PUBLICATION: Analysis

Biometrics Identification and Privacy Rights

6 June 2011. Strahinja Brajušković, Consultant for Justice and Home Affairs and Member of the Advisory Body of the NGO "Civilnet"

Biometric technology is promising to change the political, cultural and social landscape. This technology creates new possibilities which may be reassuring or raise serious concerns, depending on one’s views on the use of biometrics in society, stated the Platform on Ethics and Governance of Biometric Technology (EGBT)[i] at the Joint European Conference on Ethics and Governance of Biometrics and Identification Technologies[ii]. The conference was organized by the HIDE (Homeland Security, Biometric Identification and Personal Detection Ethics) and RISE (Rising Pan European and International Awareness of Biometrics and Security Ethics, an international initiative for promoting awareness on ethical aspects of biometrics and security technologies) projects. But where will this change lead us? Will it be a new Orwellian scenario or a world of increased public and individual safety? This is the important discussion that took place at the aforementioned conference as well as in European forums, but is still not being meaningfully addressed in Serbia and the Western Balkan countries. The conference addressed a wide range of issues, but here we would like to present the pending issue of biometric technologies and privacy rights.

In a world in which we are often exposed to disturbing news about the new ways that companies or governments of certain countries come into possession of private information and share it without consent or even our own awareness, understanding of biometrics, personal detection technologies and on-line surveillance is of great importance.

The wider implications of technologies like online surveillance, biometrics and personal detection are recognized as significant issues in modern society and should be approached with sensitivity and high ethical and legal standards.

All technologies can be used in an inappropriate manner, so the mere possibility of misuse should not prevent the development of a given technology. Although there is a concern that biometric data, for example retina scans, could be understood as invading a person’s bodily privacy, all databases containing personal details that have been used for decades could be seen as a threat to privacy if improperly used.

The Constitution of the Republic of Serbia guarantees the protection of personal data and the collection, storage, processing and use of personal data are regulated by law. In Serbia, the Law on Personal Data Protection came into effect on January 1st 2009. It is important to stress that the Commissioner for Personal Data Protection provides opinions on data processing, especially in the case of new technologies. The Law allows the Commissioner to give opinions to the Government on the enactment of instruments governing data filing methods as well as safeguards for particularly sensitive data. This allows the Commissioner to have a true impact on the use of new technologies in this realm.[iii] As the Guidebook on the Serbian Law on Personal Data Protection highlights, the Commissioner has an excellent opportunity that most other authorities do not have, as clearly stated in the laws, to create a new practice in the field of technology. The Law enables him to reduce the gap between existing legislation and new technologies.[iv]

The rise of biometric technologies should be followed by a commensurate rise in the legal framework targeting specific issues of social control and responsibility. In reality, it has almost always been the case that legislation lags behind technology—another reason to treat such sensitive issues with additional ethical responsibility.

“A sharp debate is emerging around biometric technology and whether it offers society any significant advantages over conventional forms of identification, and if it constitutes a threat to privacy and a potential weapon in the hands of authoritarian governments. There is no doubt, however, that technology needs democratic accountability and ethical scrutiny”, says the report on the joint HIDE/RISE-organised conference.[v]

The multi-stakeholder conference report calls for the joint efforts of various stakeholders (such as regulators, responsible agencies, lawmaking bodies, industry, third party privacy solution providers and consumer representatives) in setting technology security policy in Europe, as this is how policies can ensure that biometric data processing is handled with strong measures to prevent specific risks.

How are the security and safety of citizens protected without jeopardizing their privacy? Some say our privacy is already irreversibly ruined, as Eric Schmidt, CEO of Google, pointed out in his speech at the 2010 Techonomy Conference: “Show us 14 photos of yourself and we can identify who you are. You think you don’t have 14 photos of yourself on the Internet? You’ve got Facebook photos!” But as most law enforcement agency representatives and security and defense experts state, we feel relatively safe in the society in which we live in spite of various terrorist, criminal and health threats, because the aim of responsible use of biometrics, online surveillance and similar technologies is protecting the public interest. It can be done only with a strong legal framework and education of users such as in airports and in public administrations. However, there is another important concern Schmidt’s comment accents: citizens as individuals should also take their own responsibility in keeping their data safe.

Finding the balance between privacy protection and the public interest is a serious and thorough challenge, not to mention both technologically and legally demanding. For example, there are still debates on whether or not biometric data should be considered as ‘private’ or as ‘sensitive’ data and there are strong arguments for both views. At the Ethics and Governance of Biometrics and Identification Technologies Conference, many speakers agreed that the answer depends on the specific context, on the use of the data, on the specific reasons why the data is being processed, and how it is being done. Enshrining these considerations within a strong but flexible legal framework in order to bring more legal certainty to the benefit of both data controllers and individuals demands deep understanding of technological, procedural and ethical concerns and specifics.

One of the presenters at the Joint European Conference[vi], Ms. Els Kindt from the Katholieke Universiteit Leuven, said[vii] that a critical step in qualifying biometric data involved determining “whether the data is personal or sensitive from a legal point of view”. Ms. Kindt stressed that only then could biometric information be submitted to existing legislation and additional legislation be developed. She noted the ethical concerns of “using the human body as a barcode” because biometric technologies can lead to several privacy and identity risks related to, for example, ways in which information on health and ethnicity are collected, processed and stored.

The RISE conference report stated some major conclusions drawn during conference debate[viii]:

  • There should be clear and verifiable limitations to the use of biometrics within a specific system.
  • Large-scale biometric applications need to be registered, certified and monitored.
  • There should be an open and transparent mechanism for providing checks and balances by the owners/operators of large-scale biometric systems.

While the EU is in the final stage of the consultative process leading to a review of the 1995 Data Protection Directive, aimed at better regulation of ethical issues and privacy rights and trying to keep pace with the newest technologies, the Serbian Law on Personal Data Protection does not comply with even the existing EU directive. Let’s also be reminded that the security services are legally allowed to monitor private electronic communications with no court order, and those controversial provisions of the Serbian Law on Telecommunications are now awaiting a final decision of the Serbian Constitutional Court.

[i] Issued in December 2010 by the Centre for Science, Society and Citizenship, Rome, Italy.

[ii] The Joint European Conference on Ethics and Governance of Biometrics and Identification Technologies was held in Brussels from 9-10 December, 2010.

[iii] See the Serbian Law on Personal Data Protection, Article 44, paragraph 1, items 7 and 9.

[iv] See the Guidebook on the Serbian Law on Personal Data Protection, Nataša Pirc Musar (Vodič kroz Zakon o zaštiti podataka o ličnosti / Nataša Pirc Musar – Beograd. Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti, 2009 (Beograd: Dosije)), page 97.

[v] RISE Multi-Stakeholder Conference Report issued in February 2011 (Deliverable D3.4).

[vi] Joint European Conference on Ethics and Governance of Biometrics and Identification Technologies, 9-10 December 2010, Brussels.

[vii] RISE Multi-Stakeholder Conference Report issued in February 2011 (Deliverable D3.4), p. 9

[viii] Ibid, p. 10
