
D3.10: Biometrics in identity management



Legal treatment and regulations of biometrics

In FIDIS deliverable 3.2. ‘Study on PKI and biometrics’, it was explained that the Directive 95/46/EC (hereinafter the ‘Privacy Directive 95/46/EC’) constitutes the general legal framework for the processing of personal data and that, although the Privacy Directive 95/46/EC does not mention biometric data as such, its legal provisions and principles also apply to the processing of biometric data. Although some have tried to argue that the Privacy Directive 95/46/EC does not apply in specific processing circumstances of biometric data, one has to acknowledge that biometric systems per se relate to identified or identifiable persons as they use personal characteristics and aim to identify the person to whom these characteristics belong or aim to verify that these belong to the same person.

In August 2003, the Article 29 Data Protection Working Party (hereinafter the ‘Article 29 Working Party’), established by the Privacy Directive 95/46/EC, provided specific guidelines for the processing of biometric data in a working document on biometrics. These guidelines are highly relevant for biometric identity management systems in general, whether used in the public sphere or for private commercial purposes. They will not be repeated in this deliverable, as they were discussed in the aforementioned deliverable. In the meantime, the Article 29 Working Party has further reflected on the meaning of biometric data in an opinion of 2007 on the concept of personal data. This opinion stressed the function of biometric data in establishing a link with an individual and in serving as identifiers (see also the discussion above, section ).

Furthermore, the use of biometrics in applications controlled by the government, such as in passports and travel documents and in large scale applications in Europe such as the Visa Information System (VIS) and the second generation Schengen Information System (SIS II), has received a lot of attention and was subject to some debate when in several opinions the Article 29 Working Party and the European Data Protection Supervisor (hereinafter the ‘EDPS’) pointed to the risks of the implementation of biometrics in these applications. Several countries planned or started to issue biometric passports in furtherance of the Council Regulation (EC) No 2252/2004 of 13 December 2004. The regulations and the legal aspects of the use of biometrics in ID documents and passports have been analysed in detail in FIDIS deliverable 3.6. ‘Study on ID Documents’ of 2006. The present deliverable will therefore not focus on the legal aspects of the use of biometrics for these purposes by governments in ID documents.

In the meantime, the national Data Protection Agencies (hereinafter the ‘DPAs’) of the Member States have been active in the interpretation of the data protection legislation applied to biometrics for use in the private sector. In most countries, the data protection legislation does not explicitly mention biometrics. The legal provisions which the DPAs apply, however, are in principle the national data protection laws, which have implemented the Privacy Directive 95/46/EC. National DPAs may in principle issue opinions and general recommendations with regard to the processing of biometrics. While recommendations of DPAs do not, strictly speaking, have the force of law, controllers often tend to follow the recommendations issued by DPAs on specific matters.

Presently, the DPAs review the processing of biometric data in many cases upon request for a preliminary opinion by the data controller or sometimes upon notification of the processing. The DPAs, however, have many more important competences. According to the Privacy Directive 95/46/EC, these competences include investigative powers, such as access to the (biometric) data processed by a controller and powers to collect all the information necessary; powers of intervention, including the competence to order the erasure of data or to impose temporary or definitive bans on the use of (biometric) data; and the power to engage in legal proceedings against controllers if they do not respect the data protection provisions. The DPAs can also hear claims of an individual who states that his/her rights and freedoms with regard to the processing of personal data are infringed or bring violations to the attention of the judicial authorities.

Appeal against the decisions of the DPAs is in principle possible before the national courts of the country where the DPA is established in conformity with the existing procedure for appeal against such (administrative) decisions in that country. In the United Kingdom, a specialist Tribunal (the ‘Information Tribunal’, formerly the ‘Data Protection Tribunal’) is set up to determine appeals against notices and decisions served by the Information Commissioner.  

In section below, we will first briefly touch upon some ongoing work relating to standards in the field of biometrics. In section , the situation of biometric applications (other than their use in ID documents) in some countries, including some opinions of DPAs, will be discussed. This review will show that the proportionality principle is a leading principle in the evaluation of biometric systems. This concept will be further addressed in section below.

