Biometrics and the Challenge to Human Rights in Europe. Need for Regulation and Regulatory Distinctions

Abstract

This report calls for regulation. With biometric applications gradually rolling out in the public and private sectors, legislation, even detailed legislation, on the use of biometrics might make compliance with general data protection principles more likely than it is today. A regulatory distinction needs to be made between large-scale information systems at EU level and others. The former are in need of tailor-made data protection solutions and require (with every new system added or altered) a separate parliamentary and democratic debate. The latter are in need of guidance and best practices, which, once found, should be better enforced. Today, codification of best practices as developed by DPAs and other regulatory or supervisory authorities becomes a possibility. We see no good reason not to affirm that public or private controllers of data should not store raw data (because it is unique and therefore dangerous), should not collect fingerprints (because fingerprints leave traces and are not accepted by many), and should not store biometrics in a central database (there are alternatives); that they should encrypt biometric data used for processing, should use multiple authentications, and should offer alternative schemes of authentication when biometrics are requested on the basis of consent; and that they should, in case of a rejection resulting from a biometric system, be obliged to re-examine the case and, where necessary, offer appropriate alternative solutions. It is true that the technical possibilities of biometrics make its assessment complex, but by making the right regulatory distinctions this can be overcome.


Copyright information

© Springer-Verlag London 2013

Authors and Affiliations

  1. Vrije Universiteit Brussels (VUB-LSTS), Brussels, Belgium
  2. Tilburg University (TILT), Tilburg, The Netherlands
