’s still critical to strike a balance between these protections, individual rights, and the requirement for openness. In order to balance data security, individual liberties, and intellectual property regulations and eventually promote public confidence and creativity in biometric technology, careful planning is required.

*Written by Gayathri S, Legal Intern @Intepat IP