Biometrics and Data Protection Dr. Yue Liu Forum rettsinformatikk 2011.

Presentation transcript:

Agenda
◦ Introduction to Biometric Technology
◦ Privacy Concerns at Different Stages
◦ Major Legal Sources and Crucial Legal Problems
◦ Sample Cases in Norway
◦ Findings and Recommendations

Introduction to Biometric Technology
Definition: the automatic recognition of individuals based on their behavioural and biological characteristics (ISO SC37 Harmonized Biometric Vocabulary).

Introduction to Biometric Technology
◦ Behavioural: voice, keystroke, gait, signature…
◦ Physiological: fingerprint, iris, facial, retina, palm…
◦ DNA? Not externally observable

Introduction to Biometric Technology
Verification (authentication):
◦ Are you whom you claim to be?
◦ One-to-one match
◦ Central or decentralized database
Identification:
◦ Who are you?
◦ One-to-many match
◦ Central database

Introduction to Biometric Technology
Function process of biometrics:
◦ Enrolment: Person → Measuring Device → Stored Template
◦ Matching: Person → Measuring Device → Live Template → (compared with Stored Template) → Matching Result

Introduction to Biometric Technology
EU and biometric applications:
◦ EURODAC
◦ SIS II
◦ VIS
◦ European Biometric Passports
◦ Other: entrance control etc.

Privacy Concerns at Different Stages
Enrolment:
◦ Quality: FR, FA
◦ Purpose, awareness, consent, data, responsibility, unnecessary collection, scale, data controllers
Storage:
◦ How? Location: central / local / token (irreversibility, linkability, security, cost, responsibility), PET
◦ What? Raw image / template (health information,

Privacy Concerns at Different Stages
Matching:
◦ Access / user authority
◦ Updating
◦ Spoofing, stolen templates, security, fallback procedures
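The one-to-one (verification) and one-to-many (identification) matching modes and the FR/FA quality trade-off from the slides above, worked through as an added toy example that is not part of the presentation; the identities, three-dimensional feature vectors, Euclidean distance metric and thresholds are constructed for illustration only and are not real biometric data.

```python
from math import sqrt

# Constructed enrolment templates (hypothetical identities, not real biometrics)
ENROLLED = {
    "alice": (0.10, 0.80, 0.30),
    "bob":   (0.90, 0.20, 0.60),
    "carol": (0.40, 0.40, 0.95),
}
# Constructed live samples: (live template, true identity, claimed identity)
SAMPLES = [
    ((0.12, 0.78, 0.33), "alice", "alice"),   # genuine, clean capture
    ((0.85, 0.25, 0.55), "bob",   "bob"),     # genuine, clean capture
    ((0.55, 0.30, 0.80), "carol", "carol"),   # genuine, noisy capture
    ((0.85, 0.25, 0.55), "bob",   "alice"),   # impostor, far from alice
    ((0.20, 0.70, 0.40), "dave",  "alice"),   # unenrolled impostor, near alice
]

def distance(a, b):
    """Euclidean distance between two feature vectors (lower = more similar)."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def verify(live, claimed_id, store, threshold):
    """1:1 match: only the claimed identity's template is consulted, so it
    could be held on a token by the data subject; no central lookup needed."""
    template = store.get(claimed_id)
    return template is not None and distance(live, template) <= threshold

def identify(live, store, threshold):
    """1:N match: every stored template is compared, which is why identification
    presupposes access to the whole (central) database. Returns best id or None."""
    best_id, best_d = None, float("inf")
    for ident, template in store.items():
        d = distance(live, template)
        if d < best_d:
            best_id, best_d = ident, d
    return best_id if best_d <= threshold else None

def error_rates(samples, store, threshold):
    """Return (false-reject rate, false-accept rate) for a verification threshold.
    Loosening the threshold lowers FR but raises FA; they cannot both be minimised."""
    fr = fa = genuine = impostor = 0
    for live, true_id, claimed_id in samples:
        accepted = verify(live, claimed_id, store, threshold)
        if true_id == claimed_id:
            genuine += 1
            fr += 0 if accepted else 1
        else:
            impostor += 1
            fa += 1 if accepted else 0
    return fr / genuine, fa / impostor
```

At a strict threshold of 0.1 the noisy genuine capture is rejected (FR 1/3, FA 0); at 0.3 every genuine user passes but the near-miss impostor is accepted (FR 0, FA 1/2), and in identification mode the same loosening turns "no match" into a wrong match against alice.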

Major Legal Sources of Data Protection
◦ OECD Guidelines
◦ EC: Convention 108, Data Protection Directive (95/46/EC; 97/66/EC; 2002/58/EC), Regulation (EC) No 45/2001
◦ EU: ECHR – Marper case

Crucial Legal Problems
ECHR art. 8(2) derogations: public and social interest; national security. How to apply? S and Marper v. UK:
1) Is there an interference with privacy?
2) In accordance with the law
3) Legitimate aim
4) Proportional, and margin of appreciation

Crucial Legal Problems
P.G. and J.H. v. UK: “private life considerations may arise…once any systematic or permanent record comes into existence of such material from the public domain.”
Peck v. UK: “the relevant moment was viewed to an extent which far exceeded any exposure to a passer-by or to security observation…and to a degree surpassing that which the applicant could possibly have foreseen when he walked in [the street]”

Crucial Legal Problems
Biometrics as personal data (anonymization):
◦ Personal data: any information relating to an identified or identifiable natural person (art. 2(a))
◦ An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, and mental (…) identity

Crucial Legal Problems
Biometrics as sensitive personal data:
◦ Health indication... which, how
◦ Racial related
◦ Linking and tracking ability
◦ Context-dependent

Crucial Legal Problems
“It is not sufficient to consider the grading this data element has been given in isolation; one must also take into account what information one thereby may connect to the nexus-person. This may provide a basis for data security deliberation: the submission of the key represents in itself a threat to the protection of highly sensitive information, an increased risk of undesired access to personal information.” ---- Bing, 1972 p

Crucial Legal Problems
Principle of proportionality (art ):
◦ Suitability, necessity and non-excessiveness
◦ Balancing test
◦ Least drastic means test
◦ Huber case, effectively applied: nature of purposes, availability and effectiveness of other alternatives, loss to the data subject, efficacy

Crucial Legal Problems
Principle of proportionality: European organizations’ opinions about proportionality and biometrics (Consultative Committee of Convention 108, WP29, EDPS)

Crucial Legal Problems
Proportionality in the biometric context:
◦ Biometric template / raw image
◦ Link with sensitive information
◦ Avoiding unnecessary storage
◦ Adequate, relevant and not excessive
◦ Storage length
◦ Type of biometrics
◦ Assessment of risks

Sample Cases in Norway
Principle of proportionality (DPAs). Article 12 of the Personal Data Act of Norway: “National identity numbers and other clear means of identification may only be used in the processing when there is an objective need for certain identification and the method is necessary to achieve such identification.”

Sample Cases in Norway
Reversed cases:
◦ Case 1: Tysvær Municipality
◦ Case 2: Esso Norge
Upheld cases:
◦ Case 3: Rema 1000
◦ Case 4: Oxigeno Fitness

Sample Cases in Norway
Data Inspectorate:
1. Actual objective need for ensuring identification, and the method is necessary for such identification
2. Articles 8, 9 and
3. Not meaningful to distinguish raw biometric image / template
4. Encryption is a security measure but not a decisive factor

Case Analysis: Identification and Authentication
Understanding the article:
1. PVN: interpretation of “identification method”: as a key, or used for authentication afterwards
2. Focus of article 12: necessary, “identification” in the general sense
3. Only identification is mentioned; this does not indicate that authentication is prohibited
4. Main purpose of the Personal Data Act

Case Analysis: Identification and Authentication
Is it necessary to differentiate between identification and authentication when regulating biometrics?
◦ What are the differences between identification and authentication where privacy is concerned?
◦ What will be the legal value of regulatory differentiation based on such differences? (The line between identification and authentication)

Sample Cases in Norway
Necessity. Data Inspectorate: “The requirement of necessity in the first paragraph will only be fulfilled when other or less accurate identification measures such as name, address or customer number are not sufficient. It is also important to consider the importance of such accurate identification for the user and what kind of consequences a mistake can cause. In addition, social need can also be considered.”

Sample Cases in Norway
◦ Tysvær: alternatives, smart card
◦ ESSO: consent and alternatives
◦ Rema 1000: alternatives and trust, balance of interests

Sample Cases in Norway
Storage:
◦ Tysvær: encrypted server and sensing device; authentication
◦ ESSO: central database too; live authentication
◦ Rema 1000: local terminal linked to network; identification and authentication
◦ Fitness: local database; identification

Sample Cases in Norway
Differentiate central storage and local storage?
“…storage of the biometric data by the data controllers is unfortunate, and should be avoided. Therefore it is unnecessary to differentiate between local or central storage.” ---- Datatilsynet, 2006
◦ Avoiding unnecessary storage: portable token / central storage
◦ Length of storage

Sample Cases in Norway
Consent:
“It is still uncertain what kind of policy should be adopted concerning the notice and consent requirements in the biometric context.” --- Datatilsynet, 2006
◦ Informed consent
◦ Possible alternative
◦ Unequal contract
◦ Suggestion: grading system
◦ Proportionality and consent

Main Findings and Recommendations
◦ Biometric data as a special category of personal data
◦ Article 12 should be reformulated
◦ Proportionality in the biometric context: benefits, risks, alternatives, inevitable need, choice of biometrics, storage location and length, purpose, identification and authentication, testing, quality control
◦ Informed consent, grading system

Other information: best practices in privacy guidelines
◦ FIDIS
◦ BITE
◦ PRIME
◦ Article 29 Working Party
◦ CEPS
◦ OECD
◦ European Commission

Thank you for your attention!