A Privacy Balancing Act

The privacy of the individual is the ultimate importance

• By Arie Melamed
• Apr 01, 2018

Privacy. It’s gone beyond buzzword into a class of its own: basically, privacy of the individual is of the ultimate importance, and all else must fall away in our efforts to preserve it.

To that end, the European Union’s General Data Protection Regulation (GDPR) comes into effect on May 25. While this regulation is being mandated by the EU, it applies to organizations located in European Union states, organization located outside of the EU processing personal data of EU citizens, and multinational companies that supply goods or services to, and/or monitor the behavior of people in the EU.

GDPR addresses how data (including names, photos, email address, bank details, social media posts, medical information or a computer IP address) is collected, consented, used, processed, erased and controlled. The new legislation essentially sets higher fines for non-compliance or data breaches, and gives people (or, data subjects) more control and visibility over their personal information, what organizations do with it, and for how long. The basic concept is that the data subject, and not the collector, is the owner of his personal data.

According to the new regulations, an individual needs to willingly consent before his data would be collected; data may only be processed under “lawful” circumstances—meaning, there must be a specific purpose that is transparent and known to the data subject.

What is fascinating is that all of this is taking place with a backdrop of a global push for better security, more scrutiny and making the most of contactless biometric technologies, which is considered as sensitive private information.

So how can GDPR, security and biometrics coexist? What are the challenges and in which areas does society need to focus its energy?

Surveillance—More Important than Ever

There are far reaching implications of these new laws. CCTV cameras are commonly used in widespread surveillance systems. These systems can include hundreds, or in public spaces, tens of thousands (or more if you live in London) of CCTV cameras, which constantly record and collect people’s images. Police and other law enforcement officials often rely on these systems. Organizations and facilities also use CCTV cameras as part of their security infrastructures.

Does every person in the public sphere have to give their consent for this type of surveillance? In short, no. Surveillance is a common enough practice that simply having a sign in an area, informing people that they are being recorded, should be enough. If people see the sign, and still opt to enter that space, this demonstrates their consent. In some circumstances, an optional unmonitored passage needs to be conveniently available to ensure willing consent. Additionally, there are legal limitations to storage duration of CCTV recordings fulfilling a GDPR principle of “ensure erasure when no longer needed.”

Biometrics—Entering the Mainstream

The implications of GDPR go beyond basic CCTV cameras though. Increasingly, organizations are opting to deploy biometric systems to identify opted-in users for access control and security purposes. Biometrics are being selected both for their enhanced security, convenience and increased efficiency. Biometric data, good for identification, whether it visual identification data such as face templates or body behavior data, or other types of biometric information including fingerprints or iris scans would be included as Personally Identifiable Information (PII) under GDPR.

With visual identification in particular, which can be passively collected using standard CCTV cameras (unlike fingerprints or iris scans, which must be actively provided by a user), GDPR can pose some serious considerations.

What do you do with the data of all the people who pass by the camera, yet have not opted into the system? What about people who have opted in, but would like to opt-out now? How long can biometric data of subjects be stored when they have not specifically provided consent? And, for what purpose?

What of the Technology Provider?

It is important to note that the provider of the data collecting and processing technology is neither the processor, nor the controller of subjects’ data under GDPR.

To illustrate, computers and smartphones are used for many useful tasks: work, design, programming, entertainment, community, dating, picture albums and more. But, when used to commit an offence such as hacking into other systems, violation of media ownership rights, illegal darknet trades which are considered as crimes, would the computer or operating system software manufacturer be brought to trial for theft? Of course not. The person orchestrating the offence would be held responsible. No one thinks to outlaw computers and smartphones, when they serve such fundamentally positive purposes as well.

So, too, with personal data collection. The provider of the data collecting tools and technologies will not be held responsible when an organization collects or uses such personal data incorrectly. However, the technology provider does have responsibilities to enable and ensure that organizations are well equipped to comply with the regulation.

Responsibilities as a Technology Provider

As a provider of biometric identification technology, it is our responsibility and commitment to the organizations we work with to support the application of GDPR.

To that end, it is clear that technology providers must:

• Provide the tools necessary for organizations to be able to not save the data of a subject’s data who is not enrolled in the system, or someone who was enrolled and opted out. Technology providers have a responsibility to create this capability.
• Ensure that subject data would not be manipulated without authorization and would be protected from security breaches. That’s why it is vital for all data collected to be hashed and encrypted, so that if there is a data breach and information is possibly stolen, it is not usable. This protects the organization in the event of a breach from the serious penalties that can be incurred under GDPR.
• Provide audited interfaces and tools to enable the organization to provide a data subject with a copy of the personal data saved in the system, ability to correct it or be forgotten when needed.

How GDPR Will Evolve in the Future

Ultimately, GDPR will be implemented in the EU and could be further enhanced according to norms for each member state. This is changing as well. The public is beginning to understand the efficiency that biometric identification brings with it. People like the idea of walking into their favorite shop and being welcomed by name.

Air travelers appreciate the convenience of passport control being automatically handled through biometrics without having to stand in the regular queue.

Of course, there will always be those who prefer to remain as anonymous as possible, and it is up to those involved in all perspectives related to GDPR to make sure anonymity is available.

The Changing Times

The trend is in favor of the public trading off some level of anonymity for the benefits that data-based identification can bring. Surveys show that up to 95 percent of people are interested in providing personal information when they stand to receive tangible benefits.

We should all support what GDPR is trying to accomplish. After all, privacy is still extremely important to people around the world. Yet, we have to periodically reexamine the degree to which there is a demand for what GDPR protects (namely, personal privacy), and make adjustments to the laws accordingly.

In that way, we can continue to move forward, allowing technology to increase safety, convenience and efficiency in our lives without compromising the privacy we all consider to be of sacred status.

This article originally appeared in the April 2018 issue of Security Today.