
D3.10: Biometrics in identity management


Proportionality

Proportionality is another very critical aspect of biometrics. It is often raised and referred to in general terms, without much further explanation. The question arises as to what the proportionality principle means, how the review is carried out and which factors are taken into account. It is not the intention of this report to describe in detail the proportionality check that is or should be made by each DPA in its own country.

The proportionality principle refers to a general principle of law that requires a fair balance and reasonable relationship between the means requested or used, including the severity and the duration of the means, and the objective sought. The proportionality principle has its origin mainly in public law, where it, as developed in case law and legal doctrine, lays down some fundamental rules for justifying state interference with fundamental rights and freedoms of individuals. The proportionality principle is not only relevant for the right to privacy, but also to other fundamental rights (e.g., the freedom of expression), which are, for Europe, laid down in the European Convention of Human Rights of 1950 (‘ECHR’) and the Convention on Civil and Political Rights.

In case law and legal doctrine, the proportionality of the measure is combined with two further requirements: that the interference serves a ‘legitimate aim’ (finality principle) and that the interference is ‘prescribed by law’ (legitimacy principle). ‘Prescribed by law’ means that there shall be either a written legislative act or a ‘rule of law’ which justifies the interference, to the extent this law is sufficiently precise and adequately accessible. The finality principle requires that restrictions are only imposed for lawful and legitimate purposes. The proportionality principle, which allows certain restrictions to fundamental rights and obligations, applies in addition to these two principles and requires that even if one has a legitimate purpose for such restriction, prescribed by law, the restriction needs to be in proportion with the aim sought and ‘necessary in a democratic society’. Legal scholars have written extensively about the meaning of this proportionality principle and requirement. One could summarise that the proportionality principle bundles two requirements: (a) the restriction has to be relevant for the purpose sought (or there must be a ‘pressing social need’ to restrict) and (b) the restriction needs to be proportionate to the legitimate purpose pursued.

Traditional legal doctrine in principle proclaims that the fundamental rights and freedoms of the ECHR are only guaranteed to the individual in his relationship with the government. There is however an important evolution in that more and more scholars defend that the fundamental rights and freedoms shall also be valid and applied amongst private parties (‘Drittwirkung’). This implies that fundamental rights and freedoms, such as the right of privacy, can also be enforced amongst private parties. As a result and by analogy, private parties will also be confronted with limitations to these fundamental rights and freedoms, in accordance with the same principles of legitimacy, finality and proportionality.

If we now look at the framework relating to data protection, we notice that the principles of legitimacy, finality and proportionality, which clarify the criteria for restrictions to fundamental rights, are also expressly incorporated in Article 6 of the Directive 95/46/EC. They are set forth as the criteria and principles which should guarantee a certain data quality in relation with personal data processing.

(i) The legitimacy principle states that personal data shall be processed ‘fairly and lawfully’ (Article 6 of the Directive 95/46/EC). The notion of ‘fairly’ is quite general and refers to several observations. Some authors include in the notion a reference to the interests and reasonable expectations of data subjects, a requirement that a person is not unduly pressured into providing data about him-/herself and that the processing of the data is transparent. Bygrave states that the notion of ‘fairly’ in itself already contains a notion of balance and proportionality. ‘Lawfully’ implies that the processing is in accordance with the national data protection legislation, in accordance with other laws and statutory provisions, legally enforceable obligations (e.g., binding agreements) and legal competences. We see that for the Type I government-controlled ID model, the legislator will attempt to provide a legal basis for the collection and processing of biometric data. This is often criticised, as such a law or other legislative measure is not always very balanced and is often incomplete in terms of providing sufficient guarantees to the data subject for security and integrity.

(ii) The purpose or finality principle. The second core principle of data protection that is relevant is that the data shall be collected for specified and lawful/legitimate purposes. This principle is in fact a cluster of three sub-principles, i.e., 1) the purposes of the data collection shall be specified, 2) the purposes shall be lawful / legitimate, and 3) further data processing shall not be incompatible with the original purposes. Owners of biometric systems hence need to specify the purposes for which the biometric data will be used. This is often a problem for the Type I government controlled ID model, and sometimes also the Type III Mixed model.

(iii) The proportionality principle. The third core principle requires that the personal data shall be adequate, relevant, and not excessive in relation to the purposes for which they are processed. There are no legal provisions on the interpretation of this principle and there are very few guidelines on what criteria shall be used. The criteria for the application of the principle, even if the principle is embedded in a legal provision, are debated, in particular in the context of the enforcement of fundamental human rights (see also above). Therefore, it is necessary to review the decisions of the national courts and the European Court of Human Rights in relation to privacy rights and other rights, to see how the principle is applied by the national DPAs and courts in relation to biometric systems, and to derive, if possible, conclusions for such systems.

The Article 29 Data Protection Working Party discussed in its opinion the use of biometric data for access control purposes, and stated in this context that the way biometric data are stored, i.e., centrally or on an object exclusively under the control of the data subject, will determine to what extent the fundamental rights of individuals are at risk. The central storage of biometric data poses more risks, in particular for so-called ‘function creep’ (the risk that the data are used for secondary purposes which are not compatible with the purposes for which the data were initially collected) and the linking of information in several databases. At the same time, the Article 29 Data Protection Working Party stated that such central storage could be permitted for high security installations. The Article 29 Data Protection Working Party touches on other criteria, such as the kind of biometric (e.g., the outline of a hand as opposed to fingerprint is more proportionate) and the way biometric data are digitalised. The criteria for deciding upon the proportionality of the use of biometrics, however, are not stated in the Directive and therefore remain unclear.

Nevertheless, the DPAs apply the proportionality principle as a decisive criterion in their decisions. The French DPA (CNIL) stated it as follows in an opinion of 8th April 2004: ‘It is in the light of the whole of these reflections that the Commission shall appreciate, in each case, if the use of biometric recognition techniques and the set up of a data base, because of the physical identification characteristics of biometric elements and the possible uses of the established data base, are fit and in proportion with the purposes’. The DPAs and the courts hence review whether the use of biometric identification techniques is lawful and in proportion with the purposes of the application based upon Article 6 of the Directive 95/46/EC.

The use of biometrics in private sector applications has until now received less attention than the intended use of biometrics in applications of the public sector, such as in passports and travel documents, visas and VIS and SIS II. The deployment of biometrics in this context has caused tumult as the legal texts which intend to introduce such use in the public sector were often too general with regard to the purpose specification and did not provide adequate safeguards for the individuals in relation to the (security) risks involved. The deployment of biometrics in private sector applications however also requires attention.

The advisory opinion of the Article 29 Data Protection Working Party of 2003 on the application of the data protection principles to biometrics in general, which is general in nature, remains relevant for an evaluation of this proportionality issue in the private sector. The Article 29 Data Protection Working Party pointed out in this opinion that in its view the principle of purpose and proportionality is a decisive factor in the legal review of biometric systems by the DPAs. The Article 29 Data Protection Working Party also referred to Article 6 of the Directive 95/46/EC, which requires that ‘(…) personal data must be (a) processed fairly and lawfully, (b) collected for specified, explicit and legitimate purposes (…)’ and that the data shall be ‘adequate, relevant and not excessive (…)’. The Article 29 Data Protection Working Party however did not further clarify how these principles are to be applied.

Proportionality means in practice that a biometric application is used to link the biometric sample with the necessary and sufficient attributes of the identity of an individual to allocate the rights or authorisations that the specific individual is entitled to in the application context. The notion of proportionality can be explained in the triangle of a value transaction between two parties (see Figure 12). The requesting party undergoes an authentication process (e.g. biometric recognition) that identifies the identity attributes necessary and sufficient to define his rights in the context of the transaction. This enables the delivering party to give the requested allowance to the rights requesting party. Proportionality means that the allowance delivering party collects only the necessary and sufficient identity attributes to correctly define the rights of the allowance requesting party. It especially means that biometric recognition should not be used for any purposes other than the specific application within which the individual delivered his biometric sample data. Any evaluation of biometric data outside the context of the immediate application potentially violates the requirement of proportionality. It is clear that the proportionality issue is a crucial point in any identification process that does not have the full approval of the individuals involved. Such an involuntary identification may violate the proportionality criterion. However, there are applications, especially in the context of fraud and forensics where individuals are not cooperative, where the notion of proportionality has to be extended to the basic purpose of the identification process. It is possibly not a violation of proportionality if passengers of an airline are screened against templates of known terrorists as long as the biometric data of the screening are not used for other purposes and there is a legal basis for this practice.


Figure: The triangle of a value transaction and the use of biometric recognition

The proportionality principle is also closely connected to the margin of appreciation doctrine. This doctrine finds its origin in the administrative law of civil law jurisdictions, according to which administrations are granted some ‘discretion’ or ‘freedom’ in taking decisions in application of a rule. If there is no clear answer as to which interest outweighs the other, the margin of appreciation for the court will increase. This means that if there are no concrete guidelines as to how to apply biometrics, DPAs and courts have more freedom to decide whether the application is ‘fairly and lawful’ and ‘proportionate’.

The margin of appreciation of the national DPAs, and the different interpretations by the DPAs of when a biometric system infringes the individual fundamental rights, is now exactly the opposite of what the Article 29 Data Protection Working Party tried to establish in its opinion of 1st August 2003. The Article 29 Data Protection Working Party stated it as follows:

‘The purpose of the present document is to contribute to the effective and homogenous application of the national provisions on data protection adopted in compliance with Directive 95/46/EC upon biometric systems. (…) The Working Party intends to provide uniform European guidelines, particularly for the biometric systems industry and users of such technologies’.

The proportionality principle, a main principle in the evaluation of biometric applications and models, therefore leaves many open questions and provides no concrete guidance as to how to design and implement biometric models.

Since the functionalities of biometrics (i.e. identification and verification) which serve a specific purpose (e.g., avoidance of ‘double dipping’, securing proper use of an employee card, etc.) need to be clearly distinguished as explained above (see section ), we believe that a first step would be to clearly link these functionalities to a specific type of application.

The Council of Europe set forth this idea in general terms in 2005 as follows:

‘In choosing the function of verification or identification, much depends on the purpose to be served by the biometric system and the circumstances under which it is to be applied. The function must serve the purpose for which data have been collected and not amount to an overkill. The same statement would be in legal terms: the instrument should not be disproportionate in relation to the purpose it has to serve. The choice of an identification system in cases where a verification system would be sufficient to serve the envisaged purpose needs special justification. Verification problems should not be solved by identification solutions.’ (underlining added)

 

20071228_fidis_deliverable_wp3_10_V1.0.final.sxw