Privacy Studies
SUPPLEMENT TO REPORT ON UNITED STATES FEDERAL LAWS REGARDING PRIVACY AND PERSONAL DATA AND APPLICATION TO BIOMETRICS
UNITED STATES FEDERAL LAWS REGARDING PRIVACY AND PERSONAL DATA AND APPLICATIONS TO BIOMETRICS
This report demonstrates that the use of biometrics as part of the Nation's efforts to increase security and protect against future terrorist attacks is not at odds with the protection of privacy and civil liberties. This report further demonstrates how, under the current legal system and state of the law, biometrics can legally be used as a means to verify identity in virtually any situation and, under certain circumstances, to positively identify individuals through the use of databases.
United States Federal Laws Regarding Privacy and Personal Data and Applications to Biometrics demonstrates how, under the current U.S. legal system and state of the law at the federal level, use of biometrics as a means to verify identity in virtually any situation is consistent with the law. The report also illustrates how, under certain circumstances, using biometrics to identify individuals through the use of databases is acceptable without sacrificing the objective of maintaining and protecting personal privacy. The report was provided, on request, to the Department of Homeland Security and the Interagency Working Group on Biometrics chaired by the White House Office of Science and Technology.
The report highlights the distinctions in biometric recognition between identification and verification techniques and discusses how each method relates to privacy laws and issues. Generally, biometric "identification" does a "one to many" search of extensive databanks to find a match. Because such databanks may contain or be linked to personal information, and because identification applications can be used without the subject's knowledge or consent, such as in surveillance, the privacy concerns are intensified. Biometric verification systems that use a "one to one" match are generally designed to be used on a voluntary basis. Verification requires only two pieces of information: something representing identity (such as a user name to retrieve a biometric template or a smart card) and a biometric feature or information (such as a hand to create a hand geometry template) presented for the match. Verification systems can be connected to databanks, but unlike identification systems, a database is not a necessary component. The need for the subject's consent and the lack of a databank requirement greatly reduce the privacy concerns.
Table of Contents
| Section | Page |
| I. Introduction | 4 |
| II. Privacy Law Applicable to the Public Sector | 13 |
| A. Constitutional Privacy Law | 14 |
| 1. Specific Constitutional Provisions | 15 |
| a. First Amendment | 15 |
| b. Third Amendment | 16 |
| c. Fourth Amendment | 16 |
| d. Fifth Amendment | 17 |
| e. Ninth Amendment | 17 |
| f. Fourteenth Amendment | 18 |
| 2. Case Law Examination of the Right to Privacy | 19 |
| a. Informational Privacy | 20 |
| b. Physical Privacy: Privacy in One's Personal Space | 27 |
| c. Physical Privacy: Privacy in One's Body | 32 |
| B. Statutory Privacy Laws | 41 |
| 1. The Privacy Act of 1974 & FOIA | 41 |
| a. What is a Record? | 42 |
| b. What is a System of Records? | 48 |
| c. Privacy Act Requirements and Penalties for Noncompliance | 49 |
| d. The Computer Matching and Privacy Act of 1988 | 50 |
| 2. Executive Order 12333 | 52 |
| III. Privacy and National Security | 57 |
| A. National Security Laws | 58 |
| B. Immigration Laws | 63 |
| C. International Considerations | 65 |
| IV. Privacy Law Applicable to the Private Sector | 68 |
| A. HIPAA | 69 |
| B. Statutes Governing Banks | 72 |
| 1. The Gramm-Leach-Bliley Act | 72 |
| 2. The Right to Financial Privacy Act | 73 |
| 3. The Bank Secrecy Act | 74 |
| 4. The Electronic Funds Transfer Act | 74 |
| 5. The Fair Credit Reporting Act | 74 |
| C. Statutes Governing Computers | 75 |
| 1. The Computer Security Act of 1987 | 75 |
| 2. The Computer Fraud and Abuse Act | 75 |
| V. Common Law Tort Privacy Rights | 77 |
| VI. Conclusion: Impact of United States Privacy Law on the Use of Biometrics | 79 |
| Glossary of Terms | 91 |
| Bibliography | 92 |
| Appendix A: Pending Legislation | 98 |
FIRST SUPPLEMENT TO INTERNATIONAL DATA PRIVACY LAWS AND APPLICATION TO THE USE OF BIOMETRICS IN THE UNITED STATES
REPORT ON INTERNATIONAL DATA PRIVACY LAWS AND APPLICATION TO THE USE OF BIOMETRICS IN THE UNITED STATES
Part One: Report on the State of International Privacy Laws and Application to Biometrics and Their Impact on the United States
The purpose of this report is to understand international privacy law and its impact on the use of biometric recognition technology, both in the United States in isolation and on a global scale. The focus of the government and concerned citizens should not be on preventing the use of the technology, but instead on controlling that aspect of its use that coincides with personal data and privacy considerations.
Resistance to both U.S. and foreign biometric privacy legislation has come from both sides of the fence. Some proponents of biometric recognition technology are concerned that any legislation will restrict the currently legal uses of biometrics. Opponents of biometric recognition technology (on the basis of its perceived threat to privacy) are concerned that legislation will condone the use of such technology on a broad or unrestricted scale. NBSP concludes that the best compromise is implementation of data privacy policy and/or legislation that takes into consideration: (a) the fact that most overt and consensual uses of biometric recognition technology are legal and non-intrusive; (b) that public concerns over misuses (such as could occur with databases or unrestricted data-mining) should be competently addressed; and (c) participation in global privacy standards will enhance proper and effective use of the technology.
Part Two: Report on Privacy Laws of The EU and Select Countries
This report examines the privacy laws, namely data privacy laws, in the European Union and four other leading industrialized nations and OECD member countries: Canada, Australia, New Zealand, and Japan.[1]
This report begins with a discussion of the OECD Guidelines and their eight data privacy principles, which have formed the bases for many of the data privacy laws in the countries examined in this report. The report next discusses the privacy laws that have developed in the European Union. Next, the report discusses the federal privacy laws of Canada, Australia, New Zealand, and Japan, and how each of these four countries has looked to either the EU, the OECD Guidelines, or both in developing and crafting its national privacy laws and principles. For example, in the background section of Australia's Guidelines to the National Privacy Principles, the Office of the Federal Privacy Commissioner of Australia states that Australia's privacy laws and principles "reflect the ideas that have been developed internationally and, in particular, the OECD Guidelines. A growing number of other countries, including New Zealand, Hong Kong, Canada, and many European nations, have also adopted privacy laws."[2]
In discussing each country (and the EU), this report provides a brief overview of the country's government and legal system. It then discusses in detail the privacy laws, in particular the data privacy laws, and analyzes the interplay of such privacy laws and their impact on local and worldwide use of biometric recognition technology. Also included is a summary of some of the applications of biometric recognition technology in each country and in the EU.
Table of Contents
| Section | Page |
| PART ONE: Report on the State of International Privacy Laws and Application to Biometrics and Their Impact on the United States | 4 |
| PART TWO: Report on Privacy Laws of the EU and Select Countries | |
| I. Introduction | 12 |
| II. The OECD Guidelines | 14 |
| III. European Union | 19 |
| IV. Canada | 65 |
| V. Australia | 83 |
| VI. New Zealand | 104 |
| VII. Japan | 116 |
| Bibliography | 139 |
[1] The United States, 18 of the 25 EU member countries, and 1 of the 4 EU candidate countries are also members of the OECD. Beyond the four OECD member countries herein discussed, there are 4 other non-EU countries that are OECD members: Korea, Mexico, Norway, and Switzerland.
[2] Office of the Federal Privacy Commissioner of Australia, Guidelines to the National Privacy Principles (2001), http://www.privacy.gov.au/publications/nppgl_01.html
