e-ID card and data protection: A field of controversy or the path for good governance? Athina Antoniou and Lilian Mitrou 4th International Conference on Informational Law Thessaloniki, May 20-21, 2011

Issues e-ID cards as a tool for e-government The qualitative differentiation of using biometrics as identifiers The legal concerns : e-ID cards and the holder’s right to privacy The applicable legal framework The Greek case Conclusions

e-ID cards as a tool for e-government Secure e-government transactions Enhanced security and public safety Supporting innovative forms of citizens’ participation: e- voting The potential of using unique identifiers for efficient e- government services

“I am identified via what I am” Biometrics The requirements Universality Uniqueness Permanency The permanent link Biometric features cannot be forgotten or lost The differentiation The person’s identification and authentication is based on physiology features “I am identified via what I am” The methods Fingerprints Digital face recognition Iris scan Hand geometry

e-ID cards and the holder’s right to privacy Do e-ID cards represent per se an actual interference in the holder’s rights? Linkability via unique identifiers Function creep Profiling and social sorting Collection of data beyond the necessary Central storage – deposits of data Biometrics vs. Privacy? The contravention with the principle against self – incrimination and the principle of proportionality The trust “gap” Do biometrics lie?

The applicable legal framework The principle of finality : requirement for specified, explicit and legitimate purposes The principle of proportionality : balancing the public interest and the person’s right to privacy The establishment on legal basis : the determination of the purposes

e-ID cards : the legal approach The principle of proportionality Collecting and storing only the adequate, relevant and necessary data No raw biometrics storage Template encryption Non- central storage Balancing for the less privacy – pervasive biometric in additional use with other identifiers Accurate and up- dated data for no longer than necessary The principle of finality No merging databases No vague purposes e.g. public interest in general Ex ante known purposes No proactive data collection and storage How? The use of domain - specific identifiers : different identifiers for different public sector aspects, The benchmark of the Austrian framework

e-ID cards : the legal approach The legal basis The legal basis of the individual’s consent: Is the consent necessary? The determination of the persons / institutions with access rights via the determination of the purposes Who : the persons / institutions with access rights Where : to which data Why : for which purposes

The Greek case Greece’s legal framework The approach The Constitutional right to data protection (Art. 9A) The Constitutional additional legal basis for data protection : - the respect for human dignity (Art.2 par.2) - the persons’ right to develop freely their personality (Art. 5 par. 1) - the persons’ right to protect private and family life (Art. 9) The use of domain – specific identifiers The framework with regard to the interconnection of files : the requirement for “interconnection permit” for using a single code number under the Article 8 of the Greek Data Protection Law (2472/97) The approach The issuance of e-ID card with domain – specific identifiers in compliance with the relevant framework

Is the framework adequate ? E-ID card and data protection: A field of controversy or the path for good governance? Non of the above, it depends on the framework! A adequate level of privacy protection : How ? Domain specific identifiers Collect and process only the necessary data Establishment on a legal basis Strong privacy policy and re-evaluation of technical and privacy standards Enhance trust by informing citizens

Thank you for your attention!