Civil liability of software using biometrics on the grounds of Polish jurisdiction

1. Introduction

We live in a smartphone era, almost every of the latest smartphone model includes a fingerprint reader. Some models feature facial recognition systems (such as the latest Apple iPhone 8 smartphone, that will use such system) or iris scan (for instance Samsung Galaxy S8 has that system incorporated). As you can see, the use of biometric security in the smartphone market has become a common practice. Earlier, before smartphone manufacturers began using biometrics, it was “present” at airports, state borders, or in security systems. It is already a noticeable part of our everyday life, which makes it clear that in the future biometric security will be an important part of our daily lives. The use of biometrics in computer science opens up a new sphere in the use of sensitive personal data. What is biometry? What are its types? What about the data that it holds? Who is responsible for possible system failures? Finally, what legal regulations can apply to it?

2. Biometrics – the future that has come[1]

Biometrics is a technique that deals with the measurement of living organisms, using their physical and behavioural characteristics. The operation of biometric security, in short, can be presented in three points:

• enrolment of specific physical or behavioural characteristics,
• storage of processed data mostly in code form,
• comparison of the stored pattern with the newly introduced pattern, e.g. comparing the reading from the fingerprint reader to the stored fingerprint pattern.

3. Types of biometric security[2]

Biometrics is used in a variety of security systems. Among them, we can distinguish a few basic types:

• handwriting – although it is not so difficult to forge someone’s writing, this is an effective verification method, because biometrics, in this case, focuses on how the person writes, including how much force a person presses on a pen how fast he writes when adds dots and commas, etc.,
• analysis of the voice sample, in particular the speed of speech, intonation,
• iris scanning,
• fingerprint comparison,
• vein geometry,
• gait analysis.

4. Is our personal data secure?

Biometric systems, in order to operate, store our data. Article 23 of the Polish Civil Code states that: “The personal interests of a human being, in particular health, freedom, dignity, freedom of conscience, name or pseudonym, image, privacy of correspondence, inviolability of home, and scientific, artistic, inventive or improvement achievements are protected by civil law, independently of protection under other regulations.” Due to the fact that it is a non-exhaustive directory, it is possible to include sensitive data to the personal interests  which are protected. Because even Polish Supreme Court judges point out that whether a particular good of man is his personal interests depends on many factors, among them listed i.a. level of technological development[3].

Above all, however, this data belongs to the so-called sensitive data. Article 27, para. 1 of the Polish Data Protection Act contains an exhaustive list of data considered sensitive: “The processing of data, which divulge racial or ethnic origin, political views, religious of philosophic beliefs, religious, party or trade union adherence, likewise data on the state of health, genetic code, addictions, or sexual life and data concerning sentencing, pronouncements on the imposition of punishment and fines and other pronouncements issued in court or administrative proceedings, is hereby forbidden.” Biometric data has not been included in this list, but it will soon change, because the General Regulation on the Protection of Personal Data of the European Parliament and of the Council (EU) in Art. 9 contains an exhaustive sensitive data list, in which i.a. biometric data are listed: “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.” Processing of sensitive data is only possible under certain circumstances and conditions specified in the regulation. What if the sensitive data is stolen? Who is responsible then?

5. Claims in case of violation of personal rights

Article 24 of the Polish Civil Code lists the means by which the injured party can claim in the case of a threat or violation of his personal interests. First of all, he may demand that the actions be ceased unless they are not unlawful. In addition, he may also demand that the person committing the infringement perform the actions necessary to remove its effects, in particular that the person make a declaration of the appropriate form and substance. On the terms provided for in this Code, he may also demand monetary recompense or that an appropriate amount of money be paid to a specific public cause. These regulations do not interfere with other rights under other acts, in particular copyright act and industrial property law.

            The role of the plaintiff (any end user who makes available his / her biometric data) is to prove the existence of personal interests and the threat or infringement of that good. In turn, the defendant (the person responsible for misuse of the biometric system) must prove that the infringement was not unlawful. In the case of unlawful infringement of personal interests, the aggrieved party may demand monetary compensation or that an appropriate amount of money be paid to a specific public cause. This provision refers to Art. 445 and 448 of the Polish Civil Code. Article 448 defines the protection of personal interests by assets states that in the case of infringement of personal interests, the court, as monetary recompense for the harm suffered, may award an appropriate amount or may, at his demand, award an appropriate amount of money to be paid for a social cause chosen by him. This redress is awarded irrespective of other means necessary to remove the effects of the infringement. This provision acts as a general rule for infringements of any personal interests in relation to the provisions of other laws on specific infringements. An exemplary regulation from other law is art. 83 of Polish Copyright Act and related to him art. 78 par. 1 of Polish Copyright Act. Article 83 contains regulations on claims for dissemination of images and dissemination of correspondence without the required authorization. Art. 78 par. 1 copyrights define how to enforce your rights. The redress under art. 448 of the Polish Civil Code is possible in the case where the harm has arisen, that is “(…) non-material damage caused by a violation of personal interests, consisting in physical ailments and psychological suffering of the victim[4].” To give an example: situation when during the fingerprint scanning, a failure occurred and we were burned or the iris was damaged while scanning it by security system using biometrics.

In the case of misuse of biometric data causing damage and in the situation of redress based on the general principles of civil law, based on the abovementioned right of protection of personal rights, the determination of the legal person responsible for unlawful use of biometric data (defendants) may be difficult to identify and depend on the individual case. This is due to the multiplicity of entities manufacturing a finished hi-tech product that processes biometric data. Responsibility for the infringement may therefore be borne by the entity creating the application, which processes the biometric data in the device; the entity responsible for marketing the finished device to the end-user. In this regard, the mechanisms to protect consumer trade may be helpful, but this is open, as unlawful processing of biometric data can also occur as a result of unlawful activity by third parties, i.e. unrelated to the marketing of such a device on the consumer market.

6. Definition of hazardous product in Polish law.

Both the definition and the regulations governing the issue of hazardous product in the Polish legal system can be found in the Act of 23 April 1964 Civil Code (Journal of Laws No. 1964 No. 16 item 93). More precisely, these are articles 449¹ to 449¹¹.

The legislator in the Civil Code states that a hazardous product in the Polish legal system can only be recognized as a movable good. This allows – a contrario – claim that a property, defined in art. 46¹, cannot be regarded as a hazardous product. A hazardous product may also be a movable good that has been combined with another thing, and also an animal or electric energy in relation to which the Code’s regulations, by analogy, applies.

Having already imagined what kind of thing can be considered as a hazardous product, it is necessary to determine the moment when the movable good is considered as hazardous. The product is unsafe if it is not able to provide, under the circumstances, the user required safety, even if it is used in accordance with its intended use. In the most simple of words, the product is hazardous when it is not safe for its normal user experience. A defect is a feature which de facto constitutes good as a hazardous product. A product which has a defect cannot fulfil its primary function for which it was manufactured. The inherent defect poses a risk of danger to the user.

In reference in abovementioned information it is worth mentioning that this defect cannot be understood colloquially, i.e. as a mechanical damage to a product resulting from its transport. The defect must be inside in the good when it is put on sale. This means that it had to be created during production. It is worth to note that the defect required to classify a product as hazardous does not need to be fully developed. It may happen that it will develop over time while using the product and only then the product will become hazardous to the user. Both doctrine and science distinguish three basic types of defects that a hazardous product may have. They are:

• An instructional defect – occurs when the production manager does not have the required knowledge of the good being manufactured,
• A production defect – is generated at the stage of production, it is a derivate of errors that occurred at this state, e.g. employee’s mistakes, inadequate selection of materials,
• A constructional defect – is created at the design stage, it is in the construction;

Analysing the problem of a hazardous product, it should be noted that the basis for recognizing a product as hazardous cannot be the launching of a similar, improved product. For example, launching a new improved model of mobile phone cannot be a reason to recognize a previous phone as a hazardous product.

7. Issues related to the classification of software products

Bearing in mind the above considerations, we may encounter a problem with classification of software, which is dedicated for computers or mobile devices, as a hazardous product. The most important obstacle to being able to qualify software as a hazardous product is its intangible nature. The Code’s regulations on liability for a hazardous product states explicitly that a dangerous product can only be a thing. Things are the material product which are isolated from the nature. In the case of software it is difficult to talk both about its separation from nature and about the material nature. Users can purchase a computer software which is available in the market in three forms:

• Fixed on data media,
• Installed on the device,
• As an integral part of the device;

In the first case, the software – theoretically – could be considered as a thing because in terms of functionality we have here to deal with material isolation of the product from nature as a data media (e.g. a CD). In the other two cases with such separation cannot be said.

Both doctrine and science assume that software which is installed on the device can be a source of risk to the user of the device. The classification of the device on which the software was installed as a hazardous product is not difficult. The current position of the doctrine is the rule that in the event of malfunctioning of software-using products, it is not relevant from the user’s point of view which product has a defect which presents a risk of injury. This means that the user does not have to wonder whether the defect has a device or software. The legal situation is simplified at this moment, which considered software-using product as a hazardous product.

8. The software-using product which uses a biometric data

The biometric data with the development of technology are becoming increasingly important. Their usefulness is visible especially in mobile devices such as smartphones and tablets. Their main use is to secure access to the device and to protect the various data stored there. The most popular biometric data used in mobile devices are: fingerprint and retinal scan.

A mobile device which uses the aforementioned biometric data can be hazardous to the user for two reasons. First, an application (software) which uses biometric data does not provide the required security for data protection. This means that user’s biometric data may be stolen from the application. Secondly, the process of reading biometric data through the device can be dangerous to the user. It may happen that during the collection of biometric data, due to a defect in the device, the user’s body can be injured (e.g. hand burn when taking fingerprints).

9. Product liability policies

It is assumed in Polish law that liability for a hazardous product is a tort liability, based on the principle of guilt. An illegal activity, that is a delict, will be the introduction to the trade of a good that has a defect and therefore a good that is dangerous to the user. The liability on the basis of guilt is based on the principle that the person who committed a wrongful act to deceased person, should bear the consequences and should be obliged to compensate the damage suffered by the user of the dangerous product

10. Who is responsible for the hazardous product?

The manufacturer is the most likely liability for a hazardous product. This principle is also expressed in the Civil Code in art. 449¹. He is responsible for the damage done to anyone by his product. To facilitate the investigation of manufacturer’s liability for liability for hazardous product, the legislator introduced in art. 449⁴ presumption that the hazardous product which caused the damage was manufactured and launched in the manufacturer’s economic activity. The proposed presumption excludes the need to prove this content by the victim. If hazardous product has not been manufactured by the manufacturer in the course of his business, then the manufacturer is obliged to prove that fact (art. 6).

The legislator in the Civil Code (Article 449⁵) also lists entities that will be responsible for the hazardous product in the situations indicated in the regulations. The liability of these entities will be analogous to the responsibility of the manufacturer.

As the first, analogous to the manufacturer, will be the producer of the material, the raw material or the component of the product. However, they may exclude their liability by proving that the cause of the damage was the defective product design or the manufacturer’s instructions. Similarly to the manufacturer will also be responsible the entity that pretends to be manufacturer. Being a producer of a thing can be based on putting your name, trade mark on it. Also an importer, if he acquires a product abroad and places it on the domestic market in his business, may be held to liable for the hazardous product.

The legislator also dispels doubts as to when a producer of goods or an importer cannot be identified. In this case, the person responsible for the hazardous product is the person who sold the product to the injured person as the last person in business. He may be released from liability if he / she advises the injured party the name and the address of the manufacturer, importer or person from whom he / she purchased the product within one month of the date of the injury notification.

11. Who is entitled to claim damages?

Compared to the person who is obliged to repair the damage, the problem of the entity which has the claim for compensation is much simpler. First of all it is worth pointing out that the claim for compensation for damage resulting from the use of a product that has been hazardous does not belong solely to its owner, and therefore to the person who purchased it. The circle of entities entitled to assert their rights is much broader. Of course, the owner of the product is most often cited as the person who can claim his / her claim, since it is assumed that he / she is most likely to come into contact with the product. However, the law provides that any person who, due to malfunction of the product, has suffered may has a claim for compensation for damage caused by the hazardous product. This means expanding the circle of entities that may be considered injured. Each victim is entitled, ex lege, to claim damages for the damage suffered as a result of the use of the hazardous product.

12. Exclusion of manufacturer’s responsibility

The manufacturer, as well as the other designated parties, may exclude their responsibility for the hazardous product. In order to do so, there must be legally defined circumstances governed by Art. 449³. First and foremost, the manufacturer will not be liable for damage caused by a hazardous product if it has not been placed on the market or when its placing on the market has fallen outside its sphere of business. An example of such a situation may be, for example, theft of products from the manufacturer’s production hall and the placing on the market by thieves. The exclusion of producer liability will also apply where the hazardous features of the product have arisen after placing on the market (unless they are the result of a defect in the product). The manufacturer’s liability will also be excluded if (given the current state of the art and technology, or where the product’s properties result from the application of the law), he could not have predicted that the manufactured product could be dangerous at the time of placing it on the market.

13. Damage caused by a hazardous product

Damage is one of the prerequisites for liability for a hazardous product. It is assumed that a hazardous product can cause two types of damage: personal injury and property damage (dichotomous division of damages).

Personal injury means that the product causes harm to the health, the body or life of the injured person. Liability for personal injury cannot be excluded or limited. The obligations imposed on the manufacturer for personal injury are governed by art. 444 and so on. First of all, his obligations may include:

• Coverage of medical costs,
• Coverage the costs of preparing for another occupation (in the case of invalidity),
• Paying the appropriate pension,
• Payment of appropriate compensation,
• Coverage of funeral costs,
• Observe the maintenance obligations imposed on him for the death of the victim.

Damage in property includes the liability of the manufacturer for damage victim’s property, such as the destruction of goods. The liability for damage to property, as compared to liability for personal injury, is limited. The manufacturer will be obliged to compensate for the suffered damage only if the damaged or damaged item was intended for personal use and was thereby used by the injured person (Article 449²). In addition, the manufacturer is not obliged to pay the injured person compensation for the destroyed hazardous product. An important limitation on the compensation payment is the value of the damage. Article 449⁷ §2 establishes the principle that the manufacturer is not obliged to pay compensation if damage to property does not exceed the equivalent of 500 euros.

14. The software-using product which uses a biometric data – most common damages.

As mentioned above, the software-using product which uses a biometric data is usually a smartphone or a tablet. In software considerations, i.e. in this case the operating system or application, it has been said that the victim is not obliged to guess what has fallen into his device – whether the product or software is defective. The victim has the right to directly claim his claims from the device manufacturer.

Analysis of the complaints, the actual situation allows to distinguish several problems encountered by users of mobile devices, and which can be considered as a sine qua non condition to recognize the product as hazardous.

The first example will be the unauthorized use of data by the third party for the fault of entity which was responsible for the data. Users on their mobile devices store different data. Technology development is increasingly used as a protection of this data using biometric data of the user. Each person has his own individual biometric data. Hence it would seem that such a security cannot be broken. It turns out that it is different. Biometrics often serves as a protection for many applications dedicated to mobile devices. Very often these are payment applications, banking applications. Biometric data replaces the PIN number. However, a defective application or device may not guarantee the integrity of our data. Hence, it may happen that, despite this security, a third party’s will gain access to content that in fact was to remain protected.

Another example that can be listed is the risk of downloading, copying the user’s biometric data. When using the application for the first time, it collecting our biometric data and saves it as a specimen for future verification. Incorrect storage of the specimen of our biometric data may involve the risk of being stolen by third parties. Stealing and use of biometric data by unauthorized persons is a detriment to the person whose data is stolen.

The personal injury will be the last of the examples is a personal injury. It may happen that during the collecting of biometric data the user will be harmed. This can also be due to both the application and the biometric data readers installed in the device. The risk of such damage, given the current state of science and technology, is small but still occurring. The most common personal injuries which are resulted from the biometric retrieval process are finger burns.

15. Claims limitation

The claim for compensation for a hazardous product, like any property claim, is time-barred. This means that after expiry of the deadline which is specified in the Act –the injured party will not be able to claim compensation from the manufacturer. Article 449⁸ distinguishes two limitation periods. The first is 3 years and runs from the date the injured party learned or with due diligence he could learn about the damage and the person required to repair it. The second term is 10 years and runs from the moment the product is placed on the market

16. Summary

In summarizing the current considerations, it can be concluded that from a customer perspective, the problem of liability of the hazardous software-using product which uses a biometric data is not too complicated. The injured person can directly claim his claims from the manufacturer of device. Victim does not need to analyse what has a defect – an application or a device. This situation is unfavourable for manufacturers of mobile devices. They must be aware of the risk that, due to a faulty application, their product may be considered hazardous. Hence, it is imperative that manufacturers will make every effort to ensure that both device and software are free of defects. 

[1] How stuff works, access online 14.08.2017 http://science.howstuffworks.com/biometrics.htm

[2] Biometrics Institute: access online 23.08.2017 online: http://www.biometricsinstitute.org/pages/types-of-biometrics.html.

[3] Resolution of the 7 judges of Supreme Court, 16 July 1993, I PZP 28/93, LexisNexis no 300642, OSNCP 1994, no 1, pos. 2.

[4] A. Olejniczak, Commentary to art. 448 of the Polish Civil Code [in:] Civil Code. Commentary. Tom III. Commitments – general part, wyd. II, red. A. Kidyba.

 

If you are interested you can READ the presentation or you can WATCH the YouTube video.