The Australian court ruled that employees are allowed to refuse to provide biometric data to their employees. The ruling follows the lawsuit filed by Jeremy Lee getting fired from his previous job due to his refusal of providing his fingerprint samples for the company’s newly installed fingerprint login system.
Jeremy Lee from Queensland, Australia, won a landmark case after he was fired from his job at Superior Wood Pty Ltd, a lumber manufacturer, in February 2018, for refusing to provide his fingerprints to sign in and out of his work, citing that he was unfairly dismissed from the company.
“Mr. Lee objected to the use of the scanners and refused to use them in the course of his employment, as he was concerned about the collection and storage of his personal information by the scanners and Superior Wood,” reads the suit.
“On February 12, 2018, Mr. Lee was issued with a letter of termination dismissing him from his employment on the grounds that he had failed to adhere to Superior Wood’s Site Attendance Policy,” it added.
Lee filed a suit with Australia’s Fair Work Commission in March 2018, saying that he owns the rights to the biometric data that is included in his fingerprints and he has the right to refuse from providing them to his employer under the country’s privacy laws.
“Mr. Lee was employed by Superior Wood as a regular and systematic casual employee. It is not contested, and I so determine that he had a reasonable expectation of continuing employment with Superior Wood on a regular and systematic basis. Mr. Lee’s annual earnings were less than the high-income threshold amount. Mr. Lee is protected from unfair dismissal under s.382 of the Act,” the case file reads.
However, during the first assessment of the case by the commissioner who examined the complaint, Lee’s suit was denied, and the commissioner sided on Superior Woods.
“I’m not comfortable providing my fingerprints to the scanner so I won’t be doing it at this stage,” said Lee in a testimony.
“I am unwilling to consent to have my fingerprints scanned because I regard my biometric data as personal and private.
If I were to submit to a fingerprint scan time clock, I would be allowing unknown individuals and groups to access my biometric data, the potential trading/acquisition of my biometric data by unknown individuals and groups, indefinitely,” reads Lee’s affidavit.
The rejection did not stop Lee from pursuing his right as he took it upon himself to represent himself in an appeal to the commission on November 2018. The appeal made by Lee directly challenges the country’s privacy laws and has opened a discussion on biometric data.
Good news came May 1, 2019, when the commission ruled in favor of Lee’s petition, affirming that he has the right to refuse to provide the company with his biometric data and that his dismissal from his position was unjust.
“We accept Mr. Lee’s submission that once biometric information is digitized, it may be very difficult to contain its use by third parties, including for commercial purposes,” case documents state.
The case of Lee is a first in Australia. While it did not change the law, it opens a new perspective on the ownership of biometric information like fingerprints and facial recognition and reinterpreted privacy laws on how they will apply to data like these.
The news about Lee’s case and the Australian court’s ruling comes after a popular biometrics service company, Biostar, fell into a massive data leak that exposed data from enterprises, banks and other financial institutions, and even the Metropolitan Police in the UK.
The researchers, who disclosed the data leak on Wednesday, said that “huge parts of Biostar 2’s database are unprotected and mostly unencrypted.”
More than 27.8 million records that comprise more than 23GB of data were leaked through the Biostar 2 database. These data belong to all the clients of the security and biometric company and include one million fingerprint records, images of users and linked facial recognition data, records of entry to secure areas, confidential employee information, user security levels and clearances, personal data of employees like emails and home address as well as their mobile device records.
The data breach highlights the importance of biometric data and how massive the implication when these kinds of sensitive information are leaked.
“The fact that this biometric data was stored plainly and not in hashed form raises some serious concerns and is unacceptable. Biometrics deserve greater privacy protections than traditional credentials, they’re part of you, and there’s no resetting a fingerprint or face. Once fingerprint and facial recognition data are leaked or stolen, the victim can never undo this breach of privacy. The property that makes biometrics so effective as a means of identification is also its greatest weakness,” said Kelvin Murray, senior threat research analyst for Webroot in an email to Z6Mag.