FIDIS Future of Identity in the Information Society Title: “D13.4: The privacy legal framework for biometrics” Authors: WP13.4 Editors: Els Kindt (K.U.Leuven, Belgium), Lorenz Müller (AxSionics, Switzerland) Reviewers: Jozef Vyskoc (VAF, Slovakia), Martin Meints (ICCP, Germany) Identifier: D13.4 Type: Deliverable Version: 1.1 Date: 8 May 2009 Status: Final Class: Public File: Summary The present report reviews the fundamental right to privacy and data protection which shall be assured to individuals and the Directive 95/46/EC which provides more detailed rules on how to establish protection in the case of biometric data processing. The present framework does not seem apt to cope with all issues and problems raised by biometric applications. The limited recent case law of the European Court of Human Rights and the Court of Justice sheds some light on some relevant issues, but does not answer all questions. The report provides an analysis of the use of biometric data and the applicable current legal framework in six countries. The research demonstrates that in various countries, position is taken against the central storage of biometric data because of the various additional risks such storage entails. Furthermore, some countries stress the risks of the use of biometric characteristics which leave traces (such as e.g., fingerprint, face, voice…). In general, controllers of biometric applications receive limited clear guidance as to how implement biometric applications. Because of conflicting approaches, general recommendations are made in this report with regard to the regulation of central storage of biometric data and various other aspects, including the need for transparency of biometric systems. Copyright © 2004-09 by the FIDIS consortium - EC Contract No. 507512 The FIDIS NoE receives research funding from the Community’s Sixth Framework Program FIDIS D13.4 Future of Identity in the Information Society (No. 507512) Copyright Notice: This document may not be copied, reproduced, or modified in whole or in part for any purpose without written permission from the FIDIS Consortium. In addition to such written permission to copy, reproduce, or modify this document in whole or part, an acknowledgement of the authors of the document and all applicable portions of the copyright notice must be clearly referenced. All rights reserved. PLEASE NOTE: This document may change without notice – Updated versions of this document can be found at the FIDIS NoE website at www.fidis.net. Final , Version: 1.1 Page 2 File: fidis_deliverable13_4_v_1.1.doc FIDIS D13.4 Future of Identity in the Information Society (No. 507512) Members of the FIDIS consortium 1. Goethe University Frankfurt Germany 2. Joint Research Centre (JRC) Spain 3. Vrije Universiteit Brussel Belgium 4. Unabhängiges Landeszentrum für Datenschutz (ICPP) Germany 5. Institut Europeen D'Administration Des Affaires (INSEAD) France 6. University of Reading United Kingdom 7. Katholieke Universiteit Leuven Belgium 8. Tilburg University1 The Netherlands 9. Karlstads University Sweden 10. Technische Universität Berlin Germany 11. Technische Universität Dresden Germany 12. Albert-Ludwig-University Freiburg Germany 13. Masarykova universita v Brne (MU) Czech Republic 14. VaF Bratislava Slovakia 15. London School of Economics and Political Science (LSE) United Kingdom 16. Budapest University of Technology and Economics (ISTRI) Hungary 17. IBM Research GmbH Switzerland 18. Centre Technique de la Gendarmerie Nationale (CTGN) France 19. Netherlands Forensic Institute (NFI)2 The Netherlands 20. Virtual Identity and Privacy Research Center (VIP)3 Switzerland 21. Europäisches Microsoft Innovations Center GmbH (EMIC) Germany 22. Institute of Communication and Computer Systems (ICCS) Greece 23. AXSionics AG Switzerland 24. SIRRIX AG Security Technologies Germany 1 Legal name: Stichting Katholieke Universiteit Brabant 2 Legal name: Ministerie Van Justitie 3 Legal name: Berner Fachhochschule Final , Version: 1.1 Page 3 File: fidis_deliverable13_4_v_1.1.doc FIDIS D13.4 Future of Identity in the Information Society (No. 507512) Versions Version Date Description (Editor) 0.1 11.01.2008 Suggested Table of Contents for Country Contributions (Els Kindt) 0.2 15.03.2008 First draft of privacy legal framework and country reports for Belgium and France (Els Kindt and Fanny Coudert) 0.3 15.05.2008 Updated draft of privacy legal framework for biometrics in the European Union (Els Kindt) 0.4 16.02.2009 Updating draft and country reports for Belgium and France and integration of draft country report for Switzerland (Els Kindt) 0.5 12.03.2009 Collection of country reports for Germany and United Kingdom and providing comments (Els Kindt) – Drafting introduction, conclusions and recommendations (Els Kindt) 0.6 24.03.2009 Finalizing first draft and internal posting (Els Kindt) 0.7 01.04.2009 Collection of the country report for the Netherlands and providing comments (Els Kindt) and integration of country reports for Germany, the Netherlands and the United Kingdom 0.8 04.04.2009 Finalizing first completed draft ; review and finalizing introduction, conclusions, and recommendations (Els Kindt) Internal posting for review and input contributors on recommendations (Els Kindt) 0.9 22.04.2009 Finalizing completed draft and internal posting for internal review (Els Kindt) 1.0 08.05.2009 Final draft including comments of reviewers and submitted to the Commission for external review (Els Kindt) Final , Version: 1.1 Page 4 File: fidis_deliverable13_4_v_1.1.doc FIDIS D13.4 Future of Identity in the Information Society (No. 507512) Foreword FIDIS partners from various disciplines have contributed as authors to this document. The following list names the main contributors for the chapters of this document: Chapter Contributor(s) Executive Summary Els Kindt (K.U.Leuven) 1 Introduction Els Kindt (K.U.Leuven) 2 The Privacy Legal Els Kindt (K.U.Leuven) ; Suad Cehajic & Annemarie Sprokkereef Framework (TILT) (section 2.3 (pp. 28-29) and section 2.4) 3. Belgium Els Kindt (K.U.Leuven) 4. France Els Kindt (K.U.Leuven), Fanny Coudert (K.U.Leuven) (section 4.3.4 and section 4.5 (p.63)) 5. Germany Suad Cehajic & Annemarie Sprokkereef (TILT) 6. The Netherlands Paul De Hert & Annemarie Sprokkereef (TILT) 7. Switzerland Emmanuel Benoist (VIP) 8. The United Suad Cehajic & Annemarie Sprokkereef (TILT) Kingdom 9. Conclusions and Els Kindt, Jos Dumortier (K.U.Leuven), with review and input by Recommendations Lorenz Müller (AxSionics, Switzerland) and Emmanuel Benoist (VIP) Bibliography & Els Kindt (K.U.Leuven) Glossary Final , Version: 1.1 Page 5 File: fidis_deliverable13_4_v_1.1.doc FIDIS D13.4 Future of Identity in the Information Society (No. 507512) Table of Contents Executive Summary ................................................................................................................. 9 1 Introduction ....................................................................................................................10 2 The privacy legal framework for biometrics in the European Union ....................... 12 2.1 Introduction .............................................................................................................. 12 2.2 Fundamental rights in the European Union: Right to respect for privacy and the right to data protection ......................................................................................................... 14 2.2.1 Article 8 of the European Convention on Human Rights ................................ 14 2.2.2 Articles 7 and 8 of the EU Charter................................................................... 20 2.3 The Data Protection Directive 95/46/EC ................................................................. 21 2.4 The Framework Decision on the protection of personal data in the field of police and judicial cooperation in criminal matters ........................................................................ 28 2.5 A selective overview of opinions of the Article 29 Working Party and the EDPS on biometrics ............................................................................................................................. 30 2.5.1 Opinions and comments on the processing of biometrics in general............... 30 2.5.2 The use of biometrics in specific large scale systems in the EU...................... 32 2.6 The role of the National Data Protection Authorities .............................................. 36 2.7 Preliminary conclusion............................................................................................. 38 3 Belgium............................................................................................................................ 40 3.1 Introduction .............................................................................................................. 40 3.2 The spreading of biometric applications .................................................................. 40 3.2.1 Fields in which biometric applications are implemented................................. 40 3.2.2 National studies and debate about biometrics.................................................. 42 3.3 Legislation regulating the use of biometric data ...................................................... 43 3.3.1 General and specific privacy legal framework for biometrics ......................... 43 3.3.2 Legal provisions for government controlled ID biometric applications (passports, other civil ID biometric applications and law enforcement).........................