
Biometrics and Data Protection

Biometrics and Data Protection. Dr. Yue Liu Forum rettsinformatikk 2011. Agenda. Introduction to Biometric Technology Privacy Concerns at Different Stages Major Legal Sources and Crucial Legal Problems Sample Cases in Norway Findings and Recommendations.


Presentation Transcript


  1. Biometrics and Data Protection

    Dr. Yue Liu Forum rettsinformatikk 2011
  2. Agenda Introduction to Biometric Technology Privacy Concerns at Different Stages Major Legal Sources and Crucial Legal Problems Sample Cases in Norway Findings and Recommendations
  3. Introduction to Biometric Technology Definition: The automatic recognition of individuals based on their behavioural and biological characteristics (ISO SC37 Harmonized Biometric Vocabulary)
  4. Introduction to Biometric Technology Behavior: voice, keystroke, gait, signature… Physiological Fingerprint, iris, facial, retina, palm… DNA? Not externally observable
  5. Introduction to Biometric Technology Verification (authentication): are you whom you claim to be? one to one match Central or decentralized database Identification: Who are you? One to many match Central database
  6. Introduction to Biometric Technology Function process of biometrics [Diagram of the enrolment and matching stages; labels: Person, Measuring Device, Stored Template, Live Template, Matching, Result]
  7. Introduction to Biometric Technology EU and Biometric applications EURODAC SIS II VIS European Biometric Passports Other: entrance control etc.
  8. Privacy Concerns at Different Stages Enrolment : Quality: FR, FA purpose, awareness, consent, data, responsibility , unnecessary collection, scale, data controllers, Storage: How? location central/local token (irreversibility, link ability, security, cost, responsibility ), PET What ? raw image/template (health information,
  9. Privacy Concerns at Different Stages Matching Access/user authority Updating Spoofing, stolen, security, fallback procedures
  10. Major Legal Sources of Data Protection OECD Guidelines EC: Convention 108, Data Protection Directive (95/46/EC;97/66/EC;2002/58/EC) Regulation (EC) No 45/2001 EU: ECHR- Marper case
  11. Crucial Legal Problems ECHR art 8 (2) Derogations: public and social interest; national security How to apply? S and Marper v. UK Is there an interference with privacy? In accordance with the law Legitimate aim proportional and margin of appreciation
  12. Crucial Legal Problems P.G. and J.H. v. UK “private life considerations may arise…once any systematic or permanent record comes into existence of such material from the public domain.” Peck v. UK “the relevant moment was viewed to an extent which far exceeded any exposure to a passer-by or to security observation…and to a degree surpassing that which the applicant could possibly have foreseen when he walked in [the street]”
  13. Crucial Legal Problems Biometric as personal data (anonymization) Personal data: any information relating to an identified or identifiable natural person (art 2 a) An identifiable person is one who can be identified directly or indirectly, in particular by reference to an identification number or one or more factors that are specific to his physical, physiological, and mental (…) identity
  14. Crucial Legal Problems Biometrics as sensitive personal data Health indication...which, how Racial related, linking and tracking ability. Context-various
  15. Crucial Legal Problems it is not sufficient to consider the grading this data element has been given isolated, one must also take into account what information one thereby may connect to the nexus-person. This may provide a basis for data security deliberation the submission of the key represents in itself a threat to the protection of highly sensitive information, an increased risk of undesired access to personal information. ----Bing, 1972 p.107-108
  16. Crucial Legal Problems Principle of proportionality (art6.8.14.15) Suitability, necessity and non-excessiveness Balancing test Least drastic means test Huber case: effectively applied -----nature of purposes, availability and effectiveness of other alternatives, loss of data subject, efficacy
  17. Crucial Legal Problems Principle of proportionality European organizations’ opinion about proportionality and biometrics (consultative committee 108 , WP29, EDPS)
  18. Crucial legal problems Proportionality in biometric context: Biometric template/raw image Link with sensitive information Avoiding unnecessary storage Adequate, relevant and not excessive Storage length Type of biometrics Assessment of risks
  19. Sample cases in Norway Principle of proportionality (DPAs) Article 12 of Personal Data Act of Norway National identity numbers and other clear means of identification may only be used in the processing when there is an objective need for certain identification and the method is necessary to achieve such identification.
  20. Sample cases in Norway Reversed cases Case 1: Tysvær Municipality Case 2: Esso Norge Upheld cases Case 3: Rema 1000 Case 4: Oxigeno Fitness
  21. Sample cases in Norway Data inspectorate: 1. Actual objective need for ensuring identification and the method is necessary for such identification 2. Article 8, 9 and 11 3. Not meaningful to distinguish raw biometric image/template 4. Encryption is a measure for security but not decisive factor
  22. Case analysis Identification and authentication Understanding the article 12. PVN: interpretation of “identification method”: as a key, or used for authentication afterwards Focus of article 12: necessary, “identification” in general sense only identification is mentioned, does not indicate authentication is prohibited Main purpose of the Personal Data Act
  23. Case analysis Identification and authentication Is it necessary to differentiate between identification and authentication when regulating biometrics? - What are the differences between identification and authentication when privacy is concerned? What will be the legal value of regulatory differentiation based on such differences? (Line between identification and authentication)
  24. Sample cases in Norway Necessity Data Inspectorate: The requirement of necessity in the first paragraph will only be fulfilled when other or less accurate identification measures such as name, address or customer number are not sufficient. It is also important to consider the importance of such accurate identification for the user and what kind of consequences a mistake can cause. In addition, social need can also be considered.
  25. Sample cases in Norway Tysvær: Alternatives, smart card ESSO: Consent and alternatives Rema 1000: alternatives and trust, balance interest
  26. Sample cases in Norway Storage: Tysvær: encrypted server and sensing device, authentication ESSO: central database too, live authentication Rema 1000: local terminal linked to network, identification and authentication Fitness: local database, identification
  27. Sample cases in Norway Differ central storage and local storage? …storage of the biometric data by the data controllers is unfortunate, and should be avoided. Therefore it is unnecessary to differentiate between local or central storage ----Datatilsynet, 2006 Avoiding unnecessary storage: portable token/central storage Length of storage
  28. Sample cases in Norway Consent: It is still uncertain what kind of policy should be adopted concerning the notice and consent requirements in the biometric context ---Datatilsynet, 2006 Informed consent Possible alternative Unequal Contract Suggestion: Grading system Proportionality and consent
  29. Main findings and Recommendations Biometric data as a special category of personal data Article 12 be reformulated. Proportionality in biometric context: benefits, risks, alternatives, inevitable need, choice of biometrics, storage location and length, purpose, identification and authentication, testing, quality control Informed consent, grading system
  30. Other information: Best Practices in Privacy Guidelines: FIDIS BITE PRIME Article 29 Working Party CEPS OECD European Commission
  31. Thank you for your attention! southhopeliu@yahoo.com