Biometrics, Privacy and Agency

Abstract

This chapter starts by identifying the basic principles behind data protection law and showing how these principles might affect the choice or even admissibility of the use of certain types of biometrics. We conclude that currently only data relating to identified or identifiable persons are protected. We will argue that the use of second generation biometrics will have to lead to a re-assessment of this traditional data protection approach. We then focus on the case of biometric profiling: existing legal mechanisms cannot offer European citizens effective protection against it. The latter has led to a call for widening the protection currently granted through the regulation of ‘unsollicited communications’ via the new notion of ‘unsollicited adjustments’. This notion of ‘unsollicited adjustments’ would close a legal loophole allowing a situation in which objects that seemingly have a neutral guiding function, in practice secretly track individuals to surreptitiously adapt their performance based on undisclosed criteria. Second generation biometrics applied in real life situations can lead to forms of profiling that leave some of the rights for individual unprotected. We argue that approaching new phenomena such as profiling with heavy prohibitions may block progress or lead to a situation where the prohibitions are not respected. A more subtle approach will render better results and in the regulation of profiling, opacity (prescriptive rules) and transparency tools (making data handling visible and data handlers accountable) can each have their own role to play. In a normative weighing of privacy and other interests, some intrusions will turn out just to be too threatening for fundamental rights whilst others will be accepted and submitted to the legal conditions of transparency and accountability.