Biometric data is personal data within the definition of the Data
Protection Act, because the data enables the owner to be identified.
This means that biometric systems must take into account and conform
to data protection legislation. Other legislation such as the Human
Rights Act may also be relevant, particularly to the area of biometric
surveillance. Use of biometrics to “sign” documents or
authorise transactions will have legal implications. This summary
identifies some of the issues of concern and provides guidance to
prospective biometric system implementers on legal considerations
that need to be addressed.
When discussing biometrics in terms of legal aspects we have to distinguish
between the following relevant areas:
The public sector
Within the public sector political decisions play an important role
in interpreting existing law and establishing new regulations. In
this area, use of biometrics will in most cases be mandatory for the
user and mainly based on (new) national and international legislation.
Personal documents
Following the events of 11 September 2001, developments in the area
of personal and travel documents at the international level have been
undertaken by the International Civil Aviation Organisation (ICAO).
Its recommendations will determine the standards and usage of biometrics
in travel documents by member nations, at least in the near future.
The legislation on biometrics and travel documents enacted by the
US Congress shortly after 11 September 2001 has been a major driver
for the ICAO initiative and for related national programmes. The following
new regulations are particularly relevant:
- USA PATRIOT Act, Public Law 107-56, Oct. 26, 2001: mandates development
of a biometric technology standard to detect multiple enrolees in
non-immigrant visa issuance; the focus of system development shall be on
(a) utilization of biometric technology and (b) tamper-resistant documents
readable at ports of entry.
- Enhanced Border Security and Visa Entry Reform Act of 2002, Public Law
107-173, May 14, 2002 (with regard to the Visa Waiver Permanent Program
Act, Public Law 106-396, Oct. 30, 2000): “no later than October 26, 2004,
the Secretary of State and the Attorney General shall issue to aliens only
machine-readable, tamper-resistant visas and other travel and entry
documents that use biometrics”; certification by visa-waiver programme
countries that they have a programme to incorporate biometrics in their
passports in compliance with ICAO biometrics standards.
The law enforcement sector / Immigration and Asylum
This sector is an area of the public sector which needs particular
attention in regard to biometrics. There is specific legislation which
allows, for example, the taking of fingerprints in criminal cases under
certain conditions. In the UK the Police and Criminal Evidence Act 1984
and the Criminal Justice and Police Act 2001 are relevant. In Germany
there is the Criminal Law and the Law of Criminal Procedure, which allow
the taking of fingerprints, as well as the DNA Identification law, which
rules on when and how DNA is allowed to be taken. In both countries AFIS
systems are in place, which are used both to record fingerprint data from
convicted criminals and to identify suspects from samples taken from
crime scenes. At the European level EURODAC started its official
work in January 2003. The system is used to store fingerprints from
asylum seekers all over the EU and the other countries that signed the
Dublin treaty. The AFIS system is centrally installed in Brussels
and can transfer the stored fingerprints to all 16 EU Member States
in order to check them against criminal databases for fighting illegal
immigration. With regard to visas and other residence documents for
aliens, the use of biometrics is already in operation. In the UK the
Immigration and Asylum Act 1999 allows fingerprints to be taken from
anyone claiming asylum and certain other categories. For example, the
Immigration and Asylum Fingerprint System (IAFIS) has been used by the
immigration service since spring 2001. Here, a full set of fingerprints
is recorded from all applicants, aimed at the detection of multiple
enrolees. In Germany, the possibilities of taking biometric features from
asylum seekers and other non-immigrant residents have been widened after
the 11 September 2001 regulations.
The private sector
E-Commerce, electronic signature
For e-commerce applications, biometrics can potentially help to achieve
stronger legal binding, for example with respect to electronic signatures.
Some national regulations already authorise the use of biometrics
for a high security level electronic signature (“qualified signature”)
under certain (technical) conditions (e.g. Common Criteria certification
of systems). According to European Directives, for the so-called qualified
electronic signature, the use of biometrics to enable the secure signature
creation device has gained legal acceptance through electronic form
and specific evidence rules. This is valid in at least some European
member states. On this basis, biometrics will gain legal importance
in electronic legal transactions as soon as they are used within
qualified electronic signatures. In terms of legal liability and evidence,
biometrics offer a better opportunity to actually bind an electronic
transaction and indicate an expression of intent by the signatory.
Whereas with traditional means such as PINs and passwords the recipient
of an electronic declaration cannot be sure of the person who sent
the message, with appropriately secure biometrics the authenticity
of the declaration could be better assured. It is important to note
that the legal liability of biometrics in terms of allocation of a
declaration depends heavily on the proven level of security and liability
of the biometric used. In this regard evaluation and certification
will play an important role in court cases.
Contractual Issues
In the contractual area the distribution of liability is going to
become increasingly relevant the more companies ask their customers
to use biometrics. For instance, a relevant question is: to what extent
can a user become liable for a failure of the biometric system? The
operator might want to assign the legal liability, e.g. for a financial
loss caused by the non-function of the system, to the user, claiming
that he or she did not take care of his or her biometric feature well
enough. According to the principle of appropriateness this will also
be a question of who has to bear the consequences of malfunction
of the system in general. In most cases, for example when technical
problems occur, the operator will have to take full responsibility.
Also, the user cannot be made responsible for non-function of the system
due to normal and acceptable changes of his or her biometric feature. Last
but not least, in business-to-business relations licences and patents
are important to consider in order to protect proprietary products,
inventions and innovations as well as copyrights.
Working Place
With regard to biometrics as physical or logical access control in
working environments, in some European countries specific regulations
need to be taken into account. The use of biometrics at the working
place can also be focussed on monitoring employees. The working place
needs special consideration due to the dependence of the employee
on his or her work and therefore the minor importance of an actual
declaration of consent. In order to protect the rights of the employees,
in particular with regard to their privacy, it will often make sense to
involve employee councils or organisations to negotiate sensible use and
management of the biometric data. In Germany, for example, there are clear
legal provisions which need to be considered and which in either case
require the participation of the works council.
See also:
Management Summary MS06 - Privacy Issues and
Biometrics
The UK Biometric Working Group, managed by CESG, supports the UK government
and provides advice and information about the implementation and use
of biometric authentication systems.
For further details telephone +44 (0) 1242 221491 extension 34124