Biometrics from a legal perspective dr. Ronald Leenes

Similar documents
Hong Kong General Chamber of Commerce Roundtable Luncheon 13 April 2016 Collection and Use of Biometric Data

COMP Article 1. Article 1 Subject matter and objectives

Biometrics: The Future of Banking?

Legal aspects of biometric data processing : current state of affairs. Dr. E. J. Kindt MIPRO 2015

DATA PROTECTION (JERSEY) LAW 2018

DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. of 24 October 1995

Opinion 3/2012 on developments in biometric technologies

Law Enforcement processing (Part 3 of the DPA 2018)

5418/16 AV/NT/vm DGD 2

Policy Framework for the Regional Biometric Data Exchange Solution

CPSC 467b: Cryptography and Computer Security

SUMMARY INTRODUCTION. xiii

Recommended Practice 1701 l

European Data Protection Supervisor Transparency in the EU administration: Your right to access documents

PROTECTION OF PERSONAL INFORMATION ACT NO. 4 OF 2013

International Biometrics & Identification Association

16 March Purpose & Introduction

European Data Protection Supervisor Your personal information and the EU administration: What are your rights?

ARTICLE 29 Data Protection Working Party

Biometrics: primed for business use

LAW OF THE REPUBLIC OF ARMENIA ON PROTECTION OF PERSONAL DATA CHAPTER 1 GENERAL PROVISIONS

An overview of the European approach to the cross-jurisdictional and societal aspects of biometrics

EUROPEAN DATA PROTECTION SUPERVISOR

THE DATA PROTECTION BILL (No. XIX of 2017) Explanatory Memorandum

***I DRAFT REPORT. EN United in diversity EN 2012/0010(COD)

ELECTRONIC DATA PROTECTION ACT An Act to provide for protection to electronic data with regard to the processing of electronic data in Pakistan

LEGISLATION. The "BIOMETRIC AND SOCIAL SECURITY NUMBER RELIGIOUS EXEMPTION ACT"

Purpose specific Information Sharing Agreement. Community Safety Accreditation Scheme Part 2

A Legal Overview of the Data Protection Act By: Mrs D. Madhub Data Protection Commissioner

THE GENERAL ASSEMBLY OF PENNSYLVANIA HOUSE BILL

SUBSIDIARY LEGISLATION DATA PROTECTION (PROCESSING OF PERSONAL DATA IN THE POLICE SECTOR) REGULATIONS

Data Protection Policy. Malta Gaming Authority

EUROPEAN DATA PROTECTION SUPERVISOR

GENERAL PROTOCOL FOR SHARING INFORMATION BETWEEN AGENCIES IN KINGSTON UPON HULL AND THE EAST RIDING OF YORKSHIRE

Fragomen Privacy Notice

T he European Union s Article 29 Data Protection

[To be published in THE GAZETTE OF INDIA, EXTRAORDINARY, Part II, Section 3, Sub-section (i) of dated the , 2011]

THE PROCESSING OF PERSONAL DATA (PROTECTION OF INDIVIDUALS) LAW 138 (I) 2001 PART I GENERAL PROVISIONS

EUROPEAN PARLIAMENT COMMITTEE ON CIVIL LIBERTIES, JUSTICE AND HOME AFFAIRS

LATEST IN BIOMETRIC TECHNOLOGY IN THE SERVICE OF TRAVEL SECURITY. Presented By: Cristian Morosan - University of Houston

STATOIL BINDING CORPORATE RULES - PUBLIC DOCUMENT

Why Biometrics? Why Biometrics? Biometric Technologies: Security and Privacy 2/25/2014. Dr. Rigoberto Chinchilla School of Technology

Adopted on 23 June 2005

PRIVACY POLICY. 1. OVERVIEW MEGT is committed to protecting privacy and will manage personal information in an open and transparent way.

EDPS Opinion 7/2018. on the Proposal for a Regulation strengthening the security of identity cards of Union citizens and other documents

PRESENTATION TITLE. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Identity Verification in Passport Issuance

General Rules on the Processing of Personal Data SCHEDULE 1 DATA TRANSFER AGREEMENT (Data Controller to Data Controller transfers)...

Spring Conference of the European Data Protection Authorities, Cyprus May 2007 DECLARATION

DATA SHARING AND PROCESSING

EUROPEAN UNION. Brussels, 3 February 2006 (OR. en) 2005/0182 (COD) PE-CONS 3677/05 COPEN 200 TELECOM 151 CODEC 1206 OC 981

PRIVACY IMPLICATIONS OF BIOMETRIC DATA. Kevin Nevias CISSP, CEH, CHFI, CISA, CISM, CRISC, CGEIT, CCNA, G /20/16

Meijers Committee standing committee of experts on international immigration, refugee and criminal law

Principles and Rules for Processing Personal Data

Adequacy Referential (updated)

The Act on Processing of Personal Data

ARTICLE 29 Data Protection Working Party

SKILLSTAR 2018 NONPROFIT KFT. DATA PROTECTION POLICY

4/2/14. Who are you?? Introduction. Person Identification. How are people identified? People are identified by three basic means:

1. What sort of passenger information will be transferred to US authorities?

The public consultation consisted of four different questionnaires targeting respectively:

Biometrics in Border Management Grand Challenges for Security, Identity and Privacy

1/10/12. Introduction. Who are you?? Person Identification. Identification Problems. How are people identified?

Personal Data Protection Act

8557/16 SHO/ra 1 DGD 2

6153/1/18 REV 1 VH/np 1 DGD2

SCHEDULE 1 DATA TRANSFER AGREEMENT (Data Controller to Data Controller transfers)... 16

Opinion 07/2016. EDPS Opinion on the First reform package on the Common European Asylum System (Eurodac, EASO and Dublin regulations)

13462/18 BN/cr 1 JAI.1 LIMITE EN

IDEMIA Identity & Security. Providing identity assurance to. secure & simplify lives N.A.

CHAPTER [INSERT] DATA PROTECTION BILL Acts [insert] ARRANGEMENT OF SECTIONS PART I PART II

The legal framework and guidance on data protection under the. Cross-border ehealth Information Services (CBeHIS) T6.2 JAseHN draft v.2 (20.10.

State Data Breach Laws

BASECONE DATA PROCESSING AGREEMENT (BASECONE AS PROCESSOR)

This tutorial also provides a glimpse of various security issues related to biometric systems, and the comparison of various biometric systems.

COMMUNICATION FROM THE COMMISSION. On the global approach to transfers of Passenger Name Record (PNR) data to third countries

Having regard to the opinion of the European Economic and Social Committee ( 1 ),

Constitutional Rights and New Technologies: (how to) keep the Constitution up-to-date

CCTV Code of Practice

Interest Balancing Test Assessment regarding data processing for the purpose of the exercise of legal claims

Selection procedure at the European Ombudsman's Secretariat

Privacy International's comments on the Brazil draft law on processing of personal data to protect the personality and dignity of natural persons

PE-CONS 71/1/15 REV 1 EN

Data Protection Bill [HL]

1. Delete the words and registration. 3. Delete the word person and substitute therefor the word individual.

Machine Readable Travel Documents: Biometrics Deployment. Barry J. Kefauver

FOUR SEASONS HOTELS BOGOTÁ PERSONAL DATA TREATMENT POLICY HOTELES CHARLESTON BOGOTÁ S.A.S.

INTERPOL s face programme for a safer world. Mark Branchflower Monday 17th March 2014

Act CXII of on the Right of Informational Self-Determination and on Freedom of Information 1 CHAPTER I GENERAL PROVISIONS. 1.

1 HB By Representative Williams (P) 4 RFD: Technology and Research. 5 First Read: 13-FEB-18. Page 0

DATA PROTECTION LAWS OF THE WORLD. Colombia vs Germany

Bali Process Ad Hoc Group Workshop on Biometrics for Identity Integrity in Immigration India April 2012

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April on the protection of natural persons

GDPR in access control and time and attendance systems using biometric data

1 SB By Senators Orr and Holley. 4 RFD: Governmental Affairs. 5 First Read: 13-FEB-18. Page 0

TEXAS DEPARTMENT OF PUBLIC SAFETY 5805 NORTH LAMAR BOULEVARD POST OFFICE BOX 4087, AUSTIN, TX /

HOW CAN BORDER MANAGEMENT SOLUTIONS BETTER MEET CITIZENS EXPECTATIONS?

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

General Data Protection Regulation

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. amending Regulation (EU) 2016/399 as regards the use of the Entry/Exit System

Transcription:

Biometrics from a legal perspective dr. Ronald Leenes TILT - Tilburg Institute for Law, Technology, and Society

outline introduction biometrics, use legal aspects privacy/data protection biometrics as a privacy safeguard PRIVIUM discussion

biometrics biometric indicator: any human physiological or behavioural feature that can be measured and used for the purpose of automated or semi-automated verification or identification

biometrics physiological height, weight, face iris, retina, fingerprint, facial image, ear geometry, behavioural voice, signature, gait, keystroke sequence, DNA? not externally observable

biometric uses verification are you who you claim to be? one-to-one centralised, decentralised identification who are you? one-to-many central database

secondary use screening are you on my watch list? one-to-many resembles identification

users, some examples fingerprint facial recognition private sector notebooks Axsionics card German banks public sector Eurodac NY State Ontario Super Bowl XXXV EU passports iris PRIVIUM PRIVIUM

legal requirements?

regulation little specific legislation on biometrics private sector: consent based public sector: mainly law enforcement DNA, fingerprints when obligatory > new legislation e.g. passports Ontario social security case

general frameworks European Convention on Human Rights ECHR Directive 95/46/EC on protection of individuals with regard to the processing of personal data and on the free movement of such data EU Data Protection Directive

legal aspects human rights physical integrity privacy & data protection biometrics as a threat biometrics as a solution

biometrics: a privacy threat?

biometrics as a privacy threat source what do biometrics reveal? facial image source: race, gender, age template:? template http://mehr.sharif.edu/~ipl/fingerprintidentification.htm

biometrics as a privacy threat source template what do biometrics reveal? fingerprints source: Down syndrome, Turner syndrome, Klinefelter syndrome intestinal pseudo-obstruction, breast cancer, Rubella syndrome homo-sexuality template: unlikely to reveal the above? http://mehr.sharif.edu/~ipl/fingerprintidentification.htm reported in: Hornung 2004

IRIS source: diabetes, arteriosclerosis, hypertension HIV misuse of alcohol and drugs race? template? http://www.kroeker.net/images reported in: Hornung 2004

do we need regulation?

privacy issues raw biometric data may reveal sensitive data biometrics are irrevocable identification requires central data storage some biometric data can be collected without the subject being aware

broader concerns power accumulation further use of existing data e.g. biometric passport do biometrics make the world safer? biometrics may lower privacy awareness trade fingerprints for faster burgers

hence, careful consideration: when and why to allow biometrics proper safeguards against misuse and requirements for use e.g. encrypted storage and transfer

privacy - The right to be left alone art. 8 (1) ECHR: Everyone has the right to respect for his private and family life, his home and his correspondence. dimensions spatial physical relational informational

article 8 (2) ECHR There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

95/46/EC EU data protection directive

regulating personal data usage 95/46/EC - EU Data Protection Directive defines rights and obligations with respect to processing of personal data

personal data art. 2 a: personal data any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental ( ) identity.

biometric personal data? is biometric data personal data? raw data - yes template - yes, unless: stored in a way that no reasonable means exist to identify data subject by data controller or any other person

95/46/EC - data protection directive concepts personal data principle of purpose principle of proportionality fair collection legitimate processing security measures sensitive data prior checking - notification

purpose and proportionality art. 6 (b) purpose/ finality personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes proportionality personal data must be adequate, relevant and not excessive in relation to purpose

purpose and proportionality test: can purpose be achieved in less obtrusive way? e.g. CNIL case - fingerprints excessive for school restaurant, hand shape is ok privacy preference: biometrics without leaving traces decentralised storage

fair collection art. 6 (a) personal data must be processed fairly and lawfully data subject must be informed of: purpose, identity of controller, further recipients of the data, whether reply is obligatory or voluntary, existence of access right to information exception: national security, defence

legitimate processing art. 7 data may be processed only if consent necessary for performance of a contract necessary for compliance with legal obligation protect vital interest of data subject performance of task in public interest legitimate interest of controller

security measures art. 17 appropriate security measures must be taken to protect personal data against unlawful destruction or accidental loss, alteration, unauthorized disclosure or access especially where processing involves networks

security measures risks: enrolment data transmission raw data reversible templates profiling/monitoring id theft indisputable evidence

sensitive data art. 8 (1) member states shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life unless (2)

sensitive data art. 8 (2) consent obligations and right of controller (employment) vital interest of data subject (accident) organization members suitable safeguards

key points so far biometrics are compatible with 95/46/EC consider proportionality define purpose decentralized storage consent of data subject irreversible templates proper security measures

biometrics as a privacy safeguard

biometrics as privacy safeguard identification is privacy risk verification + credentials = privacy safeguard smart card for 18+ biometrics to verify requirement allows biometrics to be under constant control of data subject

cases PRIVIUM

cases: PRIVIUM Schiphol Airport Group priority services card convenient parking speed check in fast track border passage card contains card number, iris template, name, date and place of birth

border passage state function? border police (Koninklijke Marechaussee) performed by Schiphol Group card communicates date, time and personal data to border police on passage

enrolment Border Police employee checks passport Schiphol employee makes iris scan (2) issues card

compatible with 95/46/EC? proportionality purpose sensitive data fair information collection legitimate processing proper security measures prior checking with DP authorities

compliance with 95/46/EU? purpose and proportionality (art 6) fair collection (art 10/11) processing legitimate (art 7) security (art 17) stated border passage limited data set identity of controllers, purpose, address, recipients, right to access and rectify consent free and informed in writing encryption? enrollment in controlled environment prior checking (art 20) yes, even awarded price

questions is iris template only stored on card? which data is stored in the process? what data is communicated to border police? what is the legal relation between Schiphol Group N.V. Border Police?

discussion

do you subscribe to the privacy/data protection issues? can the requirements be met (in your context)? are the DP safeguards sufficient, or is additional regulation required?

Thank you for your attention dr. Ronald Leenes r.e.leenes@uvt.nl

reading list article 29 Data Protection Working party, Working document on biometrics, 12168/02/EN, WP80, http://europa.eu.int/comm/justice_home/fsj/privacy/docs/ wpdocs/2003/wp80_en.pdf JRC (IPTS), Biometrics at the Frontiers: Assessing the Impact on Society, report for the European Parliament Committee on Citizen s Freedoms and Rights, Justice and Home Affairs (LIBE), EUR 21585 EN, June 2005, http:// www.jrc.es Gerrit Hornung, Biometric Identity Cards: Technical, Legal, and Policy Issues, in S. Paulus, N. Pohlmann, H. Reimer (eds): Securing Electronic Business Processes, Vieweg (2004), 47-57 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281 of 23/11/1995, http:// europa.eu.int/comm/internal_market/privacy/law_en.htm

prior checking - notification central storage is discouraged member states can determine that processing operations likely to present risks to be examined by the data protection authorities

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback