Legal aspects of biometric data processing : current state of affairs. Dr. E. J. Kindt MIPRO 2015


Overview
- Introduction
- Biometric data and the legislator
  o Legal qualification
  o Consent and biometric data
  o PbD: Pseudonymous biometric identities
- Recent case law
- Some conclusions

Face facts?

Face facts?
- Biometric data allow identification, but laws usually specify identity controls
- Biometric data also increase the risk of surveillance: de-identification is very important where desirable
- Hence: biometric data processing is interfering? Under which conditions is it acceptable?

Face facts?
- Biometric data: sensitive data?
- Current definition, Directive 95/46/EC: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, (...) data concerning health or sex life (...): intention?
- Compare: CoE: DNA: use of only non-coding for identification

1.1 The nature of biometric data: legal qualification
Biometric data:
  o The Netherlands: HR 23.3.2010 LJN BK6331: facial images reveal racial information
  o United Kingdom: Murray v. Express Newspapers & Big Pictures (UK) Ltd 2007 (UK): photograph is sensitive personal data?

1.1 The nature of biometric data: legal qualification
  o Cons. Constitutionnel 22.3.2012 no. 2012-652 (Loi protection identité) (France): 6. (...) the creation of a biometric identity file covering almost the entire French population, whose characteristics make it possible to identify a person from his or her fingerprints, constitutes an unconstitutional infringement of the right to respect for private life; (...)
- Interference with fundamental rights to respect for privacy and data protection

1.1 The nature of biometric data: legal qualification
- Article 29 Working Party: are of a special nature. (...) Art. 29 WP (WP80)
- EDPS: sensitive
- Art. 29 WP: Very few EU Member States have data protection legislation which explicitly states that biometric data is sensitive data

1.1 The nature of biometric data: legal qualification
- New in Proposal 2012: data revealing racial or ethnic origin, political opinions, religious or (philosophical) beliefs, (...) genetic data or data concerning health or sex life (...)
- New in Proposal 2012: Biometric data in particular present specific risks
- EP amend. Proposal 2012: genetic or biometric data
European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11 final, 25.1.2012, 118 p.

1.1 The nature of biometric data: legal qualification
- EU Council: Art. 4 (11): 'biometric data' means any personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allows or confirms the unique identification of that individual, such as facial images, or dactyloscopic data
EU Council, 15395/14, 2012/0011 (COD), consolidated version of 21.4.2015

1.1 The nature of biometric data: legal qualification
- EU Council: Art. 33 (1): Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, damage to the reputation, [breach of pseudonymity], loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, the controller or the processor acting on the controller's behalf shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
EU Council, 15395/14, 2012/0011 (COD), consolidated version of 21.4.2015

1.1 The nature of biometric data: legal qualification
- EU Council: Art. 33 (2): data protection impact assessment referred to in paragraph 1 shall in particular be required in the following cases: (...) b) of personal data under Article 9(1) (...), biometric data or data on criminal convictions and offences or related security measures, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;
EU Council, 15395/14, 2012/0011 (COD), consolidated version of 21.4.2015

1.2 Consent and biometric data
- Dir. 95/46: Processing of sensitive data prohibited; but: exceptions:
  o explicit consent unless (!) MS prohibit
- Protection of Freedoms Act 2012 (UK), Chap. 2: (...) must ensure a child's biometric information is not processed unless (a) at least one parent of the child consents (...) (b) no parent of the child has withdrawn his or her consent, or otherwise objected, (...) (section 26 (3))
- But:
  o informed consent?
  o information about the risks?
  o accuracy?

1.2. Consent and biometric data
- New in Proposal 2012: Consent:
  1. burden of proof upon the controller
  2. presented distinguishable
  3. right to withdraw at any time
  4. no legal basis if there is a significant imbalance between the position of the data subject and the controller
- Cate, Cullen, Mayer-Schönberger, Data Protection Principles for the 21st Century. Revising the 1980 OECD Guidelines, December 2013
- for reasons of substantial public interest by MS law or DPA decisions, subject to suitable safeguards
- Consent is not the solution

1.3. PbD: Multiple Pseudonymous Biometric identities
- Irreversible, revocable, unlinkable, multiple biometric identities
  o ISO/IEC 24745:2011 Information technology - Security techniques - Biometric Information Protection, 15.6.2011
  o Scientific research and deployment in practice
- EP amend. Proposal 2012: Pseudonymous data means personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution
- Fingerprint without name?? Is not pseudonymous!

1.3. Turbine recommended Best Practices
Design and Architecture - Enrolment - Deployment
- BP No. 1. Functionality of the biometric IdM system: use of verification mode only
- BP No. 2. User control
- BP No. 3. Multiple identities and pseudonyms
- BP No. 4. Revocation and reissuance
- BP No. 5. Credential/Identity check
- BP No. 6. Deletion of samples and original templates
- BP No. 7. Use of privacy enhancing technologies
- BP No. 8. Transparency and additional information
- BP No. 9. Accuracy, fall back procedure and appeal
- BP No. 10. Organization, Security & Certification

2. Recent case law
ECtHR P.G. and J.H. v. the United Kingdom (2001):
- About recording of data and the systematic or permanent nature of the record
- A permanent record of a person's voice for further analysis is of direct relevance to identifying that person when considered in conjunction with other personal data.
- The recording of the applicants' voices for such further analysis amounts to interference with the right to respect for their private lives (§ 59-60)

2. Recent case law
ECtHR S. and Marper v. UK (2008):
- fingerprint records constitute (...) personal data (...) which contain certain external identification features (§ 81)
- fingerprints objectively contain unique information about the individual concerned, allowing his or her identification with precision in a wide range of circumstances. They are thus capable of affecting his or her private life and the retention of this information without the consent of the individual concerned cannot be regarded as neutral or insignificant (§ 84)

2. Recent case law
ECHR S. and Marper v. UK (2008):
- fingerprints were initially taken in criminal proceedings and subsequently recorded on a national database with the aim of being permanently kept and regularly processed by automated means for criminal-identification purposes.
- the retention of fingerprints constitutes an interference with the right to respect for private life (§ 86)

2. Recent case law
ECHR S. and Marper v. UK (2008):
- Biometric data processing is interfering and requires balancing (law - legitimacy - proportionality)
- Use of modern scientific techniques (§ 112)
- legislation allowing for their indefinite retention, despite the acquittal of the former and the discontinuance of the criminal proceedings against the latter.
- The Court must consider whether the permanent retention of fingerprint and DNA data of all suspected but unconvicted people is based on relevant and sufficient reasons (§ 114) (legitimacy)

2. Recent case law
ECHR S. and Marper v. UK (2008):
- remains whether such retention and storage is proportionate and strikes a fair balance between the competing public and private interests (proportionality test sensu stricto)
- blanket and indiscriminate nature of the power of retention (§ 119)
- the risk of stigmatisation - right to presumption of innocence
- the retention at issue constitutes a disproportionate interference with the applicants' right to respect for private life and cannot be regarded as necessary in a democratic society (§ 122-126)

2. Recent case law
Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States, as amended by Regulation (EC) No 444/2009
ECJ C-291/12 decision Schwarz v. Bochum, 2013:
  o constitutes a threat to the rights to respect for private life and the protection of personal data. Accordingly, it must be ascertained whether that twofold threat is justified
  o the contested measures pursue, in particular, the general interest objective of preventing illegal entry into the EU and are appropriate for attaining the aim of protecting against the fraudulent use of passports.

2. Recent case law
Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States, as amended by Regulation (EC) No 444/2009
ECJ C-446/12-449/12 Willems e.a., 16 April 2015:
- 45: to be used only for verifying the authenticity of the document or the identity of the holder
- 47: does not provide a legal basis for (...) databases in MS
- 48: It follows, in particular, that Regulation No 2252/2004 does not require a Member State to guarantee in its legislation that biometric data will not be used or stored by that State for purposes other than those mentioned in Art. 4(3)

2. More important recent (data protection) case law
- United Kingdom: Google v. Vidal-Hall [2015] EWCA Civ 311
  o tort for misuse of private information? (rather than confidential information)
  o EU Charter rights were relied upon to strike down UK legislation limiting the ability to sue for non-economic losses
- United States: Ct Appeal 2nd Circuit, Civil Libert. vs NSA, 7 May 2015: Sect. 215 Patriot Act unlawful (bulk collection of telephone metadata)

Role for the legislator
ECJ C-291/12 decision Schwarz v. Bochum, 2013, on preliminary questions:
- 46. (...) Next, in assessing whether such processing is necessary, the legislature is obliged, inter alia, to examine whether it is possible to envisage measures which will interfere less with the rights recognised by Articles 7 and 8 of the Charter but will still contribute effectively to the objectives of the European Union rules in question (...)
- Legislator shall take responsibility

Conclusions
- Need to acknowledge interfering and sensitive character of biometric data
- Consent not sufficient
- quid irreversible, revocable, unlinkable, multiple biometric identities?
- Need for legislative action with conditions and requiring safeguards for biometric data processing

Further reading
- European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11 final, 25.1.2012, 118 p.
- EU Council, 15395/14, 2012/0011 (COD), consolidated version of 21.4.2015, available at http://www.statewatch.org/news/2015/apr/eucouncil-dp-reg-4column-2015.pdf
- ECHR S. and Marper v. UK (2008)
- ECJ C-291/12 Schwarz v. Bochum, 2013
- ECJ C-446/12-449/12 Willems e.a., 16 April 2015
- and also: our Facebook report v. 1.2 (31.3.2015). See https://www.law.kuleuven.be/icri/en/news/item/icri-cir-advises-belgianprivacy-commission-in-facebook-investigation