A Privacy Balancing Act
The privacy of the individual is of the ultimate importance
- By Arie Melamed
- Apr 01, 2018
Privacy. It’s gone beyond buzzword into a class of its own: basically, privacy of the individual is of the ultimate importance, and all else must fall away in our efforts to preserve it.
To that end, the European Union’s General Data Protection Regulation (GDPR) comes into effect on May 25. While this regulation is being mandated by the EU, it applies to organizations located in European Union states, organizations located outside of the EU that process personal data of EU citizens, and multinational companies that supply goods or services to, and/or monitor the behavior of, people in the EU.
GDPR addresses how data (including names, photos, email addresses, bank details, social media posts, medical information or a computer IP address) is collected, consented to, used, processed, erased and controlled. The new legislation essentially sets higher fines for non-compliance or data breaches, and gives people (or, data subjects) more control and visibility over their personal information, what organizations do with it, and for how long. The basic concept is that the data subject, and not the collector, is the owner of his personal data.
According to the new regulations, an individual needs to willingly consent before his data is collected; data may only be processed under “lawful” circumstances—meaning, there must be a specific purpose that is transparent and known to the data subject.
What is fascinating is that all of this is taking place against a backdrop of a global push for better security, more scrutiny, and making the most of contactless biometric technologies, whose output is considered sensitive private information.
So how can GDPR, security and biometrics coexist? What are the challenges, and in which areas does society need to focus its energy?
Surveillance—More Important than Ever
There are far-reaching implications of these new laws. CCTV cameras are commonly used in widespread surveillance systems. These systems can include hundreds, or in public spaces, tens of thousands (or more if you live in London) of CCTV cameras, which constantly record and collect people’s images. Police and other law enforcement officials often rely on these systems. Organizations and facilities also use CCTV cameras as part of their security infrastructures.
Does every person in the public sphere have to give their consent for this type of surveillance? In short, no. Surveillance is a common enough practice that simply having a sign in an area, informing people that they are being recorded, should be enough. If people see the sign and still opt to enter that space, this demonstrates their consent. In some circumstances, an optional unmonitored passage needs to be conveniently available to ensure willing consent. Additionally, there are legal limitations on the storage duration of CCTV recordings, fulfilling the GDPR principle of “ensure erasure when no longer needed.”
Biometrics—Entering the Mainstream
The implications of GDPR go beyond basic CCTV cameras though. Increasingly, organizations are opting to deploy biometric systems to identify opted-in users for access control and security purposes. Biometrics are being selected for their enhanced security, convenience and increased efficiency.
Biometric data used for identification, whether it is visual identification data such as face templates or body-behavior data, or other types of biometric information such as fingerprints or iris scans, is included as Personally Identifiable Information (PII) under GDPR.
With visual identification in particular, which can be passively collected using standard CCTV cameras (unlike fingerprints or iris scans, which must be actively provided by a user), GDPR raises some serious considerations. What do you do with the data of all the people who pass by the camera, yet have not opted into the system? What about people who have opted in, but would like to opt out now? How long can biometric data of subjects be stored when they have not specifically provided consent? And, for what purpose?
What of the Technology Provider?
It is important to note that the provider of the data collecting and processing technology is neither the processor, nor the controller, of subjects’ data under GDPR.
To illustrate, computers and smartphones are used for many useful tasks: work, design, programming, entertainment, community, dating, picture albums and more. But when one is used to commit an offence such as hacking into other systems, violating media ownership rights or trading illegally on the darknet, all of which are considered crimes, would the computer or operating system manufacturer be brought to trial for theft? Of course not. The person orchestrating the offence would be held responsible. No one thinks to outlaw computers and smartphones when they serve such fundamentally positive purposes as well.
So, too, with personal data collection. The provider of the data collecting tools and technologies will not be held responsible when an organization collects or uses such personal data incorrectly. However, the technology provider does have responsibilities to enable and ensure that organizations are well equipped to comply with the regulation.
Responsibilities as a Technology Provider
As a provider of biometric identification technology, it is our responsibility and commitment to the organizations we work with to support the application of GDPR.
To that end, it is clear that technology providers must:
- Provide the tools necessary for organizations to avoid saving the data of a subject who is not enrolled in the system, or who was enrolled and has since opted out. Technology providers have a responsibility to create this capability.
- Ensure that subject data cannot be manipulated without authorization and is protected from security breaches. That’s why it is vital for all data collected to be hashed and encrypted, so that if there is a data breach and information is possibly stolen, it is not usable. This protects the organization, in the event of a breach, from the serious penalties that can be incurred under GDPR.
- Provide audited interfaces and tools to enable the organization to give a data subject a copy of the personal data saved in the system, the ability to correct it, or the ability to be forgotten when needed.
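The three obligations above map onto a small template store, shown here as an added example in Go that is not the author's product code. One caveat a practitioner would raise: a biometric template cannot be hashed the way a password is, because matching needs the template itself, so the template is encrypted (AES-256-GCM, which also detects tampering) while the subject identifier is the part that gets a keyed hash (HMAC-SHA256) as a pseudonymous lookup key. TemplateStore, Enroll, Export and Forget are names assumed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// TemplateStore (assumed name): AES-256-GCM-sealed templates for consenting subjects only, keyed by an HMAC-SHA256 pseudonym.
type TemplateStore struct {
	aead    cipher.AEAD
	hmacKey []byte
	sealed  map[string][]byte // pseudonym -> nonce || ciphertext
}
func NewTemplateStore(encKey, hmacKey []byte) (*TemplateStore, error) {
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &TemplateStore{aead: aead, hmacKey: hmacKey, sealed: map[string][]byte{}}, err
}
func (s *TemplateStore) pseudonym(subjectID string) string {
	m := hmac.New(sha256.New, s.hmacKey)
	m.Write([]byte(subjectID))
	return string(m.Sum(nil))
}
// Enroll keeps a template only with consent; re-enrolling the same subject overwrites it (correction).
func (s *TemplateStore) Enroll(subjectID string, template []byte, consented bool) error {
	if !consented {
		return errors.New("no consent: template discarded, nothing stored")
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.sealed[s.pseudonym(subjectID)] = s.aead.Seal(nonce, nonce, template, []byte(subjectID)) // subject ID bound as associated data
	return nil
}
// Export returns the subject's template in the clear (their copy of the stored personal data).
func (s *TemplateStore) Export(subjectID string) ([]byte, error) {
	ct, ok := s.sealed[s.pseudonym(subjectID)]
	if !ok {
		return nil, errors.New("subject not enrolled")
	}
	return s.aead.Open(nil, ct[:s.aead.NonceSize()], ct[s.aead.NonceSize():], []byte(subjectID))
}
func (s *TemplateStore) Forget(subjectID string) { delete(s.sealed, s.pseudonym(subjectID)) } // erasure on opt-out
```

Key management (where encKey and hmacKey live, and who can call Export) is the part an audited interface has to cover and is outside this block.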
How GDPR Will Evolve in the Future
Ultimately, GDPR will be implemented in the EU and could be further enhanced according to norms for each member state.
This is changing as well. The public is beginning to understand the efficiency that biometric identification brings with it. People like the idea of walking into their favorite shop and being welcomed by name. Air travelers appreciate the convenience of passport control being automatically handled through biometrics without having to stand in the regular queue.
Of course, there will always be those who prefer to remain as anonymous as possible, and it is up to those involved in all perspectives related to GDPR to make sure anonymity is available.
The Changing Times
The trend is in favor of the public trading off some level of anonymity for the benefits that data-based identification can bring. Surveys show that up to 95 percent of people are interested in providing personal information when they stand to receive tangible benefits.
We should all support what GDPR is trying to accomplish. After all, privacy is still extremely important to people around the world. Yet, we have to periodically reexamine the degree to which there is a demand for what GDPR protects (namely, personal privacy), and make adjustments to the laws accordingly.
In that way, we can continue to move forward, allowing technology to increase safety, convenience and efficiency in our lives without compromising the privacy we all consider to be of sacred status.
This article originally appeared in the April 2018 issue of Security Today.