1. Introduction
1. On 5 October 2006, the Parliamentary Assembly decided
to refer to the Committee on Legal Affairs and Human Rights, for
report, the motion for a recommendation on the need for a global
consideration of human rights implications of biometrics (
Doc. 11066). At
its meeting on 27 January 2009, the committee appointed me rapporteur.
2. Following the events of 11 September 2001 and other terrorist
attacks, security issues have become a priority at the global level
and have led to an ongoing search for secure and reliable methods
of identification and verification using the intrinsic features
of each human being, such as fingerprints, retina, DNA, voice or, more
recently, body scans. In the absence of any specific legal framework
covering this issue, the rapid development of biometric technology
raises some concerns with regard to the protection of human rights
and fundamental freedoms.
3. “Biometrics” refers to systems that use measurable physical
or physiological characteristics or personal behavioural traits
to recognise the identity, or verify the claimed identity of an
individual.
In
comparison with other means of authentification, such as badges
and passwords, biometric data reduce the possibility of abuse because
they cannot easily be transferred to third parties and do not rely
to the same extent on verification or identification by security
personnel, which is the main weakness of current security systems.
Therefore, technologies using these biometric data to confirm an
individual’s claimed identity can both improve overall safety and
reduce the risk of fraud. Although the advantages of biometrics
in terms of security are indubitable, the proliferation of biometrics
presents challenges concerning fundamental human rights, and in
particular data protection. The collection and evaluation of biometric
data as such does not seriously interfere with an individual’s rights
given that taking pictures or fingerprints, etc. with today’s technology
is fast and non-intrusive. But mass processing and central storage
of personal data, as performed, for instance, in the Eurodac database for
asylum applications in the European Union member states,
may
interfere with the private sphere of individuals, since the integrity
of the human body and the way it is used in collecting biometric
data constitute an aspect of human dignity.
4. This report is intended to present the main issues concerning
biometrics, such as the meaning of this term, the collection and
conservation of biometrical data in practice and the concerns related
to the latter.
It will also refer to the existing European
regulations on data protection and will make some recommendations on
how to fill loopholes identified in the legislative framework.
2. What does the term “biometrics” encompass?
5. Biometric data are unique individual physical or
behavioural characteristics that differ from one human being to
another and that remain, in most cases, unaltered for life. Examples
of biometric data are DNA samples, fingerprint images, pictures
of the iris or the retina, but also voice recording, individual
gait or typing rhythm during logon.
6. Biometric systems are a highly reliable means of authentication
as they allow for proof of a strong connection between an individual
and his alleged identity through verification of his or her unique
physical biometric data. Furthermore, the convenience of such systems
makes them more acceptable. Instead of long identification and verification
procedures conducted by security personnel, iris/facial scans as
well as behavioural tracking allow for swift security checks even
of large crowds of people. Despite the initial investment in up-to-date
equipment, biometric technology is cost effective – avoiding for
example the costs of forgotten passwords.
7. The use of “first generation” biometrics (for example fingerprints
and iris scans) has given rise to limited controversy as regards
human rights, in particular as regards the conditions in which such
data can be collected and for which purposes they may be used. The
subsequent introduction of “soft biometrics” – which includes gender,
weight, height, age and ethnicity for automated classification –
has proved more contentious, evoking objections on the basis that
it could constitute or facilitate discriminatory social profiling.
“Second generation” biometrics aim to identify a person on the basis
of his or her actual behaviour or activities. They may include measurements
of the heart rate, body temperature, brain activity patterns and
pupil dilation, which calls into question what we understand by
“personal data”. Also, it may be necessary to determine to what extent,
if any, the (ab)use of body scanners ought to be dealt with in this
context. The fact that such data can be collected without the individual’s
knowledge merely adds to the controversy. Today’s video surveillance technology
is capable of tracing individuals from a distance and creating profiles
without the knowledge of the person concerned.
3. What are the different applications of biometric
data?
8. The use made of biometrics varies across Council
of Europe member states. Biometric systems will serve either one
or both of two main purposes: identification of an individual, by
which the identification is solely based on the biometric information,
or verification of an individual, where a verification template
is compared to an enrolment template. Identification requires a
one-to-many comparison, while verification requires a one-to-one
comparison. Different types of storage should be used depending
on the overall objective of the given system. Generally speaking,
identification poses a much greater risk to human rights than the
direct use of biometric data, since in identification procedures
such data are never under the strict and full control of the individual.
9. The most common applications of biometrics can be found in
the field of immigration control. Here, biometrics may be used for
passports, border control, visa applications and ID checks on asylum
seekers. Large-scale databases such as the European Union Visa Information
System and the Schengen Information System centralise and store
such data in Europe.
10. In addition, most if not all Council of Europe member states
allow the compulsory taking of fingerprints and cellular samples
in the context of criminal proceedings. At least 20 member states
make provision for collecting DNA information and storing it in
national databases or in other forms (Austria, Belgium, the Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland,
Italy, Latvia, Luxembourg, the Netherlands, Norway, Poland, Spain,
Sweden and Switzerland). This number is steadily increasing.
11. Due to its convenience, the private sector also drives the
rapid development of biometrics. Biometric data is used for access
control to private buildings such as casinos, discotheques or fitness
studios. Insurance companies have an immense interest in biometrics
since any information on their clients’ health status helps their
cost/risk analysis. The extended use of loyalty cards demonstrates
customers’ willingness to reveal personal preferences, though customers
are not always fully aware of the extent to which this involves
the revelation of personal data.
12. The need to identify individuals accurately in both the public
and private spheres makes the further development of these technologies
inevitable. In the public sector, biometrics have become a key instrument for
national and international security and immigration policies. The
fight against terrorism and organised crime also benefits from the
use of modern scientific techniques of investigation and identification.
As a result, in addition to employing biometric systems for border
control purposes, states are creating increasingly large central
databases holding biometric data such as computer-readable facial
photographs, fingerprints and DNA.
Meanwhile,
biometric systems are gaining importance as a product in the private
sphere as identity fraud becomes increasingly common in the growing
field of e-business.
4. Risk of falsification
13. Biometric data are considered to be very reliable
and, indeed, in most systems there is a high probability that in
using biometric data for identification purposes, one is dealing
with the correct individual.
14. But false positives or negatives remain possible due to the
technical imperfections of biometrics. An error rate of 0.5% to
1% is the norm, so there is no such thing as an absolutely certain
match or non-match. Poor light conditions or insufficient training
of operators increase the risk of false identification/verification.
Intentional manipulations are also possible.
15. Biometric characteristics, in principle, remain unchanged
for the duration of an individual’s life. There are, however, certain
exceptions where a change in biometric features may occur, such
as through surgery, accidents, or simply ageing. Studies on the
long-term viability of biometrical data have shown, for example,
that fingerprints may change as time passes.
16. Being affected by bodily growth, biometric features are not
fully developed until early adulthood. Using children’s fingerprints
for passports or access control methods as already practised in
some schools, increases the risk of mistakes. Until their biometric
features are fully developed, children should not be subjected to
the collection of biometric data, also in order to prevent premature
categorisation and discrimination.
17. Additionally, there is the important issue of the security
of stored biometric data. Biometric systems are vulnerable to hacking,
unauthorised modification or destruction, tampering, unintentional
loss, and improper disclosure. Falsification of biometric data,
particularly fingerprints, has been shown to be entirely possible. Furthermore,
the use of biometrics will not exclude identity theft or forgery,
as shown in the case of the new e-passports introduced in a number
of European Union member states.
5. Main human rights concerns concerning biometrics
18. Where personal data is dealt with, sufficient safeguards
are of key importance in order to guarantee the protection of human
rights. The technology of biometrics is capable of providing enhanced
security whilst protecting human rights. What raises concern is
the widespread unnecessary and careless use of such personal data.
19. The prospect of combining biometric data collected by public
bodies and exchanging them with private businesses poses a serious
threat to an individual’s human rights.
The
intense interest of the private business sector is caused by the
benefits of detailed knowledge of their customer’s physical features
and habits, for example for an insurer’s cost-risk-analysis or for
marketing purposes. As a result, personal data have become valuable
commodities.
20. The threat for individual rights is mainly posed by the danger
of collecting and combining the data without the consent or even
knowledge of those directly concerned and collecting more data than
necessary.
Cash-strapped
public bodies may be tempted to sell personal data as private businesses
offer large sums for such information. Due to the legal complexity
of the question of a possible effect of human rights among private actors
(
Drittwirkung), I will not
go into detail on this issue as regards the biometrics field.
5.1. Human dignity
21. Biometric data are collected or derived from the
human body and, as such, the question arises whether this may affect
a person’s human dignity. Whilst some may not feel so affected,
others may be uncomfortable with bodily scrutiny and resist collection
of their biometric data. This may be due to religious, sociocultural
or other personal reasons. Human dignity is the basis for human
rights and, therefore, lies at the heart of all potential human
rights violations.
5.2. Right to respect for private life (Article 8 of
the European Convention on Human Rights)
22. Clearly, the evaluation, but even more the collection
and storage of data touch upon the right to respect for private
life as guaranteed by Article 8 of the European Convention on Human
Rights (“the Convention”). Since personal information is capable
of revealing an individual’s identity to a great extent, it is necessary
to handle this information in a sensitive way.
23. Some data need to be collected in order to strike a fair balance
between security and privacy. But the technology in the field is
capable not only of collecting the data required for identification,
but also of revealing a person’s racial origin, medical status,
or other genetic information. Iris scans reveal known or even diseases yet
unknown to the individual. In combination with existing DNA technology
– which in a technical sense is not considered as biometrics, but
faces similar concerns regarding privacy – there is a very high
risk of the complete exposure of a person’s identity.
24. This poses a serious threat to sick and disabled individuals,
in particular in terms of job opportunities, insurance coverage,
etc., and also to an individual’s sexual identity. It contradicts
the right to respect for private life which includes the right to
self-determination in terms of public recognition. Individuals who
have changed their gender would not be recognised on the basis of
their choice, but by biometric data. Those concerned may be exposed
to discrimination and ostracism.
5.3. The prohibition of discrimination (Article 14
of the Convention)
25. The use of biometrics may also raise several concerns
as to its compliance with the principle of non-discrimination, as
set out in Article 14 of the Convention (and Article 1 of its Protocol
No. 12 (ETS No. 177)
. In this context,
we should, in particular, consider the implications of biometric
systems for those with physical disabilities or people whose physical
characteristics do not fit technical requirements. This may in itself
raise data protection concerns as the mere fact of being processed
under an alternative system reveals potentially sensitive information.
Deriving such information from biometrical data may go beyond acceptable
objectives of personal data collection. Increased use of biometrics
could in future lead to stigmatisation and social exclusion of those
who are disabled or those whose physical characteristics are not
easily measurable. Studies have shown longer processing times and
fewer possible methods for disabled individuals in almost all forms
of biometric methods.
26. Individuals are concerned that their biometric data is used
for purposes other than those for which it was originally collected
or other than what was consented to at the time of collection (so-called
“function creep”). The best-known example of this in the biometrics
field is the opening up of the Eurodac site to the police and other
law enforcement agencies. The opening up of large databases such
as this one may enable governments to secretly monitor the activities
of individuals. What is more, such creeping changes may involve
carrying out discriminatory research or sorting subjects into groups
for dubious reasons. The use of biometric data to identify ethnic
minorities for political purposes is a particular cause for concern.
27. The existence of creeping changes in the use of data collected
in the public sector can be explained by the recent tendency of
governments to focus on surveillance, control and fraud detection,
an attitude that is fed by the global fear of terrorism following
the events of 11 September 2001. This emphasis on controlling individuals
has reduced the focus on the need for minimising data collection
and on risk mitigation.
5.4. Right to a fair trial (Article 6 of the Convention)
28. Taking into account the risk of falsification (see
Section 4 above), the use of biometrical data may also put at risk
individuals’ right to a fair trial (as guaranteed in Article 6,
paragraph 1, of the Convention) and, in particular, the principle
of the presumption of innocence (Article 6, paragraph 2
).
An erroneous or manipulated result can have severe consequences
for the individual concerned, for example when a person is falsely
recognised as appearing on a list of wanted criminals. The practical
effect of this could be that the person ends up having to prove
his or her innocence. It is therefore vital that the probabilistic
nature of biometrics is kept in mind and the presumption of innocence
is respected; this principle being a core principle of a democratic
society, it must not – at any point – be turned into the contrary.
29. Taking fingerprints is mostly associated with criminal conviction
because the method has been used for a long time in this field.
Considering that many asylum seekers have already experienced persecution,
the biometric evaluation process may cause psychological trauma.
As the case of
S. and Marper v. the United Kingdom shows,
biometrics may also violate an individual’s right to a fair trial
by not properly differentiating between convicted persons and those
who have not been convicted of any offence.
This
stigmatisation may infringe the presumption of innocence.
5.5. Freedom of movement (Article 2 of Protocol No.
4 to the Convention)
30. At the European level, freedom of movement is guaranteed,
to a certain extent,
by Article 2, paragraph 1, of Protocol
No. 4 to the Convention, and Article 2, paragraph 2, of this protocol
provides for the right to leave any country, including one’s own.
Moreover, citizens of member states of the European Union enjoy
the right to freely move and stay within the member state’s territory
under Article 21 of the Treaty on the Functioning of the European
Union.
As
biometric technology is often used in the field of border controls,
the threat lies in the potential refusal of entry on illegitimate
grounds or due to system errors. If the subject is in addition not properly
informed of the procedures used, he or she may not be in a position
to redress the situation.
6. Legal regulations
31. At present, there is no worldwide instrument dealing
with biometrics. Existing legislation only addresses “personal data”
in general but rarely defines what biometrics actually are. Taking
into account that technology has developed rapidly over the last
few years, regulations must be adapted to achieve a fair balance
between security and human rights issues. The existing general coverage
through personal data regulations may be applicable to biometrics,
but second generation biometrics put human rights at a greater risk
than earlier technologies.
6.1. At the global level: the United Nations
32. Article 17 of the International Covenant on Civil
and Political Rights guarantees the right to respect for privacy.
The United Nations set up general Guidelines for the regulation
of computerized personal data files in 1990.
These
guidelines seek to avoid insecure, inaccurate, discriminating and
unlawful evaluation and processing of personal data. They stress
the importance of earmarked processing and the importance of consent
by the individual. An independent supervisory body shall control
the collecting and processing of data. The principle of proportionality
shall be taken into account and the transborder flow of personal
data shall be subjected to security provisos.
33. Nevertheless, it has to be stressed that the guidelines drawn
up by the United Nations do not specifically address biometric data,
only general personal data; they are therefore somewhat outdated.
6.2. At the regional (European) level
6.2.1. Organisation for Economic Co-operation and Development
35. The OECD advocates limitations regarding the collection of
data, including for legitimate purposes. Like the United Nations,
it stresses the importance of the consent of the data subject and
the need for an independent, strong control mechanism. In the above-mentioned
2004 report, it expressed concern that, even though biometrics can
enhance security when properly used,
there
was still a high risk of system failures.
6.2.2. Council of Europe
6.2.2.1. Article 8 of the Convention and the case law of
the European Court of Human Rights
36. The European Convention on Human Rights and its additional
protocols guarantee several rights and freedoms which may be directly
concerned by the use of biometrical data: right to respect for private
life, right to a fair trial and presumption of innocence, prohibition
of discrimination and freedom of movement. Among these rights, the
right to respect for private life, as stipulated in Article 8 of
the Convention, is of particular importance for individuals in this
context and has been at the origin of a rich case law of the European
Court of Human Rights (“the Court”). However, this right is not
an absolute right, as it may be subject to interferences that are
justifiable according to Article 8, paragraph 2, of the Convention.
Restrictions have to be “in accordance with law” and “necessary
in a democratic society”.
37. Under Article 8 of the Convention, the European Court of Human
Rights has dealt with data protection in numerous cases. However,
although the technology of biometrics is not new, there have not
been many cases explicitly addressing biometrics. This is due to
the fact that the technology has only recently entered into everyday
life.
38. The principle of proportionality plays a key role in the decisions
of the Court. The cases of
Kinnunen v. Finland, Van
der Velden v. the Netherlands, Rotaru v. Romania,
and
W. v. the Netherlands show that the question of privacy
violations have to be answered on a case-by-case basis.
39. The Court’s judgment of 2008 delivered in the case of
S. and Marper v. the United Kingdom stands as a landmark in the field of biometrics.
This case concerns fingerprints and DNA samples that had been collected following
the arrest of the complainants and retained even after their release,
even though the complainants had asked for the destruction of the
samples. The Court held that the long term retention of both fingerprints and
DNA samples interfered with the individuals’ rights to privacy and,
consequently, found a breach of Article 8 of the Convention. This
judgment should be applicable to other biometric data; the case
also highlights the importance of consent of the data subject and
the sensitivity of the data in question.
40. This judgment is also in line with the previous findings of
the Court concerning personal information in secret police registers
and
the taking, retention and determination of DNA samples.
Biometric data that have
been obtained in the course of criminal investigations tend to meet
the legitimate aims requirement for as long as there is a reasonable
suspicion against an individual. Legislation should generally be
precise and provide not only exact definitions of the data in question,
but also clearly state the legitimate purposes for collection, evaluating
and processing such data.
6.2.2.2. Convention for the Protection of Individuals with
regard to Automatic Processing of Personal Data
41. The main legal instrument emanating from the Council
of Europe and relevant for biometrical data is the 1981 Convention
for the Protection of Individuals with regard to Automatic Processing
of Personal Data (ETS No. 108) (“the Data Protection Convention”)
and its Additional Protocol regarding supervisory authorities and transborder
data flows (ETS No. 181).
42. The Data ProtectionConvention
has been ratified by 43 of the 47 member states to date. It aims
to set up better defined standards of privacy protection, and harmonise
and enhance privacy protection in the member states. It was the
first international legally binding document to address such issues.
It defines “personal data” as well as “controller” and “automatic
processing” and thereby follows the regulations which had been established
by the OECD a year before its adoption. It addresses the public
as well as the private sector.
43. Article 5 of the Data Protection Convention sets out the principles
of evaluating and processing personal data (lawful obtention, storage
and use, and accuracy). In terms of data security (Articles 7 and
8), its provisions are rather general (“appropriate measures”),
leaving much discretion to member states’ legislation. The same applies
to sensitive data such as health, sexual life, and political and
religious beliefs. Such data may not be processed automatically,
unless domestic law provides appropriate safeguards (Article 6).
44. Article 5.c requires “adequate, relevant and not excessive”
use of data – an expression of the principle of proportionality
which would benefit from being further strengthened in the light
of the new challenges.
45. Since personal data defines a person in terms of his or her
virtual existence, the right of self-determination has to play a
key role in any legal regulation. Self-determination calls for consent.
While the Data Protection Convention mentions the right of the data
subject to obtain erasure of the collected data (Article 8.c), it
is not clear whether the data subjects retain ownership of their
data and, therefore, whether they are entitled to decide about the
processing of it. Article 8.c thus reveals a certain weakness of
the Data Protection Convention, which is setting up the right instruments
whilst allowing for too many exemptions. Although keeping in mind
that the convention “only” sets out principles that the member states
have to implement, it should push member states towards stricter
regulation.
6.2.2.3. Additional Protocol to the Data Protection Convention
46. In 2001, an additional protocol to the Data Protection
Convention regarding the establishment of supervising authorities
was opened for signature. So far, it has been ratified by 30 member
states. According to this protocol, the Council of Europe member
states are required to put independent control bodies in place.
6.2.2.4. Progress report
47. In 2005, the Council of Europe issued a Progress
report on the application of the principles of Convention 108 to
the collection and processing of biometric data. This report was
prepared by the Council of Europe Consultative Committee of the
Convention for the Protection of Individuals with regard to Automatic
Processing of Personal Data. It contains an analysis of the specificities
of biometrics, a discussion on the criteria for choosing a system
architecture and guidance for the application of convention to biometrics.
In the first place, the problem was whether the convention applies
to biometric data as such,
since
it only addresses personal data. Doubts concerning its applicability
arise from the fact that identification and verification do not
work solely on the biometric information itself but always need
a match in order to identify or verify.
48. Nevertheless, as the process always involves a biometric trait
which is unique to the individual concerned why would it not be
considered as personal data? Considering name or date of birth as
personal data, which are facts relating to a person, one can conclude
a maiore ad minus that body traits
or behaviour are also personal data, since these are not given to
a person but rather are inherent or natural features of each person.
Therefore, there is no need to base the applicability of the Data
Protection Convention solely on the fact of automatic processing
as is done in the report,
but
it can be based on the fact of biometric data being personal data
as well as on the automatic processing aspect.
49. Acknowledging the fact that many aspects of biometrics are
not yet fully known, the report does not provide any final conclusions
and leaves open the possible need to revise the Data Protection
Convention in this respect. Biometric technology can strongly enhance
security, but the line towards human rights infringements may easily
be crossed. Many individuals are not sufficiently aware of the possibility
of losing their privacy in order to gain more convenience and are
willing to use new technologies without further reflection. Keeping
in mind that valid consent cannot be given without the knowledge
of its consequences, awareness of the consequences of the use of
biometric data must be raised.
6.2.3. European Union
6.2.3.1. Charter of Fundamental Rights
50. Whilst it has not been altered in content, an immense
change in the status of the right to privacy and personal data protection
has been brought about by the entry into force of the Treaty of
Lisbon, which has made the European Union Charter of Fundamental
Rights (“the Charter”) binding through Article 6, paragraph 1, of the
Treaty on European Union
and
by the reference to data protection in Article 16 of the Treaty
on the Functioning of the European Union. The Charter not only protects
private life in its Article
7,
but also guarantees
the protection of personal data in Article 8.
The
status of the rights set down in the Charter highlights the importance
of the need to protect such information.
6.2.3.2. Directive 95/46/EC
51. In 1995, the European Parliament and the Council
of the European Union adopted Directive 95/46/EC,
which
deals with protection of individuals with regard to the processing
of personal data and on the free movement of such data. This directive
builds on Article 8 of the European Convention on Human Rights and on
the provisions of Data Protection Convention. Like most of the existing
legislation it does not explicitly deal with biometric data but
more generally with personal data. It is upon this directive that
European Union member states have based their data privacy regimes.
Other instruments have also been adopted at European Union level
as regards personal data protection.
52. Directive 94/46/EC obliges European Union member states to
enact legislation that strikes the right balance between security
and privacy issues. Obviously, the directive does not cover data
protection in non-member states of the Union.
53. Due to globalisation and recent technological developments,
the European Commission, on 4 November 2010, proposed a strategy
to strengthen European Union data protection rules, including the
revision of Directive 95/46/EC. It envisages proposing, in 2011,
a new general legal framework for the protection of personal data
in the European Union,
which,
among other things, will strengthen individuals’ rights in the process
of data collection.
6.2.3.3. Council Regulation (EC) No. 2252/2004
54. Council Regulation (EC) No. 2252/2004
deals
explicitly with the standards for security features and biometrics
in passports and travel documents issued by European Union member
states. The regulation aims to enhance security by harmonising and
providing minimal security standards for biometrics in travel documents
in order to avoid identity fraud and falsification.
55. Privacy issues, however, are only minimally addressed by this
regulation, through the obligation to respect the principle of proportionality
and to state the purpose of evaluating and processing biometric
data. The question of proper storage is not even regulated but left
to the discretion of member states. Nor does the regulation contain
a definition of biometric features or biometric identifiers.
6.2.3.4. Article 29 Data Protection Working Party and the
European Data Protection Supervisor
56. Additionally, as a result of the Directive 95/46/EC,
the Working Party on Article 29 was created as a supervisory body
consisting of members from all European Union member states plus
the later established European Data Protection Supervisor (EDPS).
The working party is an advisory body which helps member states
to correctly set up the framework established by the directive and
to work towards a uniform legislation.
57. The European Data Protection Supervisor was established in
2001. The EDPS’ tasks are similar to those of the working party
and consist of supervision, co-operation with national supervisory
bodies as well as advising.
6.3. At the national level
58. At the national level, very few countries have enacted
general legislation regulating the processing of biometric data.
In most Council of Europe member states, national legislation does
not explicitly mention biometrics. This subject usually falls under
national data protection legislation.
59. Of the 47 Council of Europe member states, 34 have a provision
on data protection in their constitution. Furthermore, most have
specific national legislation covering personal data protection.
Whilst
many states outside Europe have adopted legislation addressing the
public and private sectors in separate laws (or rubrics within the
same legislative framework) covering both sectors separately, most
European states have adopted a single piece of legislation covering
both the public and private sectors.
7. Concluding remarks
60. According to the 2005 progress report of the Council
of Europe Consultative Committee of the Convention for the Protection
of Individuals with regard to Automatic Processing of Personal Data,
“The application of biometrics raises important human rights questions.
The integrity of the human body and the way it is used with regard
to biometrics constitutes an aspect of human dignity …”.
The main human rights problems
caused by the proliferation of biometrics concern the right to privacy,
the right to a fair trial, the presumption of innocence, the freedom
of movement and the prohibition of discrimination. Biometrics is
in its infancy and there is still little knowledge about possible
drawbacks. Once the technique is chosen on a larger scale, an irreversible
development is started with unforeseeable effects. The precautionary
principle requires a certain reticence under these circumstances.
In future, the collection of data might not even be noticed anymore.
Video surveillance programmes are already capable of tracking a
person from a distance. Therefore, whenever biometric data is collected,
this has to be announced clearly to those concerned beforehand,
for example by information signs in public places.
61. Five years after the adoption of the 2005 progress report,
it is time to look closely at biometrics again, bearing in mind
the technological progress made in the meantime. One should also
not forget that second generation biometrics extend their range
and increase their accuracy and intrusiveness. Moreover, it should
be noted that the information available on these issues is often
contradictory, in particular due to the blurring of boundaries between
potential (or future) and current capabilities of biometric applications.
Therefore, a systematic, constantly updated and forward-looking
analysis and assessment of the societal, economic and legal impact
of the increased application of biometrics is needed. The further
development of biometric technologies should be contingent on limiting
their potentially harmful consequences for human rights.
62. Studies have shown a need for clarification in terms of biometric
data since most of the existing legislation only addresses personal
data in broad terms.
Although
open to new developments, broad definitions enhance the risk of
inadequate implementation and legal loopholes. The example of the
European Union Council Regulation No. 2252/2004, which prescribes
the introduction of biometric data in passports, shows that it is
essential to clarify the terms and concepts used as soon as possible.
63. One of the key issues the Council of Europe has to work on
is raising awareness concerning the right to respect for private
life and its scope, including the rules on data protection. While
most Europeans know that they have a right to privacy, which is
most often also guaranteed by their national constitution, many
are not aware of its full extent. Private issues are often not regarded
as such unless the consequences of revealing private data are obvious.
For a little more convenience and a small gain of time, too many
people are willing to disclose personal information. Due to the
fact that data bases can easily be interconnected and combined to generate
a detailed identity profile, the right to privacy is highly at risk.
Regulations are also needed to cover the use of biometrics by the
private sector.
64. Thus the Council of Europe should update its Data Protection
Convention and carefully follow the development of biometric technology
in order to ensure that the legislation adequately meets new challenges. Clear
definitions have to be found in terms of what is biometric data,
what legislation covers such data and who is the data controller.
Whenever data protection legislation is adopted, it has to be guided
by the principles of transparency, consent and proportionality in
order to satisfy not only security interests but also the privacy
and dignity of the individual.
65. The importance of the proper balancing process cannot be stressed
enough. Unfortunately, states tend to collect and store more information
than is necessary, also for future, preventive use, as the recent
complaint by two NGOs against the French regulation of biometric
passports shows.
Therefore,
there is still a lot to be done in terms of legislation, awareness-raising
measures and scientific research.