Análisis de la solución

This section examines four countries examples of the current applications of biometric technology in different fields and biometric industry practices. Mapping the biometric industry illustrates not only the key players, products and partnerships, but also opens a global window on the current practices and ethical commitments of this industry. These country examples, two Common Law countries and two Civil Law countries, reveal the approach legal challenges in biometrics technology in a proportional way. In addition, these examples present the impact on privacy and data protection rights in the four countries: Australia, Mexico, New Zealand and Spain88.

3.6.1. Australia: Database IdEye Implemented in Pubs and Clubs. The company Idtect89 is an Australia specialised company that developed ID scanning software with two software identification tools: “Alcohol Management Systems” and “idEye for clubs and pubs”. This research will focus its attention on the idEye for clubs and pubs.

In Australia, the private sector is covered by the Privacy Act 1988 and must comply with the Australian Privacy Principles (APPs) in handling personal information. Under the Privacy Act 1988 the Federal Privacy Commissioner does not have a complete jurisdiction to audit private sector systems90. But, in 2010 guidelines for private sector hospitality organisations were drawn up by the Federal Privacy Commissioner91 for pubs and clubs that demand an ID. Some pubs and clubs also demand biometric photos and fingerprints of every individual who enters. Idtect

88

For further details, see section 1.3. Country Profiles for the Comparative Study Component

89

This Company has been identified in this chapter http://www.idtect.com.au/ (19/12/2013)

90

On 1 November 2010 the Office of the Privacy Commissioner was integrated into the Office of the Australian Information Commissioner. In 2014, important changes to the Privacy Act 1988 commence into force http://www.oaic.gov.au/ (19/12/2013)

91

Office of the Privacy Commissioner of Australia, Private sector information sheet 30 – ID scanning in pubs and clubs, (April 2010) http://www.oaic.gov.au/privacy/privacy-resources/privacy-fact- sheets/other/information-sheet-private-sector-30-2010-id-scanning-in-clubs-and-pubs (19/12/2013)

92

scanners scans identities onto a database, called “the ban list” which is shared on local, state or national levels. The system stores the data for a month and then deletes it, but any troublemaker’s personal information can be kept indefinitely. In this case, the argument used to justify the implementation of this technology is that “public safety should over rule issues about privacy”. In this scenario, the information collected does not reveal sensitive personal information. However, the collection of photographs, fingerprints and driver licences raises concerns about unauthorised access, misuse, identity fraud and disclosure of information.

First, under 2010 guidelines for private sector hospitality organisations, individuals must be notified what will happen to the information collected at pubs and clubs: the purpose of the collection, with whom they will exchange this information, who will have access to it and when the information will be destroyed.

Second, based on the characteristics of the venues and the software identification idEye the information may be stored on their servers as a backup. When the venue shares or collects from third parties, the information is stored on the database located in each venue’s network servers or even on a private cloud. Under the

Privacy Act 1988 and the National Privacy Principles, venues must have robust security measures that protect information, but they also must ensure that personal information is accurate and up-to-date.

It is important to highlight that biometric information must be collected for valid reasons, in this case, valid business reasons. The most interesting legal concern is that regarding the ban list. The ban list means that individuals banned at one location may be refused entry at other venues. The individual on that biometric database is flagged and venues may choose to accept or ban him or her. Venues impose bans for a discretional period of time: a day, a month, a year or indefinitely. This ban list database infringes, on one hand, civil liberties since the disclosure of the ban list could cause discrimination. On the other hand, the existence of a ban list where cancelation of personal information is discretional; this clearly undermines privacy and data protection rights. This discretional period of time consists in transgression to “the right to be forgotten or the right to withdraw their consent to data processing”

93

and it is consistent with Castellano that explains the “right to be forgotten” as an element of the right of data protection (self-determination) when the owner of the data has withdrawn his/her consent for processing or when he/she objects to the processing of his/her personal data92.

It can be argued that the discretionary power to ban people could be the result of a proactive society in activities in which government has a security and protection role in fighting violence in pubs and clubs. However, the State has responsibilities in the use of such technologies.

“Although individual interests must on occasion be subordinated to those of a group, democracy does not simply mean that the views of a majority must always prevail: a balance must be achieved which ensures the fair and proper treatment of minorities and avoids any abuse of a dominant position”93

.

The State should not be passive towards transgressions against civil liberties and rights. So Valades has stated that, “if the violation of one of those rights and freedoms is the result of a breach of that duty in terms of national legislation, the State is ultimately responsible for any violation”94

.

3.6.2. Mexico: Fingerprint Implemented at Banco Azteca. The company Digital Persona95 is a U.S. specialised business that develops biometric fingerprint products for two applications: customer authentication for secure banking and credit

92

This has been developed by Spaniards authors and recently promoted to the European Commission. Simon Castellano, Pere, "Los límites jurídico-constitucionales de la Administración electrónica en España y el Open government" (2011) 27 Revista Aranzadi Derecho y Nuevas Tecnologías 67; Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2012] COD 2012/0011.

93

Young, James and Webster v United Kingdom (European Court of Human Rights, Plenary, Application Nos 7601/76 and 7806/77, 13 August 1981) 63.

94 _{Valades, Diego, “La Protección de los Derechos Humanos Frente a Particulares” in Bogdandy Armi}

von, Ferrer Mac-Gregor, Eduardo and Morales Antoniazzi, Mariela (coords) La Justicia Constitucional y su Internacionalizacion. Hacia un Ius Constitucionale Commune en America Latina?, (UNAM, Instituto Iberoamericano de Derecho Constitucional, Max-Planck-Institut Für Ausländisches Öffentliches Recht Und Völkerrecht, 2010), pp. 681-710.

95

94

transactions, and employee authentication for branch executives, tellers and vault access.

In 2002, Banco Azteca96 started operations targeting the low income sector, which represents the 70% of population not served by traditional banks. In addition, Banco Azteca became the first bank to implement biometric fingerprints as a method to protect customers’ savings in a product called “Guardadito” (saving accounts). At that time, Mexico neither had a data protection law nor a Data Protection Commissioner.

In Mexico, recognizing data protection as a fundamental right has been a gradual process. This process started in 200797 and in 2010 the Federal Data Protection for Private Sector Law was approved. This law came into force in January 2012. Under the Federal Data Protection for Private Sector Law, all private sector entities, including banks, must notify individuals about their information collected on their websites: the purpose of said data collection, with whom the information will be exchanged, who will have access to said information and when this information will be destroyed98.

In 2007 any movement of money through bank portals had to be confirmed by a dynamic passwords device; thus Banco Azteca expanded the use of biometric fingerprints to customers’ financial and banking services, to secure employee access to bank vaults and to time attendance control99. There were two companies involved

96

Banco Azteca is a subsidiary of Group Elektra, a Mexican financial and retail corporation owned by Grupo Salinas. Currently, Banco Azteca has holdings in Panama, Honduras, Guatemala, El Salvador,

Peru and Brazil.

http://www.bancoazteca.com.mx/PortalBancoAzteca/publica/conocenos/historia/quienes.jsp (19/12/2012) (information in Spanish)

97

Since 2000, several bills have been presented without coming to any fruition. In 2007, The Federal Congress approved an amendment to Article 6 of the Constitution which recognizes and gives content to the right to data protection. The amendment reflected the rights that holders have over this type of data, such as those of access, rectification, cancellation and objection (known by its acronym in Spanish as ARCO rights). This is highly significant considering that personal data are in the hands of governments and the private sector (companies, organisations and professionals).

98

http://www.bancoazteca.com/PortalBancoAzteca/publica/conocenos/historia/AvisoPrivacidad.htm (19/12/2012)

99

Customers can acquire a fingerprint reader from the bank and plug it into their computers for $55 AUD plus tax ($742.40 Mexican pesos) and the software can be downloaded from Banco Azteca’s website.

95

in the biometric applications: Biometria Aplicada100, a reseller, and Digital Persona. Furthermore, Banco Azteca plans to incorporate biometric fingerprint readers into its ATM machines for customers to check their balances, withdraw cash or purchase pre-paid mobile phone minutes. Banco Azteca requests an official identification card with the holder’s current address, email address, personal information and one biometric fingerprint. The information collected does not reveal sensitive personal information. However, many customers are farmers and construction workers whose fingers are damaged and worn.

Based on bank characteristics, the information is stored on different databases where distributed database management is required. The information is stored on multiple network servers. This gives banks the ability to link the different databases of each location and gain access to bank branches.

It is important to highlight that it has only been two years since the data protection law has come into force. Thus, there are no complaints against Banco Azteca or appeals yet to be solved by the Federal Privacy Commissioner101 whereas at the National Commission for the Protection and Defence of Users of Financial Services, it is ranked number one in the 2011 Index of Fines102. It will be a matter of time to find out whether Banco Azteca is complying with the data protection regime. The Federal Privacy Commissioner has that authority to audit their databases and, in case of irregularities, to impose a corresponding sanction.

3.6.3. New Zealand: Biometric Voice Recognition. The company Salmat103 is a specialised Australian company that provides customer communication solutions. It has developed three Voice ID versions: one similar to the interactive voice response system, an online identification system and a mobile identification system, all of

100

This company has been identified in this chapter. http://www.biometriaaplicada.com/ (19/12/2012)

101

Freedom of Access Information and Data Protection Institute (known by its acronym IFAI) http://www.ifai.org.mx/English (19/12/2012)

102

Mexico Government, National Commission for the Protection and Defence of Users of Financial Services, Fines imposed on financial institutions, (2012) http://www.condusef.gob.mx/PDF- s/Comunicados/2012/com05_multas-2011.pdf (19/12/2012)

103

96

which use biometrics104. The voice identification biometric systems are inexpensive and good for remote database access, but it can be affected by physical conditions or emotional states.

In 2008, New Zealand’s Inland Revenue (IR)105

began to modernise its phone interface. In November 2011, IR implemented Salmat Voice ID106 as its interactive voice response system. This voice ID allows taxpayers to access their accounts by telephone instead of entering a PIN number. In the first four weeks, 10,000 customers enrolled; in a year, this number increased to 400,000 customers107 by 2012 using this system to confirm their identity.

The Bank of New Zealand, National Australia Bank, Centrelink, St. George Bank and the Ministry of Social Development (MSD)108 are implementing Voice ID in their contact centres, as well as other biometric systems for banking transactions. However, information security policies and compliance statutes have undergone considerable changes both locally and internationally over the last few years109. Given the proliferation of this type of identity verification systems and the fight against fraud and identity theft, the New Zealand parliament has passed the Identity Information Confirmation Act 2012110 and Electronic Identity Verification Act 2012111. Under these Acts, the New Zealand Privacy Commissioner may call for periodic reports on confirmation service operations. While the Identity Information Confirmation Act 2012 will help with face-to-face transactions, the current Electronic Identity Verification Act 2012 and the identity verification service play a complementary role in the online environment112. This legal framework also covers

104

http://www.salmat.com.au/products-services/speech-recognition-voice-biometrics/ (19/12/2012)

105 _{New Zealand’s Inland Revenue is the Tax Department}

http://www.ird.govt.nz/ (19/12/2012)

106

http://www.salmat.com.au/news-insights/ (19/12/2012)

107

New Zealand Government, Inland Revenue, Annual Report (2012) http://www.ird.govt.nz/resources/1/4/14a3ef004d1a9cf8915793d981e6622f/annual-report-2012.pdf (19/12/2012)

108

http://www.msd.govt.nz/ (19/12/2012)

109 _{Hunter, L., Orr, A. and White, B., “Towards a framework for promoting financial stability”, (Paper}

presented at The Institution of Professional Engineers New Zealand, Wellington, 22 March 2006).

110

Identity Information Confirmation Act 2012 (NZ) in force 2013

111

Electronic Identity Verification Act 2012 (NZ) in force 2013

112

97

the RealMe program113, which includes a combination of authentication techniques and support for biometric voice recognition system.

The New Zealand Privacy Commissioner has made two recommendations to address the adequate level of privacy protection. The first related to a proposal to amend an electronic identity credential and the second dealt with protection from liability114.

3.6.4. Spain: Compulsory National ID Card. Spanish compulsory national ID cards –

called DNIs- are provided by the Royal Spanish Mint (known by its acronym FNMT- RCM), which use embedded microprocessors provided by ST Microelectronics115. The DNI has been used for over 50 years and Spaniards over the age of 14 must present it as proof of identity for a very wide range of transactions116. It is governed by two laws: Royal Decree 1553/2005 of 23 December 2005, which regulates the issue of national identity and electronic signature certificates117, and Law 59/2003 of 19 December 2003, which deals with electronic signatures118.

The Spanish Data Protection Agency119 has specific regulations for personal information management, namely the Organic Law on the Protection of Personal

113 _{Clarke, Mick and Sorensen Steffen, “REALME, Technology Solution Overview” (2012)}

http://kantarainitiative.org/confluence/download/attachments/45059378/NZ+RealMe+Solution+Overvi ew+v1.pdf (19/12/2012)

114 _{New Zealand Privacy Commissioner “Submission to the Government Administration Committee on}

the Electronic Identity Verification Bill”.

115

http://www.st.com/internet/com/home/home.jsp (19/12/2012)

116

Dirección General de la Policía y Guardia Civil, DNI Electrónico Guía de Referencia Básica, Comisión Técnica de Apoyo a la Implementación del DNI Electrónico (2010) [Basic eID Digital Guide] (Spain) http://www.dnielectronico.es/Guia_Basica/index.html (19/12/2012)

117

Real Decreto 1553/2005, de 23 de diciembre, por el que se regula la expedición del documento nacional de identidad y sus certificados de firma electrónica, BOE-A-2005-21163 [Royal Decree 1553/2005 of 23 December 2005, regulating the issue of national identity and electronic signature certificates] (Spain) http://www.boe.es/buscar/doc.php?id=BOE-A-2005-21163 (19/12/2012)

118

Ley 59/2003, de 19 de diciembre, de firma electrónica, BOE-A-2003-23399 [Law 59/2003 of 19 December 2003, on electronic signatures] (Spain) http://www.boe.es/buscar/doc.php?id=BOE-A- 2003-23399 (19/12/2012)

119

Spain, Data Protection Spanish Agency http://www.agpd.es/portalwebAGPD/index-ides-idphp.php (19/12/2012)

98

Data120 on the one hand and the Organic Law on Exact Nature of Security Measures to Protect Personal Information121 on the other.

The information shown on the front of this card consists of the individual’s full name, place of birth, gender, nationality, DNI number in relation to his or her tax number, photograph and signature. The information shown on the back consists of place of birth, local state or province, parents’ names, address and province address. A microchip contains the individual’s data, electronic photograph, signature and biometric fingerprint.

In 2008, the Spanish Minister of the Interior decided to expand the information contained in the microchip with biometric photographs and fingerprints. This proposal also included RH blood group information. However, the Spanish Data Protection Agency objected to the project, arguing that “a document that incorporates additional data would be different from electronic DNI, which would require new legislation for its implementation and development"122. The DNI is only used as proof of identity when Spaniards use electronic signatures for secure personal information transmitted through electronic identification systems (eID).

3.7. Conclusions

These four countries examples provide an outline of the current practices within the biometric industry. These examples also show, on the one hand the interaction between society and government, and on the other, the interaction between society and technology. There has been little debate which “underlines the deeply contested character of the transition to the tightly interdependent, knowledge-dominated, high-

120

Ley Orgánica 15/1999, de 13 de diciembre, de Protección de Datos de Carácter Personal, BOE-A- 1999-23750 [Organic Law 15/1999 of 13 December 1999, on the Protection of Personal Data] (Spain) http://www.boe.es/buscar/doc.php?id=BOE-A-1999-23750 (21/12/2012)

121

Ley Orgánica 1/1992, de 21 de febrero, sobre Protección de la Seguridad Ciudadana, BOE-A- 1992-4252 [Organic Law 1/1992 of 21 February 1992, on the Protection of Public Safety] (Spain) http://www.boe.es/buscar/doc.php?id=BOE-A-1992-4252 (19/12/2012)

122 _{Europa Press, “Protección de Datos estará ‘especialmente atenta’ a la posible incorporación de}

datos nuevos en el DNI electrónico” (Media Release, 1 December 2005) http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2005/common/Interbusca.1_de_di ciembre_de_2005.pdf (19/12/2012)

99 tech economies of the twenty-first century”123

. The sketch of the types of political and public debates surrounding the deployment of biometric systems in the four countries support that view.

This chapter has explored the biometric industry, as well as its key players, practices, commitments and regulation. This thesis does not propose to regulate the biometric technology itself, but it does acknowledge the importance of regulating the people who will apply the technology. This chapter provides an overview of the products that have been developed by this technology. Products, such as ePassports, have not only enhanced border controls, but also play a key role in the world economy by ensuring trade with legitimate travellers. At the same time, concerns about terrorism, cross-border crimes and illegal immigrants are incentivizing national governments to adopt biometric ePassports, but this development has been with relatively little public knowledge of the biometric industry without a public debate.

The biometric industry debate should not be viewed solely in terms of a map the key players, such as IBM, HP, Microsoft, Datacard Group, Safran Morpho, Steria,