I interviewed Peter Hustinx, the EDPS (European Data Protection Supervisor), for the European Biometrics Forum recently. Transcript below.
Johnny Ryan: On 3 March, in your preliminary comments on the European Commission’s package of border proposals, you noted that you had not been consulted during the drafting process. Again, your opinion of 26 March 2008 noted that the Commission had failed to adhere to its legal obligation to consult you in drafting its Proposal of 18 October 2007. Is there a flaw in the process, why have you not been consulted?
Peter Hustinx: Some Commission services are apparently still not completely aware of the legal obligations they have to comply with. However, this is not representative as cooperation with the Commission services is fruitful and satisfactory in most cases. The EDPS will continue to raise awareness on this point in a constructive way.
Johnny Ryan: You raised a number of concerns over the proposed entry-exit system and registered traveller programme in early March. Has any subsequent progress been made? The EBF has learned that these systems are not expected to be in place before 2015 – might this allow sufficient time for the testing of standards of data protection?
Peter Hustinx: As you rightly observe, these systems are part of a long term policy view. This view has been presented through a communication of the Commission. We therefore expect that further discussion and debate will take place – both in Parliament and in Council – before a formal proposal is issued. However, the impact of the proposed systems is such that we have made preliminary comments at this stage in order to contribute to the debate. It should also be kept in mind that the results obtained with a similar system already implemented (US visit) are far from satisfactory, considering the investment, the goal and the constraints, according to US GAO reports. The EU would be very wise to draw lessons from these reports.
Johnny Ryan: The EBF recently interviewed Ilkka Laitinen, Executive Director of Frontex, who stated that he saw no alternative to “the comprehensive and systematic use of biometric features” as the future path for border security. Yet on 8 March, you issued an Opinion which referred to the “inherent imperfections of biometric systems”. Could you outline what you see as the limitations of biometrics?
Peter Hustinx: Biometrics can have great added value, but should not be seen as a silver bullet. By the same token, we cannot reduce the border security policy to a single technology. In my view, a wider and technology neutral approach would be more appropriate. Technological tools are usually only a part of far bigger and more complex systems. If a system is already badly designed, biometrics will offer nothing more.
The “inherent imperfections” of biometric systems are – briefly put – the result of various problems in the enrolment phase, unavoidable errors at different stages, and a lack of agreed quality standards, as I have already observed in different opinions (SISII, VIS etc). A greater awareness of these imperfections in policy discussions and projects would be a welcome first step.
In order to benefit from the added value they are still promising, biometrics need to be implemented in a professional way which should concretely take into account their limits. For instance, a biometric system implemented without or with very poor fallback procedure is a system that will never reach its expected efficiency and will face a very low acceptation level.
Johnny Ryan: Biometrics appears to be growing in importance, in policing, border security and now in the financial services sector. There appears to be a lack of dialogue between the policy community, privacy advocates and regulators, technology providers, and users. Do you think there is a need for a platform for considered dialogue among key stakeholders, particularly on the recent proposals concerning biometrics?
Peter Hustinx: The European Parliament already provides a good platform for dialogue. The European Commission could also launch targeted public consultations on specific aspects of biometrics. The industry – together with data protection authorities – could also identify Best Available Techniques, as well as develop a code of conduct through constructive dialogue. Here again the Commission could facilitate this dialogue.
Johnny Ryan: One issue that could be considered is the use of biometrics in a registered traveller system. It seems that there are two possible ways that biometrics could be used: first, it could simply be a means of proving that a given identity document (i.e. passport, smartcard, token, …) was in fact related to the person who presents it (the operational biometric); second, it could also be used to perform background checks at registration using, at the very least the VIS/SIS-II + BMS and national criminal databases. Are you concerned that these two very different uses might raise questions on function creep? What measures could be taken to prevent this?
Peter Hustinx: The question to come first is not the way in which biometrics should be used (authentication, background check, etc.), but for which purposes and by whom. VIS and SIS II have defined and limited purposes which have to be respected. It is not yet obvious to which category – business or national security – a registered traveller system belongs. Mixing the two would in any case be inappropriate.