Els Kindt

Cogitas, Ergo Sum. The Role of Data Protection Law and Non-discrimination Law in Group Profiling in the Private Sector

This chapter focuses on the legal uncertainty regarding the applicability of data protection law in the case of profiling. This legal uncertainty stems amongst others from the definitions of personal data, data processing and data controller in EU regulations as well as from the possible exclusion of anonymous data from the applicability of data protection law. We will show that it is perfectly possible to construct and apply profiles without identifying the person concerned in the sense of data protection law. We will build our legal analysis gradually upon the three different steps that exist in the construction and application of profiles: the collection of personal data and other information to construct the profile; the construction of the profile upon personal and anonymous data and the application of a group profile to a group or an individual. For each level, we will analyse whether and how data protection law applies. We will use case law and legal doctrine in our analysis. As a result of the legal uncertainty that we find in data protection law, we will then try to find answers in privacy and anti-discrimination law, with a special focus on legislation and jurisprudence in the case of racial and ethnic profiling.

Best Practices for Privacy and Data Protection for the Processing of Biometric Data

Self-regulatory initiatives by data controllers can contribute to a better enforcement of data protection rules. This is especially important for the use of biometric data in identity management systems, because of risks of use as unique identifiers and identification. This chapter explains the Best Practices which were developed in the Turbine project. These Best Practices recommend inter alia the creation of multiple trusted revocable protected biometric identities, which are irreversible and unlinkable.

An Introduction into the Use of Biometric Technology

Biometric traits are being used since thousands of years – from prehistoric men in the Chauvet cave to the EU officials designing smart borders. They allow for identifying and recognizing human beings. The automated processing however is new and raises concern. For facilitating a discussion of the legal aspects of this new technology, this Chapter introduces the reader after a short introduction in the history, into the use of particular biometric characteristics, some technical aspects and the functioning of a biometric system as either a verification or identification system. It explains how errors are made and refers to technological developments, while deploying the ISO harmonized biometric vocabulary terms. The gradual expansion of biometric data use in the twenty-first century is illustrated by examples of the present use of biometric data, often in large-scale applications in the European Union. Because they were commented by the European Data Protection Supervisor and the Article 29 Working Party for example, and were subject of specific (often modified) regulations, they will prove to be useful for the legal analysis and later discussion also because they reflect some of the pitfalls which are typical and significant for biometric data processing.

Towards standardizing trusted evidence of identity

Evidence of identity (EOI), sometimes mentioned as breeder documents in a physical representation form, refers to a single or a set of evidence that can be used to provide confidence to the claimed identity. Trust of evidence of identity needs prudential assessment by an authority or a service provider before such evidence of identity can be accepted for identity verification or eligibility evaluation purposes. This is especially the case when such purposes have a high risk of cost, security, and other critical consequences. In this paper we analyze the status of deployed EOIs in the scope of ePassport issuance; and then attempt to define the implementation types, fraud scenarios, security objectives, and trust levels for EOIs, which have not been clearly defined in existing research and standardization societies. As a pilot survey work in this field, recommendations from policy and technology perspectives towards a highly-trusted EOI framework for standardization are shaped towards future ePassport issuance standardization and practice. Finally, a new design of birth certificate, compliant to the proposed recommendations, is presented as an example of trusted EOI.

Biometric Data, Data Protection and the Right to Privacy

Are biometric data always personal data ? Until today, this question is raised repeatedly, as well as whether biometric data are ‘sensitive’ data. The Chapter provides answers based on a detailed analysis of the concepts from a national and European law perspective. The guidance of the Article 29 Working Party on these questions is hereby commented in a critical way, also taking into account the opinions WP192 and WP193 of 2012. The author also suggests a definition of biometric data, indispensible for framing later proposals. Biometric data is further compared with biological material and DNA, for which more detailed regulation exists. Many esteem that DNA analysis will soon be possible in ‘real time’ as well. The author concludes with sketching the privacy and data protection framework, now also both fundamental rights as proclaimed in the EU Charter, in which biometric data processing shall fit in. Varying national approaches surface as an omen for diverging interpretations and guidance for processing biometric data.

Privacy and Data Protection Aspects of e-Government Identity Management

European Commission 2003, p. 7. E-Government initiatives are being witnessed at all levels of government (local and federal governments, including legislative bodies, the judiciary, the tax administration, in the health sector, etc.). These initiatives can be grouped into four main categories: (1) the disseminating (passive or active) of relevant general public information to citizens, for example through websites, (2) the use of electronic processing and networks to improve the management of activities inside and across governmental departments, (3) the use of ICT to increase citizen participation in decision-making processes (e.g., e-petitions), and (4) the use of ICT for interaction with the citizen and service delivery (e.g., filing of tax return, access to personal file at the National Registry or on an e-health platform, filing of declarations in social security, etc.). For this Chapter, we focus on the activities in group (2) and (4).

Privacy by Design – The Case of Automated Border Control

This book contains a range of keynote papers and submitted papers presented at the 9th IFIP WG 9.2, 9.5, 9.6/11.7, 11.4, 11.6/SIG 9.2.2 International Summer School, held in Patras, Greece, in September 2014. The 9 revised full papers and 3 workshop papers included in this volume were carefully selected from a total of 29 submissions and were subject to a two-step review process. In addition, the volume contains 5 invited keynote papers. The regular papers are organized in topical sections on legal privacy aspects and technical concepts, privacy by design and privacy patterns and privacy technologies and protocols.

Legal Aspects: Biometric Data, Evidence Rules and Trusted Identities

Biometric characteristics could play an increasing role as means for binding electronic documents and transactions to a person and for identifying that person. However, one of the conditions for biometric methods to be used as an electronic signature is that spoofing vulnerabilities are adequately assessed and appropriate solutions are developed. Anti-spoofing measures are also crucial in electronic identity schemes which may include biometric characteristics. For these schemes, privacy and data protection issues remain to be solved as well.

A Legal Model for the Use of Biometric Data in the Private Sector

This last Chapter proposes various specific suggestions for a comprehensive regulation of biometric data processing operations in mainly the private sector. The author formulates seven general principles, based on the previous analysis, and makes detailed recommendations structured in nine domains for both the national and international legislator. One of the principles to be embedded in legislation is no hidden or secret collection of biometric data, while another is the availability of an alternative system if the biometric data processing relies on consent. The recommendations include distinct use by the private and public sector and enhanced rights for the data subjects. The recommendations are supported by the analysis of the law, decisions and the opinions of the data protection authorities made in the preceding Chapters, while including references to examples of other legal systems as well.

Introduction: Subject, Methodology and Structure

This Chapter explains the selection of the topics researched and the methodology used. The main research question was on the criteria which determine the proportionality of biometric data processing. To analyse and explain the variety of legal criteria, the method of evaluating existing legislation, in particular of the Directive 95/46/EC as implemented in national law, was deployed in combination with comparative law research. Three civil law countries, i.e. Belgium, France and the Netherlands, where the rule of law is important while sharing legislation as the main source of law, were selected for a detailed analysis of the law, decisions and opinions on biometric data processing. At the same time, relevant developments in other EU countries and abroad on regulation of biometric data processing were taken into account as well to formulate suggestions for legal criteria for biometric data processing.