On 18 December 2024, the OPC announced its decision to press on with issuing a Biometrics Processing Privacy Code, regulating the use of biometric systems to process biometric information. This follows the release in April 2024 of an exposure draft of the code, on which the OPC received a large number of submissions.
The new draft code retains some core aspects included in the April 2024 consultation draft:
- It requires organisations to assess whether collection is necessary and proportionate — that is, the benefits to the organisation, individual and/or public outweigh any privacy risk as well as the impact on Māori — before carrying out any biometric processing.
- It mandates that organisations notify people — through a clear and conspicuous notice before or at the time of collection — that they are carrying out biometric processing, for what purpose, and what alternatives are available.
- It restricts some uses of high-privacy risk biometric processing, such as using it to determine emotions, infer health conditions, or categorise people according to race, ethnicity, disability, gender or sexual orientation.
- The code will also be retrospective, with existing biometric processing to be compliant within nine months of it taking effect.
However, the new draft also includes several changes made to reflect submissions received on the exposure draft:
- The restrictions on using biometric information — fair use limits — are now targeted to the most intrusive and highest risk use cases.
- The OPC added a new requirement that organisations tell people where they can find a rundown of their assessment of the pros and cons of using biometrics, if they have already made this public.
- The code commencement period increases from 6 months to 9 months for organisations already using biometrics, to allow a longer lead-in time to ensure compliance.
- The code has also been simplified to improve understanding of what processes are included and excluded, and some rules have been clarified.
The OPC expects the code to come into force in late 2025, and organisations and the public have until 14 March 2025 to submit comments on the new draft.
We believe a risk-based approach is needed for this issue, taking care not to over-regulate in a way that could prejudice beneficial and safe uses of biometric information or under-regulate in a way that could leave individuals and communities open to harm. This will require strong collaboration between regulators, technologists and privacy professionals, to ensure we strike the right balance.
We offer a few thoughts below that might help with crafting submissions or understanding what the code means for you:
- Think about how the code might impact on your current or future biometrics use cases. Are there beneficial or safe use cases that this code would prohibit? If so, it would be worth raising these with the OPC in your submission.
- If you currently use biometric technology, you will need to complete a proportionality assessment for each of your biometrics use cases. The earlier you can do this the better, as the OPC has stated clearly that the code will be implemented in some form, and you may need time to collect the necessary evidence of effectiveness.
- You will need to consider how each of your biometrics use cases complies with the additional requirements in the code, including reviewing your privacy notices to ensure that they meet the enhanced transparency obligations.
A version of this article originally appeared in the IAPP Asia-Pacific Dashboard Digest, on 23 January 2025.