Privacy Studies
UNITED STATES FEDERAL LAWS REGARDING PRIVACY AND PERSONAL DATA AND APPLICATIONS TO BIOMETRICS
This report demonstrates that the use of biometrics as part of the Nation's efforts to increase security and
protect against future terrorist attacks is not at odds with the protection of privacy and civil liberties. This
report further demonstrates how, under the current legal system and state of the law, biometrics can legally be
used as a means to verify identity in virtually any situation and, under certain circumstances, to positively
identify individuals through the use of databases.
United States Federal Laws Regarding Privacy and Personal Data and Applications to Biometrics
demonstrates how, under the current U.S. legal system and state of the law at the federal level, use of biometrics as a
means to verify identity in virtually any situation is consistent with the law. The report also illustrates how, under
certain circumstances, using biometrics to identify individuals through the use of databases is acceptable without
sacrificing the objective of maintaining and protecting personal privacy. The report was provided, on request, to the
Department of Homeland Security and the Interagency Working Group on Biometrics chaired by the White House Office of
Science and Technology.
The report highlights the distinctions in biometric recognition between identification and verification techniques and
discusses how each method relates to privacy laws and issues. Generally, biometric "identification" performs a
"one to many" search of extensive databanks to find a match. Because such databanks may contain or be linked
to personal information, and because identification applications can be used without the subject's knowledge or
consent, such as in surveillance, the privacy concerns are intensified. Biometric verification systems that use a
"one to one" match are generally designed to be used on a voluntary basis. They only require two pieces of
information: something representing your identity (such as a user name to retrieve your biometric template or a smart
card with your template embedded in it) and your biometric feature or information (such as your hand to create your hand
geometry template) presented for the match. Verification systems can be connected to databanks, but unlike identification
systems a database is not a necessary component. The need for the subject's consent and the lack of a databank
requirement greatly reduce the privacy concerns.
Table of Contents
| Section | Page |
| --- | --- |
| I. Introduction | 4 |
| II. Privacy Law Applicable to the Public Sector | 13 |
| A. Constitutional Privacy Law | 14 |
| 1. Specific Constitutional Provisions | 15 |
| a. First Amendment | 15 |
| b. Third Amendment | 16 |
| c. Fourth Amendment | 16 |
| d. Fifth Amendment | 17 |
| e. Ninth Amendment | 17 |
| f. Fourteenth Amendment | 18 |
| 2. Case Law Examination of the Right to Privacy | 19 |
| a. Informational Privacy | 20 |
| b. Physical Privacy: Privacy in One’s Personal Space | 27 |
| c. Physical Privacy: Privacy in One’s Body | 32 |
| B. Statutory Privacy Laws | 41 |
| 1. The Privacy Act of 1974 & FOIA | 41 |
| a. What is a Record? | 42 |
| b. What is a System of Records? | 48 |
| c. Privacy Act Requirements and Penalties for Noncompliance | 49 |
| d. The Computer Matching and Privacy Act of 1988 | 50 |
| 2. Executive Order 12333 | 52 |
| III. Privacy and National Security | 57 |
| A. National Security Laws | 58 |
| B. Immigration Laws | 63 |
| C. International Considerations | 65 |
| IV. Privacy Law Applicable to the Private Sector | 68 |
| A. HIPAA | 69 |
| B. Statutes Governing Banks | 72 |
| 1. The Gramm-Leach-Bliley Act | 72 |
| 2. The Right to Financial Privacy Act | 73 |
| 3. The Bank Secrecy Act | 74 |
| 4. The Electronic Funds Transfer Act | 74 |
| 5. The Fair Credit Reporting Act | 74 |
| C. Statutes Governing Computers | 75 |
| 1. The Computer Security Act of 1987 | 75 |
| 2. The Computer Fraud and Abuse Act | 75 |
| V. Common Law Tort Privacy Rights | 77 |
| VI. Conclusion: Impact of United States Privacy Law on the Use of Biometrics | 79 |
| Glossary of Terms | 91 |
| Bibliography | 92 |
| Appendix A: Pending Legislation | 98 |
____________
REPORT ON INTERNATIONAL DATA PRIVACY LAWS AND APPLICATION TO THE USE OF BIOMETRICS IN THE
UNITED STATES
Presented in Two Parts:
Part One: Report on the State of International Privacy Laws and Application to Biometrics and Their Impact on
the United States
The purpose of this report is to understand international privacy law and its impact on the use of biometric recognition
technology both in the United States in isolation and on a global scale. The focus of the government and concerned
citizens should not be on preventing the use of the technology, but instead on controlling that aspect of its use
that coincides with personal data and privacy considerations.
Resistance to both U.S. and foreign biometric privacy legislation has come from both sides of the fence. Some proponents of
biometric recognition technology are concerned that any legislation will restrict the currently legal uses of biometrics.
Opponents of biometric recognition technology (on the basis of its perceived threat to privacy) are concerned that legislation
will condone the use of such technology on a broad or unrestricted scale. NBSP concludes that the best compromise is
implementation of data privacy policy and/or legislation that takes into consideration: (a) the fact that most overt and
consensual uses of biometric recognition technology are legal and non-intrusive; (b) that public concerns over misuses
(such as could occur with databases or unrestricted data-mining) should be competently addressed; and (c) participation in
global privacy standards will enhance proper and effective use of the technology.
Part Two: Report on Privacy Laws of The EU and Select Countries
This report examines the privacy laws, namely data privacy laws, in the European Union and four other leading industrialized
nations and OECD member countries: Canada, Australia, New Zealand, and Japan.1
This report begins with a discussion of the OECD Guidelines and its eight data privacy principles, which have formed the bases
for many of the data privacy laws in the countries examined in this report. The report next discusses the privacy laws that have
developed in the European Union. Next, the report discusses the federal privacy laws of Canada, Australia, New Zealand, and
Japan, and how each of these four countries has looked to either the EU, the OECD Guidelines, or both in developing and
crafting their respective national privacy laws and principles. For example, in the background section of Australia's
Guidelines to the National Privacy Principles, the Office of the Federal Privacy Commissioner of Australia states that
Australia's privacy laws and principles "reflect the ideas that have been developed internationally and, in particular,
the OECD Guidelines. A growing number of other countries, including New Zealand, Hong Kong, Canada, and many European nations,
have also adopted privacy laws." 2
In discussing each country (and the EU), this report provides a brief overview of the country's government and legal
system. It will then go into a detailed discussion of the privacy laws, in particular, the data privacy laws, and provide
an analysis of the interplay of such privacy laws and the impact on local and worldwide use of biometric recognition
technology. Also included is a summary of some of the applications of biometric recognition technology in each country and
in the EU.
Table of Contents
| Section | Page |
| --- | --- |
| PART ONE: Report on the State of International Privacy Laws and Application to Biometrics and Their Impact on the United States | 4 |
| PART TWO: Report on Privacy Laws of the EU and Select Countries | |
| I. Introduction | 12 |
| II. The OECD Guidelines | 14 |
| III. European Union | 19 |
| IV. Canada | 65 |
| V. Australia | 83 |
| VI. New Zealand | 104 |
| VII. Japan | 116 |
| Bibliography | 139 |
The full reports will be available shortly and information on how to acquire them will be posted on this site.
1 The United States, 18 of the 25 EU member countries, and 1 of the 4 EU candidate countries
are also members of the OECD. Beyond the four OECD member countries herein discussed, there are 4 other non-EU countries that
are OECD members: Korea, Mexico, Norway, and Switzerland.
2 Office of the Federal Privacy Commissioner of Australia, Guidelines to the National Privacy Principles (2001),
http://www.privacy.gov.au/publications/nppgl_01.html.