Asian man is using facial recognition for payment Photo: Getty Images
Tougher rules around the use of biometrics such as facial recognition are being forecast by Privacy Commissioner Michael Webster.
He has opened consultation on a biometrics code he wants to issue next year.
He already received feedback earlier this year, which led to a draft code that aims to impose stronger transparency obligations, and more restrictions around the most intrusive and high-risk uses.
But it would also remove a proposed explicit ban on agencies using web-scraping to collect biometric information from publicly available websites.
"Biometrics needs special protections, especially in specific circumstances," Webster said in a statement on Wednesday.
"The code will help agencies implement the technology, while giving people confidence it's being done safely and fairly."
Facial recognition is the most common and intrusive form of biometrics, but it also includes fingerprintings, and iris scanning.
The consultation asks questions such as, "Should people know about the use of biometrics beforehand?" and should some uses of it be limited.
Consultation is open until 14 March.
The code as drafted would require any new use to run what is called a proportionality test, basically to weigh the benefits and risks - "think twice" would be the rule before high-risk systems were rolled out.
It should not be used if there was a reasonable alternative option, the code would state.
It would demand people get more of a heads-up when it was being used on them.
It would also limit facial recognition to gauge people's emotions, or mental state, or to categorise them on the basis of how they look, as to their politics or, say, criminal propensity.
This is not theoretical. In 2020, a US university sparked controversy saying it had developed software that was 80 percent accurate at predicting whether someone was likely going to be a criminal.
As for web scraping, unfair and unreasonably intrusive use is already off-limits. The code would no longer go even further, due to feedback and "our own analysis around the tension between the benefits of freely available information and expectations of privacy in publicly available information".
Webster released 100 pages of guidance, too, for agencies to know the rules and how to comply.
He expressed confidence: "The feedback we've gained, and our own analysis has helped us to develop a code that will help ensure biometric technologies are used safely and fairly."
But New Zealand is playing catch-up on rules around biometric systems and the allowable scope for surveillance by them, at the same time as they are rolled out further, notably this year in a trial in almost 30 Foodstuffs supermarkets.
Customs has also been adding new powers to its facial recognition technology built into airport border systems, while Internal Affairs plans to roll out a sector-wide online vertification tool that uses facial recognition to streamline access to public and other services.
The EU is much further ahead. Its AI Act imposes perhaps the world's strongest bans on "biometric categorisation systems", basically facial recognition systems that deduce or infer sensitive attributes such as race, political opinions, or sexual orientation, or infer emotions in the workplace or educational institutions.