Privacy Rules: A Way to Comply with Data Protection Laws

Under the accountability principle laid out in the Proposed Regulation[1] and by the Article 29 Working Party[2] (the Working Party), controllers are obligated to adopt effective and appropriate measures to ensure data are processed in compliance with data protection laws. In addition, they must be able to prove that certain measures have been implemented[3]. The specific measures adopted are left to each controller’s discretion and may take various forms, such as technical and organizational measures[4].

The privacy rules established by Natural Security Alliance address this accountability principle by imposing contractual obligations in addition to the requirements specified in the Natural Security standard.

1.    A code of conduct to complement technical measures

Natural Security’s standard was developed according to the Privacy by Design principle. This means that privacy issues were taken into consideration right from the design stage to implement technical measures that mitigate risks[5].

However, as has been observed by the Working Party, technical measures are not sufficient and must be supplemented with organizational measures[6].

The Privacy Rules by Natural Security Alliance constitutes a code of conduct that imposes certain obligations for implementing Natural Security’s standard on any controller that has agreed to respect these rules. These Privacy Rules are founded on recommendations made by data protection authorities for the application of biometric technologies, and uphold Natural Security Alliance’s values around privacy and data protection.

By following the Privacy Rules, just as by implementing a Privacy by Design standard, controllers adopt de facto effective and appropriate measures, both technical and organizational, to comply with the accountability principle.

2.    Rules founded on values and recommendations

Natural Security Alliance maintains a strong authentication standard based on biometrics in order to contribute to a privacy-friendly authentication environment. The Privacy Rules aim to ensure that the standard is implemented in accordance with Natural Security’s values, namely the respect of privacy and data protection.

These rules have been defined according to recommendations made by national data protection authorities and by the Working Party[7] regarding the application of biometrics. French[8], Belgian[9], and Italian[10] data protection authorities have developed guidelines and recommendations on the technical and organizational measures to implement for biometric authentication. Their documents specify the requirements for biometric data processing that must be met to comply with data protection laws.

  •       Consent and active role of the data subject

Two crucial requirements concern the legality and legitimacy of data processing. Controllers must therefore obtain the data subject’s consent.

To satisfy this requirement, and to ensure biometric authentication is not executed without the data subject’s knowledge, the Privacy Rules emphasize the active role the user must play. Controllers subject to the Privacy Rules must therefore ensure that authentication is based on a voluntary action made by the user, who places his/her finger or hand on the reader.

In addition, Natural Security technology may not be used to track the user without his/her prior consent.

  •       Minimization of biometric data

Biometric data can reveal a great deal of information about the data subject that is not necessary for authentication. To comply with the minimization and adequacy principles, only data necessary for authentication may be collected and processed. Controllers therefore agree to convert raw data into templates at enrollment, and to only store and process these templates.

  •       High security and confidentially level for biometric data

The primary concern of data protection authorities and National Security Alliance is the security and confidentiality of biometric data, to prevent unlawful use. In this respect, the Privacy Rules impose stringent obligations.

During enrollment, biometric data should not be stored within the enrollment station, they should only be transmitted to the personal device. Furthermore, controllers may not create a database with the biometric data. Storage of biometric data on a personal device gives the user control over his/her data, which prevents unlawful use (function creep).

In addition, biometric data are stored on the personal device in a secure environment to protect data from intrusion, destruction, accidental loss, unwilling disclosure, and unauthorized access.

Finally, to protect biometric data during transmission between the reader and the personal device, the transmission takes place only after mutual recognition of authenticity and using a secure communication protocol.

By respecting these obligations, controllers ensure authentication does not compromise privacy or security, and they guarantee that data are processed in accordance with the recommendations of data protection authorities.

3.    Certification and trademark: two complementary measures

In addition to the Privacy Rules, Natural Security Alliance has developed two instruments to encourage compliance: certification and the trademark.

The certification process was developed to ensure that products integrating Natural Security’s standard do in fact comply with the technical specifications. Certification serves to recognize products as “genuine”, enabling them to communicate with other products integrating the standard. Certification therefore facilitates the creation of a genuine Natural Security environment.

Certification also falls under the organizational measures that can be implemented to satisfy the accountability principle. As noted by the Working Party, certification schemes allow controllers to prove they have adopted technical measures[11].

The Natural Security trademark can also be used by implementers if they obtain the certification and respect the Privacy Rules. The trademark allows implementers to provide better transparency and gives data subjects better visibility, so a relationship based on trust and reliability can be established between controllers and data subjects.

 

To conclude, when controllers integrate Natural Security’s standard, obtain certification, and respect the Privacy Rules during implementation, they provide biometric authentication that complies with privacy and data protection laws. Moreover, they take de facto effective and appropriate measures to comply with the accountability principle and are accountable to national data protection authorities. Finally, they actively contribute to the creation of an authentication environment that users can confidently navigate.

 

[1] Article 22, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, COM(2012) 11 final, 2012/0011 (COD) C7-0025/1 , available at <http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf>

[2] Article 29 Data Protection Working Party (WP29), Opinion 3/2010 on the principle of accountability (WP173), July 13, 2010, available at  <http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp173_en.pdf>

[3] Ibid., 5

[4] Ibid., 8

[5] Article 23, Proposal for a Regulation of the European Parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, COM(2012) 11 final, 2012/0011 (COD) C7-0025/1

[6] WP29, Opinion 3/2010 on the principle of accountability (WP173), 11-12

[7] Article 29 Data Protection Working Party, Opinion 3/2012 on developments in biometric technologies (WP193), 27th April 2012, available at  <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp193_en.pdf>

[8] CNIL, Communication de la CNIL relative à la mise en œuvre de dispositifs de reconnaissance par empreinte digitale avec stockage dans une base de données, 2007, available at <http://www.cnil.fr/fileadmin/documents/approfondir/dossier/CNI-biometrie/Communication-biometrie.pdf>

[9] Commission de la Protection de la Vie Privée, Avis d’initiative relatif aux traitements de données biométriques dans le cadre de l’authentification de personnes (A/2008/017), April 9, 2008, available at <http://www.privacycommission.be/sites/privacycommission/files/documents/avis_17_2008_1.pdf>

[10] Garante Privacy, Schema di provvedimento in tema di riconoscimento biometrico e firma grafometrica, May 21, 2014, available at  <http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3132642>

[11] WP29, Opinion 3/2012 on developments in biometric technologies (WP193), 17-18