Biometric Data in the EU (Reformed) Data Protection Framework and Border Management: A Step Forward or an Unsatisfactory Move?

Simone Casiraghi (Vrije Universiteit Brussel, Belgium) and Alessandra Calvi (Vrije Universiteit Brussel, Belgium)
DOI: 10.4018/978-1-5225-9489-5.ch010

Abstract

Biometrics technologies have been spreading cross-sector in the public and private domains. Their potential intrusiveness, in particular regarding privacy and data protection, prompted the European legislators, in the recent EU data protection reform, to introduce a definition of “biometric data,” and to grant biometric data specific protection, as a “special category of data.” Despite the reformed framework, in the field of border management, the use of biometric data is expected to increase steadily because it is seen as a more efficient and reliable solution. This chapter will look into the reformed data protection and border management legal frameworks to highlight discrepancies between the two, and ultimately assess to what extent the new data protection reformed regime for biometric data is satisfactory.

Introduction

Biometrics technologies, and the consequent processing of biometric data, have been spreading cross-sector and across Europe in recent years, although the use of fingerprints in criminal and civil matters dates back to the 19th Century (Kindt, 2013). The word “biometrics” originates from the Greek “bios” (life) and “metron” (measurement) and indicates, roughly, a set of technologies that process biological or behavioral traits for purposes of recognition.1

A paradigmatic use case of biometrics in the public sector in Europe is that of border management, where processing biometric data for the identification and the verification of the identity of individuals is portrayed as a more secure, efficient and reliable solution, as shown, for example, by the “Smart Border Package” proposed by the European Commission (EC) in 2013 and by the revision of the European Union (EU) large-scale information technology systems (IT systems) in the area of asylum and migration. Large-scale IT systems are just one of the many border management instruments to enable and facilitate the exchange of information between authorities within the EU. This is done through, inter alia, the processing of different types of biometric data on top of more traditional alphanumeric data (i.e. data represented by letters, digits, special characters, spaces, and punctuation marks).2

In recent years, new rules on EU large-scale IT systems were introduced or proposed, and in 2017 the EC proposed to make these information systems interoperable at the EU level. As a result, in early 2019, two regulations for large-scale IT systems interoperability were adopted, one for the EU information systems in the field of borders and visa, and one for the field of police and judicial cooperation, asylum and migration.3 In both frameworks, biometric data is expected to play a key role, to make these systems “interoperable” by, for instance, creating a common search portal and by establishing a common repository with biographic data of the persons whose data are stored in the different IT systems (Fundamental Rights Agency [FRA], 2018, p. 20).

This chapter aims to show the discrepancy between the status of biometric data in these border management instruments and the new status granted to biometric data in the so-called data protection reform package, which includes the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) - other than the Regulation 2018/1725 on the protection of natural persons concerning the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (EUDPR).

The chapter will argue that, despite the efforts to standardize the definition and legal regime of biometric data across the EU, and the safeguards that are in place to protect them in the GDPR, in the LED, and the EUDPR, this is not sufficiently reflected in the case of border management instruments. The main research question will be: to what extent is the new definition and status of biometric data introduced in the reformed data protection framework consistent with the legal framework on the interoperability of EU large-scale IT systems?

The scope of the article is limited to the European Union’s data protection framework, although the authors acknowledge the importance of the Council of Europe’s instruments for privacy and data protection such as the European Convention of Human Rights and the modernized Convention 108.

To support the argument, the structure will be as follows.

In the next section, the chapter will provide an overview of the reformed EU data protection landscape concerning biometric data. The section will briefly sketch the situation before the entry into force of the GDPR, the LED and the EUDPR, the reasons why the legislator took this initiative (high risks to rights and freedoms of data subjects) and then move to the new definition and the legal status of biometric data in those frameworks.

In the following section, the status of biometric data in border management instruments (i.e. large-scale IT systems and interoperability regulations) will be outlined. Afterward, a short comparison between the GDPR, the LED, and the EUDPR on the one hand and border management instruments, on the other hand, will be drawn, to pinpoint how the rigorous definition and safeguards of the former are less clear in the latter.

Key Terms in this Chapter

Biometric Data: In a technical sense, biometric data refer to technical processing that leads from biometric information or characteristics to a (digital) format (e.g. a template) that can be used to recognize individuals. In a legal sense, biometric data are a type of personal data extracted from physical, physiological and behavioral characteristics.

First-Generation Biometrics: First-generation biometrics are more traditional biometrics technologies that rely on physical features like fingerprints or facial image to recognize an individual.

Second-Generation Biometrics: Second-generation biometric technologies are those biometrics that require less human cooperation and can be run in a transparent and “invisible” way to the subjects. This has led to a shift from human eye performed identification (e.g. traditional fingerprint analysis) to increasingly automated, digital and “smart” biometrics. Examples are technologies that measure “motor skills”, electromagnetic body signals or human-computer interaction patterns (Mordini & Tzovaras, 2012, p. 9).

Data Protection Impact Assessment (DPIA): DPIA can be defined as “an evaluation technique used to analyse the possible consequences of an initiative for a relevant societal concern or concerns (i.e. a matter or matters of interest or importance), if this initiative could present danger to these concerns, with a view to supporting an informed decision on whether to deploy the initiative and under what conditions, and it constitutes in the first place a means to protect those concerns” (Kloza et al., 2019, p. 1).

Interoperability: Interoperability refers to the functionality of (large-scale) information systems to exchange data and to enable the sharing of information. In the context of border control, the goal of the EU is to improve its data management architecture by ensuring that border guards, customs authorities, police officers and judicial authorities have the necessary information at their disposal to perform their functions, by overcoming structural shortcomings that impede their work (European Data Protection Supervisor, 2018). Biometric data are a key enabler of interoperability because they are seen as a much more reliable means to identify a person than alphanumeric data (i.e. “data represented by letters, digits, special characters, spaces and punctuation mark”).

Function Creep: The use of (biometric) data for another purpose than that for which it was originally processed.

Identification: Identification refers to the one-to-many process whereby the system compares the captured template with all the available templates to determine the individual’s identity.

Verification: Verification is the one-to-one process whereby a person claims an identity and the system compares the captured biometric template with the stored template corresponding to the claimed identity.
