COVID-19: The Legality Of Biometric Technologies


A lockdown exit plan is due to be revealed by Prime Minister Boris Johnson on Sunday 10 May. The government has suggested that biometric technologies will play an important role in the strategy.

Through implementing a range of data-driven solutions, the government plans to monitor the spread of the virus. The primary technology solutions are currently smartphone contact tracing, data sharing and immunity passports.

Concerns have been raised regarding the legality of these technologies. Many civil rights groups have stated they will seriously infringe upon essential rights and freedoms. It has also been suggested that the government could face legal challenges if these biometric technologies do not satisfy data laws and human rights.

Biometric technologies to aid emergence from lockdown

The government argues that the introduction of biometric technology has the potential to help contain the spread of the virus. On Monday 5, Health Secretary Matt Hancock announced that the first digital contact tracing app was being tested in the Isle of Wight, with plans for a national roll-out by the end of the month.

The mobile phone tracing app works by utilising the Bluetooth capabilities within a smartphone. It creates a data trail by recording each person a user comes into contact with. It then alerts users if they have been in close proximity with an infected user and asks them to self-isolate. Ministers say they want at least 60% of the population to download the app for optimum effectiveness.

Meanwhile immunity passports, or “health passports” are also being developed. NHSX CEO Matt Gould recently said that the NHSX was in “the very early stages” of reviewing its options relating to such passports. However, the UK-based firm Onfido, which specialises in facial biometrics, is now reportedly in talks with the government and says it could roll out a system within months.

The company’s digital certificate would work through users downloading an Onfido app, and then creating a digital identity by taking a selfie. They would then have to match their selfie with a government-issued identification. Once their digital identity is created, a user would then need to test for COVID-19. After this, when they enter their workplace, they would have to take a picture of their face. This would generate a QR code. When presented to reception, this QR code would reveal whether or not they are healthy, and able to work.

In its proposal to the government, Onfido describes immunity passports as “the linchpin of a new normality”.

Legal basis of the software

Back in 2019, the then Immigration Minister Caroline Nokes said the government was “considering options” on how it would regulate biometric technology, such as facial recognition. She said the government would “develop options to simplify and extend governance and oversight of biometrics across the Home Office sector”. However, a year on and it seems little progress has been made in relation to developing biometric technology legislation.

Speaking about the urgency of developing these regulations, Hugh Milward, Director of Corporate, External and Legal Affairs at Microsoft UK, at a developing governance for biometrics at a Westminster eForum policy conference said: “Given that this technology is developing fast, we really do believe that there needs to be laws in place to help protect citizens and individuals as we step forward”.

Expanding existing surveillance economies of course brings with it a whole host of legal concerns. The introduction of new surveillance technologies even more so, and should be approached with caution. It is perhaps surprising then that the government has ignored the advice of the Information Commissioner’s Office and the legal opinion of a range of lawyers specialising in data rights.

Both have recommended that the government adopts a decentralised system to store data, such as the “DP3T” system. This would mean that collected contact tracing data remains on the user’s phone and cannot be matched by any central server. Alternatively, the use of a centralised system would mean that collected data would be held on an NHS database, whereby the NHS could identify who has been infected. The latter is the model the government has opted for. This is despite the legal opinion outlining that this would lead to “significantly greater interference with users’ privacy and require greater justification”.

Speaking to BBC Radio 4’s Today programme Matthew Ryder QC said that the government has not yet presented “the evidence or the material it would need to justify the course it is taking”. As a result, he warned that if the government continues ahead with this strategy, a legal challenge is “almost inevitable”.

There are also potentially further implications of the government choosing a centralised system. According to The Independent, the government’s decision to not use decentralised systems from Google or Apple apps means that citizens could potentially face up to 14 days quarantine when travelling abroad.

Additionally, when it comes to data sharing between healthcare organisations and private companies, the legal opinion states that there are a range of legal problems, some “resulting in potential illegality”.

Meanwhile others have argued that “health certificates” raise serious ethical questions.There are concerns that such certificates may encourage perverse incentives to contract the virus, and discriminate against those who cannot prove they are immune. Alexandra L. Phelan, SJD, LLM, LLB, writing in The Lancet has said that such passports would “create an artificial restriction on who can and cannot participate in social and economic activities”. Further to this, reflecting upon the possible discrimination of those without “immunoprivilege” she said: “Immunity passports would risk enshrining such discrimination in law and undermine the right to health of individuals and the population through the perverse incentives they create”.

Others share this sentiment too. Writing in the Spectator, Kate Andrews said: “If it turns out, as early research indicates, that some groups are inherently more susceptible to Covid-19 than others, how long would their genetic make-up be a determining factor in what parts of society they can rejoin? If you think the police have been overzealous with their drone usage and chocolate Easter egg crackdowns, wait until they can ask you to show your proof-of-virus”.

Infringing human rights

Speaking to the Commons, Matt Hancock recently stated that it will be the public’s “civic duty” to download its contact tracing app. However, this has not settled well with civil liberties groups such as Liberty. Fearing that downloading contact tracing apps may become compulsory, the campaign group has warned against possible “coercion”.

Clare Collier, the Advocacy Director at Liberty, said: “By presenting surveillance tools as a solution to lockdown, the government is drawing on the willingness we have all shown to make sacrifices in the face of this crisis while refusing to show it is taking seriously the enormous risks presented by invasive technology”.

Meanwhile, Amnesty International have said that through the introduction of these technologies, privacy could become “another casualty” of the virus. Speaking about these possible dangers Kate Allen, Amnesty International UK Director, said: “We’re extremely concerned that the Government may be planning to route private data through a central database, opening the door to pervasive state surveillance and privacy infringement, with potentially discriminatory effects”.

The legal opinion, instructed by Open Society Foundation, also found that two aspects of the current contact tracing proposal infringe on human rights. These aspects are the mandatory use of the app, and the processing of personal data. The document suggests that the government’s centralised system “would be sufficient to amount to an interference with Article 8,” the right to respect for one’s “private and family life, his home and his correspondence”.

Regarding “health passports,” the legal opinion states that it would significantly interfere with the rights under Article 8 ECHR, Articles 7 and 8 of the Charter and the EU/UK legislation

on the right to privacy and protection of personal data. On top of this, relating to “stigmatisation and indirect discrimination,” it states that such passports would also engage Article 21 of the Charter and Article 14 ECHR.

Professor Lilian Edwards of the University of Newcastle, has proposed The Coronavirus (Safeguards) Bill 2020 in response to these potential violations. The Bill subsequently recommends safeguards relating to contact tracing apps and potential “health certificates” being rolled out. Some of these recommendations include ensuring:

  • No one is penalised for not having a functioning phone;
  • No one is “compelled” to install an app
  • Personal data collected by the app or from an “immunity certificate” should not be shared outside of the NHS and COVID-19 researchers unless anonymised
  • Data collected from the apps and immunity passports should be deleted as soon as possible
  • A strict code of conduct should be created and implemented
  • Immunity passports must not become an uncontrolled internal passport or used to discriminate.

Ultimately, one thing is for sure, as digital innovation progresses, the government must implement stringent regulations to ensure that the personal data and privacy are not put at risk at the expense of containing the virus.

Article Created By Madaline Dunn