Legal aspects of biometric data processing : current state of affairs Dr. E. J. Kindt MIPRO 2015
Overview Introduction Biometric data and the legislator o legal qualification o Consent and biometric data o PbD: Pseudonymous biometric identities Recent case law Some conclusions 2
Face facts? 3
Face facts? Biometric data : allow to identify - but: laws usually specify identity controls Biometric data also increase risk of surveillance - de-identification very important where desirable Hence : biometric data processing is interfering? Under which conditions is it acceptable? 4
Face facts? Biometric data : Sensitive data? Current definition : Directive 95/46/EC: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, ( ) data concerning health or sex life ( ) intention? Compare: CoE: DNA use of only non-coding for identification 5
1.1 The nature of biometric data: legal qualification Biometric data : o The Netherlands: HR 23.3.2010 LJN BK6331: facial images reveal racial information o United Kingdom: Murray v. Express Newspapers & Big Pictures (UK) Ltd 2007 (UK) : photograph is sensitive personal data? 6
1.1 The nature of biometric data: legal qualification o Cons. Constitutionnel 22.3.2012 n 2012-652 (Loi protection identité) (France): 6. ( ) la création d'un fichier d'identité biométrique portant sur la quasi-totalité de la population française et dont les caractéristiques rendent possible l'identification d'une personne à partir de ses empreintes digitales porte une atteinte inconstitutionnelle au droit au respect de la vie privée ; ( ) Interference with fundamental rights to respect for privacy and data protection 7
1.1 The nature of biometric data: legal qualification Artikel 29 Working Party: are of a special nature. ( ) Art. 29 WP (WP80) - EDPS sensitive Art. 29 WP Very few EU Member States have data protection legislation which explicitly states that biometric data is sensitive data 8
1.1 The nature of biometric data: legal qualification New in Proposal 2012: data revealing racial or ethnic origin, political opinions, religious or (philosophical) beliefs, ( ) genetic data or data concerning health or sex life ( ) New in Proposal 2012: Biometric data in particular present specific risks EP amend. Proposal 2012: genetic or biometric data European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11 final, 25.1.2012, 118 p. 9
1.1 The nature of biometric data: legal qualification EU Council: Art. 4 (11): 'biometric data' means any personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual of that individual, which allows or confirms the unique identification such as facial images, or dactyloscopic data EU Council, 15395/14, 2012/0011 (COD), consolidated version of 21.4.2015 10
1.1 The nature of biometric data: legal qualification EU Council: Art. 33 (1): Where a type of processing in particular using new technologies, and taking into account the nature, their scope, context and or their purposes of the processing, is likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, damage to the reputation, [breach of pseudonymity], loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, the controller or the processor acting on the controller's behalf shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. EU Council, 15395/14, 2012/0011 (COD), consolidated version of 21.4.2015 11
1.1 The nature of biometric data: legal qualification EU Council: Art. 33 (2) : data protection impact assessment referred to in paragraph 1 shall in particular be required in the following cases: ( ) b) of personal data under Article 9(1) ( ), biometric data or data on criminal convictions and offences or related security measures, where the data are processed for taking measures or decisions regarding specific individuals on a large scale; EU Council, 15395/14, 2012/0011 (COD), consolidated version of 21.4.2015 12
1.2 Consent and biometric data Dir. 95/46: Processing of sensitive data prohibited; But: exceptions: o explicit consent unless (!) MS prohibit Protection of Freedoms Act 2012 (UK), Chap. 2 ( ) must ensure a child s biometric information is not processed unless (a) at least one parent of the child consents ( ) (b) no parent of the child has withdrawn his or her consent, or otherwise objected, (..) (section 26 (3)) But: - informed consent? - Information about the risks? - accuracy? 13
1.2. Consent and biometric data New in Proposal 2012: Consent :1. burden of proof upon the controller 2. presented distinguishable 3. right to withdraw at any time - 4. no legal basis if there is a significant imbalance between the position of the data subject and the controller Cate, Cullen, Mayer-Schönberger, Data Protection Principles for the 21st Century. Revising the 1980 OECD Guidelines, december 2013 for reasons of substantial public interest by MS law or DPA decisions, subject to suitable safeguards Consent is not the solution 14
1.3. PbD: Multiple Pseudonymous Biometric identities Irreversible, revocable, unlinkable, multiple biometric identities o ISO/IEC 24745:2011 Information technology Security techniques - Biometric Information Protection, 15.6.2011 o Scientific research and deployment in practice EP amend. Proposal 2012: Pseudonymous data means personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution Fingerprint without name?? Is not pseudonymous! 15
1.3. Turbine recommended Best Practices BP N 1. Functionality of the biometric IdM system Use of verification mode only Design and Architecture Enrolment Deployment BP N 2. User control BP N 3. Multiple identities en pseudonyms BP N 4. Revocation and reissuance BP N 5. Credential/Identity check BP N 6. Deletion of samples and original templates BP N 10. Organization, Security & Certification BP N 7. Use of privacy enhancing technologies BP N 8. transparency and additional information BP N 9. Accuracy, fall back procedure and appeal 16
2. Recent case law ECtHR P.G. and J.H. v. the United Kingdom (2001) : About recording of data and the systematic or permanent nature of the record A permanent record of a person s voice for further analysis is of direct relevance to identifying that person when considered in conjunction with other personal data. The recording of the applicants voices for such further analysis amounts to interference with the right to respect for their private lives ( 59-60) 17
2. Recent case law ECtHR S. and Marper v. UK (2008) : fingerprint records constitute ( ) personal data ( ) which contain certain external identification features ( 81) fingerprints objectively contain unique information about the individual concerned, allowing his or her identification with precision in a wide range of circumstances. They are thus capable of affecting his or her private life and the retention of this information without the consent of the individual concerned cannot be regarded as neutral or insignificant ( 84) 18
2. Recent case law ECHR S. and Marper v. UK (2008) : fingerprints were initially taken in criminal proceedings and subsequently recorded on a national database with the aim of being permanently kept and regularly processed by automated means for criminal-identification purposes. the retention of fingerprints constitutes an interference with the right to respect for private life ( 86) 19
2. Recent case law ECHR S. and Marper v. UK (2008) : Biometric data processing is interfering and requires balancing (law legitimacy proportionality) Use of modern scientific techniques ( 112) legislation allowing for their indefinite retention, despite the acquittal of the former and the discontinuance of the criminal proceedings against the latter. The Court must consider whether the permanent retention of fingerprint and DNA data of all suspected but unconvicted people is based on relevant and sufficient reasons ( 114) (legitimacy) 20
2. Recent case law ECHR S. and Marper v. UK (2008) : remains whether such retention and storage is proportionate and strikes a fair balance between the competing public and private interests (proportionality test sensu strictu) blanket and indiscriminate nature of the power of retention ( 119) the risk of stigmatisation - right to presumption of innocence the retention at issue constitutes a disproportionate interference with the applicants right to respect for private life and cannot be regarded as necessary in a democratic society ( 122-126) 21
2. Recent case law Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States, as amended by Regulation (EC) No 444/2009 ECJ C-291/12 decision Schwarz v. Bochum, 2013 : o o constitutes a threat to the rights to respect for private life and the protection of personal data. Accordingly, it must be ascertained whether that twofold threat is justified the contested measures pursue, in particular, the general interest objective of preventing illegal entry into the EU and are appropriate for attaining the aim of protecting against the fraudulent use of passports. 22
2. Recent case law Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States, as amended by Regulation (EC) No 444/2009 ECJ C-446/12-449/12 Willems e.a.16 April 2015 : 45: to be used only for verifying the authenticity of the document or the identity of the holder 47: does not provide a legal basis for. databases in MS 48 : It follows, in particular, that Regulation No 2252/2004 does not require a Member State to guarantee in its legislation that biometric data will not be used or stored by that State for purposes other than those mentioned in Art. 4(3) 23
2. More important recent (data protection) case law United Kingdom: Google v. Vidal-Hall 2015 EWCA Civ 311 tort for misuse of private information? (rather than confidential information) EU Charter rights were relied upon to strike down UK legislation limiting the ability to sue for non-economic losses United States : Ct Appeal 2 nd Circuit Civil Libert. vs NSA 7 May 2015 : Sect. 215 Patriot Act unlawful (bulk collection of telephone metadata) 24
Role for the legislator ECJ C-291/12 decision Schwarz v. Bochum, 2013 on preliminary questions: 46. ( ) Next, in assessing whether such processing is necessary, the legislature is obliged, inter alia, to examine whether it is possible to envisage measures which will interfere less with the rights recognised by Articles 7 and 8 of the Charter but will still contribute effectively to the objectives of the European Union rules in question ( ) Legislator shall take responsibility 25
Conclusions Need to acknowledge interfering and sensitive character of biometric data Consent not sufficient quid irreversible, revocable, unlinkable, multiple biometric identities? Need for legislative action with conditions and requiring safeguards for biometric data processing 26
Further reading European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11 final, 25.1.2012, 118 p. EU Council, 15395/14, 2012/0011 (COD), consolidated version of 21.4.2015, available at http://www.statewatch.org/news/2015/apr/eucouncil-dp-reg-4column-2015.pdf ECHR S. and Marper v. UK (2008) ECJ C-291/12 Schwarz v. Bochum, 2013 ECJ C-446/12-449/12 Willems e.a.16 April 2015 and also : our Facebook report v. 1.2 (31.3.2015) See https://www.law.kuleuven.be/icri/en/news/item/icri-cir-advises-belgianprivacy-commission-in-facebook-investigation 27