D 2.1 Privacy, Data Protection and Ethical Issues in New and Emerging

Project acronym: PRESCIENT Project title: Privacy and emerging ﬁelds of science and technology: Towards a common framework for privacy and ethical assessment Project number: 244779 Programme: Seventh Framework Programme for research and technological development Objective: SiS-2009-1.1.2.1: Privacy and emerging ﬁelds of science and technology: ethical, social and legal aspects. Contract type: Collaborative project Start date of project: 1 January 2010 Duration: 36 months

Deliverable 2: Privacy, data protection and ethical issues in new and emerging technologies: Five case studies

Editors: Rachel Finn and David Wright, Trilateral Research & Consulting Authors: Rachel Finn, Michael Friedewald, Raphael Gellert, Serge Gutwirth, Bärbel Hüsing, Piret Kukk, Emilio Mordini, Philip Schütz, Silvia Venier, David Wright Dissemination level: Public Deliverable type: Report Version: 1.0 Due date: 30 September 2011 Submission date: 25 November 2011 Terms of use

This document was developed within the PRESCIENT project (see http://www.prescient-project. eu), co-funded by the European Commission within the Seventh Framework Programme (FP7), by a consortium, consisting of the following partners:

Fraunhofer Institute for Systems and Innovation Research (co-ordinator), • Trilateral Research Consulting LLP, • Centre for Science, Society and Citizenship, and • Vrije Universiteit Brussel • This document is intended to be an open specification and as such, its contents may be freely used, copied, and distributed provided that the document itself is not modified or shortened, that full authorship credit is given, and that these terms of use are not removed but in- cluded with every copy. The PRESCIENT partners shall take no liability for the complete- ness, correctness or fitness for use. This document is subject to updates, revisions, and ex- tensions by the PRESCIENT consortium. Address questions and comments to: coordinator@ prescient-project.eu Table of Contents

! Chapter 1, Introduction: Privacy, data protection and ethical issues in new and emerging technologies ...... 5! 1.1! Introduction ...... 6! 1.2! Methodology ...... 6! 1.3! Outline of the Report...... 6! Chapter 2, RFID-enabled contactless cards for public transport: security, privacy, ethics and legislation...... 10! 2.1! Introduction ...... 11! 2.2! Current status of RFID-enabled travel cards and expected progress in the near future.. 11! 2.3! Stakeholders (industry, etc.) and drivers driving the development of RFID-enabled travel cards ...... 14! 2.3.1! Beneficiaries of RFID travel cards ...... 16! 2.4! Privacy impacts and ethical issues raised by RFID-enabled travel cards ...... 16! 2.5! Extent to which the existing legal framework addresses the privacy impacts ...... 21! 2.6! Need for new legislation, codes of conduct, etc. to deal with privacy impacts not covered by the existing framework and how to deal with ethical issues ...... 25! 2.7! Conclusion...... 27! 2.8! References ...... 28! Chapter 3, Privacy, data protection and policy issues in RFID enabled e-Passports...... 31! 3.1! Introduction ...... 32! 3.2! RFID – State of the Art ...... 32! 3.2.1! RFID tags ...... 32! 3.2.2! RFID readers...... 33! 3.2.3! RFID backend systems and middleware ...... 34! 3.2.4! RFID functionalities...... 34! 3.2.5! The e-passport...... 35! 3.3! Stakeholders and drivers behind the development of the technology...... 38! 3.3.1! Governments...... 38! 3.3.2! International Organisations...... 38! 3.3.3! Industry Players ...... 39! 3.3.4! Non-Governmental Organisations ...... 39! 3.3.5! End users...... 40! 3.4! Privacy and security issues...... 41! 3.4.1! Shortcomings in the security of the passport ...... 41! 3.4.2! Security threats/data processing operations that threaten the privacy...... 43! 3.4.3! Privacy violations...... 45! 3.4.4! Privacy and securities issues with the e-passport: some additional thoughts ...... 46! 3.5! Extent to which the existing legal framework addresses the privacy impacts ...... 47! 3.5.1! Applicability of the e-directive ...... 48! 3.5.2! The Data Protection Directive ...... 49! 3.6! Need for new legislation, codes of conduct, etc...... 52! 3.7! Privacy legislation and RFID, what conclusions?...... 55! 3.8! References ...... 57!

Chapter 4, Privacy, Data Protection and Ethical Concerns in relation to New Technologies of Surveillance: ...... 60! 4.1! Introduction ...... 61! 4.2! Methodology ...... 61! 4.3! Body scanners, security and privacy ...... 61! 4.3.1! Introduction...... 61! 4.3.2! Current status of the technology and expected progress in the near future ...... 62! 4.3.3! Stakeholders and drivers driving the development of the technology...... 67! 4.3.4! Privacy impacts and ethical issues raised by the technology ...... 70! 4.3.5! Extent to which the existing legal framework addresses the privacy impacts ...... 73! 4.3.6! Need for new legislation, codes of conduct etc. to deal with privacy impacts not covered by the existing framework and how to deal with ethical issues ...... 78! 4.3.7! Discussion ...... 83! 4.4! Unmanned aircraft systems, surveillance, safety and privacy ...... 83! 4.4.1! Introduction...... 83! 4.4.2! Current status of the technology and expected progress in the near future ...... 85! 4.4.3! Stakeholders and drivers driving the development of the technology...... 92! 4.4.4! Privacy impacts and ethical issues raised by the technology ...... 95! 4.4.5! Extent to which the existing legal framework addresses the privacy impacts ...... 98! 4.4.6! Need for new legislation, codes of conduct etc. to deal with privacy impacts not covered by the existing framework ...... 101! 4.4.7! Discussion ...... 101! 4.5! Conclusion...... 102! 4.6! References ...... 102! Chapter 5 – Second-generation Biometrics ...... 111! 5.1! Introduction to the field...... 112! 5.2! Current status of second-generation biometrics and expected progress ...... 112! 5.2.1! Overview of biometric systems...... 112! 5.2.2! State of the art of second-generation biometrics ...... 115! 5.3! Drivers and barriers to second-generation biometrics...... 122! 5.4! Applications ...... 124! 5.4.1! Traditional biometrics...... 125! 5.4.2! Future biometrics: surveillance and ambient intelligence applications...... 127! 5.4.3! Online and on-the-cloud biometrics...... 128! 5.5! Privacy impacts and ethical issues of second-generation biometrics...... 129! 5.5.1! Human dignity and the informatisation of the body...... 130! 5.5.2! Function creep...... 131! 5.5.3! Privacy and data protection concerns ...... 131! 5.5.4! Profiling and surveillance...... 133! 5.5.5! Social inclusion/exclusion, risk of stigmatisation, discrimination, digital divide...... 133! 5.6! Extent to which the existing legal framework addresses the privacy and data protection impacts ...... 134! 5.7! Need for new legislation, codes of conduct to deal with privacy impacts ...... 136! 5.8! Conclusions ...... 137! 5.9! References ...... 138! Chapter 6, Privacy, data protection and policy issues in next generation DNA sequencing technologies...... 143! 6.1! Introduction to the field...... 144! 6.2! Current status of the DNA sequencing technology and expected progress ...... 145!

6.2.1! Introduction into DNA sequencing and sequence analysis...... 145! 6.2.2! The first wave of DNA sequencing – Sanger technique ...... 146! 6.2.3! State of the art of DNA high throughput sequencing technology...... 147! 6.2.4! "Third-generation" DNA sequencing...... 148! 6.3! Next and third-generation DNA sequencing applications...... 150! 6.3.1! High throughput sequencing uses in research ...... 150! 6.3.2! Next generation sequencing applications in health care ...... 152! 6.3.3! Forensics ...... 155! 6.4! Stakeholders and drivers behind the development and use of the technology...... 158! 6.4.1! Industry...... 158! 6.4.2! Stakeholders in research and research policy ...... 159! 6.4.3! Health care and direct-to-consumer genetic profiling...... 160! 6.4.4! Forensics ...... 161! 6.5! Privacy impacts and ethical issues raised by the whole DNA sequencing technology. 161! 6.5.1! Features of genomic information ...... 161! 6.5.2! Overview of data protection issues and possible privacy infringements ...... 162! 6.5.3! Privacy issues in research...... 164! 6.5.4! Health care and direct-to-consumer genomic profiling...... 165! 6.5.5! Privacy issues in forensics ...... 166! 6.6! Extent to which the existing legal framework addresses the privacy impacts ...... 167! 6.6.1! Current regulations in forensics ...... 168! 6.7! Conclusions ...... 168! 6.8! References ...... 171! Chapter 7, Technologies for Human Enhancement and their impact on privacy ...... 175! 7.1! Introduction ...... 176! 7.2! Human enhancement – An overview ...... 177! 7.2.1! Attempts to categorise “Human Enhancement” ...... 177! 7.2.2! Various fields of applications...... 179! 7.2.3! Actors and beneficiaries of human enhancement...... 185! 7.3! Risks to data protection and privacy ...... 188! 7.3.1! Different impacts on data protection and privacy ...... 188! 7.3.2! Different levels of data protection...... 192! 7.4! Regulation strategies ...... 193! 7.5! Conclusion...... 194! 7.6! References ...... 195! Chapter 8, Legal Uncertainties ...... 199! 8.1! Methodological Remarks ...... 200! 8.2! Whole genome sequencing...... 201! 8.2.1! The nature of genetic data, and the ensuing consequences for the applicability of the data protection Directive and the ECHR...... 201! 8.2.2! Data protection Principles...... 202! 8.2.3! Privacy and biobanks ...... 206! 8.3! Unmanned Aircraft Systems ...... 207! 8.3.1! UASs and the right to privacy ...... 207! 8.3.2! Data protection perspective ...... 209! 8.4! Body Scanners...... 210! 8.4.1! Do they constitute an interference with the right to private life? ...... 210! 8.4.2! Data Protection perspective...... 211! 8.5! RFID: biometric passport and Travel cards ...... 213!

8.6! Second-generation biometrics: behavioural and soft biometrics and human enhancement technologies ...... 214! 8.6.1! Second-generation biometrics...... 214! 8.6.2! Human enhancement technologies...... 215! 8.7! Conclusions ...... 216! 8.8! References ...... 218! Chapter 9, Synthesising privacy and data protection considerations ...... 220! 9.1! Introduction ...... 221! 9.2! Privacy, Data Protection and ethical issues in case studies...... 221! 9.2.1! RFID 221! 9.2.2! New surveillance technologies ...... 224! 9.2.3! Second-generation biometrics...... 227! 9.2.4! Second-generation DNA sequencing technologies ...... 229! 9.2.5! Human enhancement ...... 232! 9.3! Synthesising types of privacy, case studies and privacy impacts ...... 234! 9.3.1! Privacy of the person ...... 234! 9.3.2! Privacy of thoughts and feelings ...... 235! 9.3.3! Privacy of location and space ...... 236! 9.3.4! Privacy of data and image ...... 237! 9.3.5! Privacy of behaviour and action ...... 238! 9.3.6! Privacy of personal communication...... 239! 9.3.7! Privacy of association, including group privacy ...... 240! 9.3.8! Synthesising aspects of privacy ...... 240! 9.4! The existing legal framework and potential privacy implications ...... 242! 9.5! Considering ethical and social issues ...... 242! 9.6! Policy recommendations ...... 244! 9.7! References ...... 246!

Chapter 1, Introduction: Privacy, data protection and ethical issues in new and emerging technologies

Rachel Finn and David Wright Trilateral Research & Consulting, LLP

1.1 INTRODUCTION

The first PRESCIENT deliverable examined the legal, social, economic and ethical concep- tualisations of privacy and data protection. It discussed these two legal concepts and explored how they might be balanced against other values or rights such as security. The report also made general suggestions about how both privacy and data protection might be challenged by new and emerging technologies, particularly in relation to ICT and surveillance technologies. This report develops these ideas further through the use of five different case studies to spe- cifically examine how gene