The growing demand for highly effective security systems is seeing the rapid uptake of biometric technologies in all industries. This is accelerating the growth of the biometrics industry with an increased focus on investment and innovation. At least one estimate expects the industry to grow from $32.48 billion in 2022 to $59.32 billion by 2026, with Asia Pacific expected be the fastest-growing region over this period.1
As biometric technology is dependent on use of biometric information comprising an individual's physical and/or behaviour attributes, and which is sensitive personal information, the industry is under intense scrutiny to ensure that use of such technologies is compliant with data protection and privacy laws, and more generally, consistent with stakeholder expectations regarding handling of personal information.
Inventors in the biometrics space often query how data protection and privacy laws intersect with their rights to register patents for new biometric technologies. A key concern is whether compliance with local data protection and privacy laws is a necessary precursor to secure registration of patents.
Considering Australian patent law, it is clear that inventors should be aware that patent applications can be refused in Australia if use of the invention is contrary to Australian data protection and privacy laws.
We consider the relevant legislative requirements, its application to biometric technologies and proposed approach to address potential risk of objections during patent examination on this basis, in further detail below.
Objections for being contrary to Australian data protection and laws
Section 50(1)(a) of the Patents Act 1990 (Cth) (Patents Act) provides that an application and specification may not be accepted, and a grant of a patent may be refused, for an invention the use of which would be contrary to law.
The Australian Patent Office's Examination Manual (Manual) states that refusal to accept patents that are "contrary to law" encompasses anything that would be unlawful under applicable statutes, regulations, ordinances or established case law. This would extend to Australian data privacy and protection laws.
Refusal under section 50(1)(a) of the Patents Act is a discretionary power and the Manual makes it clear that it should only be applied in the clearest of circumstances.
An objection to the grant of a patent can be raised on the ground that a claimed invention is illegal where the patent specification discloses the primary use for the invention as one which is unlawful. In practice objections are usually only taken where an unlawful use, but no lawful use, of an invention has been disclosed. Some examples where this has been applied in the past include:
- in the UK, an invention that was refused on this basis was for an explosive safe designed to kill or injure a burglar; and
- in Australia, an invention for a method of producing chimeric embryos by employing inter-species nuclear transplantation techniques with respect to humans only was refused on the basis that it was contrary to the Prohibition of Human Cloning Act 2002 (Cth) which made it an offence to intentionally create embryos of this type.
In both cases, the patent specifications under consideration did not reveal a lawful use of the claimed invention.
In light of the above, it follows that there may be a ground for objection to the grant of a patent for biometric technology where the claimed invention describes a primary use of the invention which is unlawful or contrary to Australian data and privacy laws (and any other local law relevant to the use of the technology).
Approach to reduce risk of objections
To address the risk of section 50(1)(a) of the Patents Act being relied upon as a ground for objection to a patent for biometric technology it would be important to be able to demonstrate a use of the invention that is compatible with law, notwithstanding that there may be ways in which the invention could separately be used unlawfully.
In the context of Australian data protection and privacy laws this would be by ensuring that the invention is described in the patent specification in a manner that could potentially have lawful applications under the applicable laws. Careful drafting has a role to play.
Below sections of this article summarise some of the data protection and privacy laws in Australia which could be relevant to the application of biometric technology. Based on these laws, some general observations can be made.
The primary drafting concern for patents where biometric data is involved in the context of data protection and privacy laws, is ensuring the specification does not describe an invention in a way that precludes compliance with law. Use of biometric information is not inherently incompatible with privacy provided the relevant data protection and privacy laws are able to be complied with in use of the invention.
The key privacy requirements that ought to be in the focus of the patent drafter so as to ensure they are consistent with the working of the invention include:
- seeking consent for the collection and use of information;
- maintaining the information collected securely and using it only for the purpose for which it is collected; and
- keeping the information within Australia unless consent is obtained for overseas processing or access.
It is important that the patent specification does not describe a working of the invention that would not allow compliance with the obligations described above.
For example, collection and use of biometric data could be in breach of Australia privacy laws if the invention or the disclosure in the patent specification contemplates the following action being taken:
- If the information is to be collected and used without consent.
- If the information is to be used for a different purpose than it was collected for.
- If the information is to be handled or disseminated in a manner without concern for information security.
- If the information directs the user to participate in covert or passive collection of individuals' biometric information without their consent, participation, or knowledge.
- If information is to be automatically sent out of Australia for processing or access without the individual's to whom the data relates providing consent or without the user's knowledge.
Australian data protection and privacy laws relevant to biometric technology
Federal Privacy Act
Most of the focus in Australia on the regulation of privacy and data protection is on the Privacy Act 1988 (Cth) (Privacy Act). There are special classes of data like health information, telecommunications activity, workplace and other surveillance, spent criminal convictions and the like which are separately regulated. For completeness we list additional relevant legislation below to give an indication of the broad class of legislation that relates to collection and use of data in Australia.
The Australian Privacy Principles (APPs), established under the Privacy Act provide guidance as to how entities handle, use and manage personal information. The APPs cover:
- an individual having the option of transacting anonymously or using a pseudonym where practicable;
- the collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection;
- how personal information can be used and disclosed (including overseas);
- maintaining the quality of personal information;
- keeping personal information secure; and
- rights for individuals to access and correct their personal information.
Under the Privacy Act, biometric information (including biometric templates) will usually be considered to be sensitive information, for example where facial biometrics reveal information about a person's racial or ethnic origin, or biometric templates which are deemed to be "sensitive information" (See s 6(1) Privacy Act) for which higher protections relating to collection and use apply in comparison to other personal information for example, see APPs 3, 6 and 7 with several examples below:
- an APP entity may only solicit and collect sensitive information if the collection of the sensitive information is reasonably necessary for one or more of the entity's functions or activities and where the individual consents to the sensitive information being collected (APP 3.3)
- APP 7.4 provides that an organisation may use or disclose sensitive information for the purpose of direct marketing only if the individual has consented to the use or disclosure for that purpose.
In addition to the Privacy Act there is also state based legislation which may be relevant to biometric information.
By way of example, in New South Wales there are additional state-based laws relating to covert collection of information which may apply to a proposed use of biometric technology:
Surveillance Devices Act 2007
7 Prohibition on installation, use and maintenance of listening devices
(1) A person must not knowingly install, use or cause to be used or maintain a listening device—
(a) to overhear, record, monitor or listen to a private conversation to which the person is not a party, or
(b) to record a private conversation to which the person is a party.
Workplace Surveillance Act 2005
10 Notice of surveillance required
(1) Surveillance of an employee must not commence without prior notice in writing to the employee.
Other Australian laws that could impact on biometric technology include:
- Privacy Act 1988
- Telecommunications Act 1997
- National Health Act 1953
- Crimes Act 1914
- The Healthcare Identifiers Act 2010
- Personally Controlled Electronic Health Records Act 2012
New South Wales
- Privacy and Personal Information Protection Act 1998
- Health Records and Information Privacy Act 2002
- Criminal Records Act 1991
- Surveillance Devices Act 2007
- Workplace Surveillance Act 2005
- Telecommunications (Interception and Access) (New South Wales) Act 1987
- Crimes (Forensic Procedures) Act 2000
- Privacy and Data Protection Act 2014
- Health Records Act 2001
- The Charter of Human Rights and Responsibilities Act 2006
- Surveillance Devices Act 1999
- Telecommunications (Interception) (State Provisions) Act 1988
- Human Rights Act 2019
- Information Privacy Act 2009
- Right to Information Act 2009
- Criminal Law (Rehabilitation of Offenders) Act 1986Invasion of Privacy Act 1971
- Private Employment Agents (Code of Conduct) Regulation 2005
- Surveillance Devices Act 2016
- Listening and Surveillance Devices Act 1972
- Telecommunications (Interception) Act 1988
- Health Services (Conciliation and Review) Act 1995
- Spent Convictions Act 1988
- Surveillance Devices Act 1998
- Telecommunications (Interception) Western Australia Act 1996
- Personal Information Protection Act 2004
- Annulled Convictions Act 2003
- Listening Devices Act 1991
- Telecommunications (Interception) Tasmania Act 1999
- Information Act 2002
- Criminal Records (Spent Convictions) Act 1992
- Surveillance Devices Act 2007
- Telecommunications (Interception) Northern Territory Act 2001
Australian Capital Territory
- Health Records (Privacy and Access) Act 1997
- Human Rights Act 2004
- Spent Convictions Act 2000
- Listening Devices Act 1992
Inventors of biometric technology should be aware that under Australian patent law there is a basis upon which a patent application can be refused in Australia if use of the claimed invention is contrary to laws, including Australian data protection and privacy laws.
To reduce the risk of objection to the grant of a patent it would be prudent to draft the patent specification in manner that does not describe the use of the invention in a way that would preclude compliance with the relevant laws.
To be able to undertake this exercise, in the context of data protection and privacy laws, it is important to first determine which data protection and privacy laws are likely to be relevant to the application of the invention claimed. In the case of biometric information this will at the very least, include the Privacy Act.
Following confirmation of the applicable data protection and privacy laws, the drafter of the patent specification will need to ensure that the invention described in the claims can be used in a manner which enables the applicable Australian data protection and privacy laws to be complied with. This will, in itself, require an understanding of the relevant obligations contained in the applicable laws.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.