Privacy Issues
Central to the biometrics debate
By Joanne W. Young, Partner, Baker & Hostetler, LLP
April 2002
The Aviation and Transportation Security Act authorized the Transportation Security Administration to move forward with development of data collection and transmission and biometric systems that could form the core of a highly effective international passenger screening system. To build [a] system based on the exchange of data, the industry and participating governments must comply with a variety of complex privacy laws.
There is
a clear tension between the need to obtain and exchange information and
intelligence about individuals and the need to protect the right of privacy.
This right is preserved in many countries through constitutions, common
law, and statutes such as the European Union's Privacy Directive.
Many privacy issues could be overcome by voluntary informed consent obtained
from passengers who choose to participate in a biometric-based trusted
traveler program. It will be necessary to explore whether various law
enforcement exemptions would permit this activity.
U.S.Protections
The Fourth Amendment to the Constitution protects citizens from unreasonable
intrusions by the government. It protects a person against searches and
seizures conducted by the government [and] would potentially apply to
the government's collection and use of biometric and personal data. Whether
the system we are describing today would be classified as a search or
seizure may be subject to debate. In any event, when there is free and
voluntary consent there is no violation.
A second source of privacy protection is found in the common law tort of "invasion of privacy," which is recognized in virtually all 50 states. Two types of invasions of privacy are most likely to be relevant here. Courts may conclude that:
1) the collection of biometric and personal information could be what is termed an "intrusion upon a person's seclusion and solitude;" and
2) disclosure of the information could be considered to constitute the "public disclosure of private facts."
These protections apply to both private and government entities and, if established, both can be held liable for compensatory damages. Once again, however, if a person consents to either the collection or disclosure of information, there can be no invasion of privacy. Moreover, court's have generally held that disclosure to one or a few people is not actionable barring extenuating circumstances.
Unlike the EU, the U.S. does not have any general privacy legislation governing the private sector that would effect the operation of passenger-related data collection and transfer. However, the participation of U.S. government agencies would be covered by the Freedom of Information Act (FOIA) and the Privacy Act.
FOIA requires U.S. government agencies to disclose information requested by citizens, unless it falls within specific exceptions. This could lead to unwanted disclosures of information participating passengers are likely to want protected. For example, a newspaper could request records from participating U.S. agencies that detail the itineraries and traveling habits of particular persons.
The Privacy Act implicates the opposite problem.This statute prohibits the disclosure of information submitted to the government without prior written consent from the relevant person, thus potentially blocking desirable exchanges of information. Specific informed consent regarding the use of information could solve part of this problem, and exceptions for law enforcement activity may enable the transfer of information about passengers who are not voluntary participants in the trusted traveler program.
EU Protections
The EU has enacted a single law that provides comprehensive privacy protection
to individuals and personal data. Fundamentally, the Directive (95/46/EC)
prohibits government and private entities from "processing"
personal and biometric information that would be used in the proposed
system unless a person voluntarily consents to the processing of personal
data. A "law enforcement" exception may also permit collection
and use of biometric and personal information for most security purposes.
The Directive establishes requirements for the collection, maintenance, and storage of personal data. It requires member states to create appropriate penalties for violations and, generally, prohibits transfers to third countries unless the country provides similar and adequate protection of personal data.
A key feature
of the Directive is the requirement that an organization have a "data
controller," responsible for maintaining data security, ensuring
that all users of enrollee data are in compliance with the Directive,
and serving as the primary liaison to passengers on privacy issues. The
need for a data controller is another important reason for selecting an
organization such as IATA to manage a passenger information system.
* * *
It is no longer a question of whether biometric technology will be used
in air travel, but when. Biometric systems are already being used for
airline and airport employee identification to prevent unauthorized access
to secure areas. Experimental programs at various airports using a variety
of biometric or facial recognition systems are already being installed.
Yet, biometrics alone is not the "cure" to all industry security concerns. Data sharing between the industry and government immigration, customs, and security agencies is necessary to provide effective security.
About the Author
Joanne W. Young is a partner with Baker & Hostetler, LLP, based in
Washington, D.C. This article is an edited transcript of a speech before
the International Air Transport Association's Legal Symposium 2002.
