In the context of the accountability principle, recognized in the Proposed Regulation[i] and by the Working Party 29[ii], the controller is obliged to adopt effective and appropriate measures to ensure that the processing complies with data protection law. In addition, the controller shall be able to prove that measures have been taken and implemented[3].
Those measures are at the discretion of the controller and can take various forms, such as technical and organizational measures[iii]. The Privacy Rules elaborated by Natural Security Alliance form part of the accountability principle by providing, in addition to the standard, contractual obligations to respect.
A code of conduct completing technical measures
Natural Security Standard has been developed according to the Privacy by Design principle. It means that from the design stage privacy issues have been taken into consideration to implement technical measures mitigating risks[iv].
However, as the Working Party 29 has observed, technical measures are not sufficient and must be complemented by organizational measures[v].
In this regard the Privacy Rules constitute a code of conduct that imposes, on controllers who have agreed to respect them, obligations concerning the implementation of the Natural Security standard. On the one hand, these rules are based on the values defended by Natural Security Alliance concerning respect of privacy. On the other hand, they are founded on recommendations of Data Protection Authorities concerning the application of biometrics.
By committing to the Privacy Rules, exactly as by implementing a Privacy by Design standard, the controller adopts de facto effective and appropriate measures, both technical and organizational, to comply with the accountability principle.
Rules founded on values and recommendations
Natural Security Alliance develops a strong authentication standard based on biometrics in order to contribute to a privacy-friendly authentication environment. The Privacy Rules aim to ensure that the standard is implemented according to Natural Security values, which are the respect of privacy and data protection.
Furthermore, these rules have been elaborated according to recommendations made by national Data Protection Authorities and by the Working Party 29[vi] regarding the application of biometrics. Indeed, French[8], Belgian[vii][viii], and Italian[ix] Data Protection Authorities have developed guidelines and recommendations on the technical and organizational measures to implement for biometric authentication. These documents list the requirements that biometric processing must meet to comply with data protection law.
Consent and active role of the data subject
Legality and legitimacy are two crucial requirements the processing shall meet. Therefore, the controller must obtain the consent of the data subject.
To meet this requirement, and to ensure the biometric authentication is not executed unwittingly, the Privacy Rules highlight the active role of the user. Thus, the controller commits that the authentication results from a voluntary gesture of the user who places either his/her finger or his/her hand on the reader.
Moreover, Natural Security technology shall not be used to track the user without his/her prior consent.
Minimization of biometric data
Biometric data can reveal a large amount of information about the data subject that is not necessary for the authentication. In order to comply with the minimization and adequacy principles, only data necessary for the authentication shall be collected and processed. Therefore, the controller agrees to convert raw data into templates at enrollment, and to store and process only those templates.
High security and confidentiality level for biometric data
The principal concern of Data Protection Authorities and Natural Security Alliance is the security and confidentiality of biometric data in order to prevent unlawful use. In this respect the Privacy Rules impose stringent obligations.
At enrollment, biometric data should not be stored within the enrollment station but only transmitted to the personal device. Furthermore, the controller commits not to constitute a database with the biometric data. Storage on a personal device gives the user actual control over his/her data, and this prevents unlawful use (function creep).
In addition, in the personal device the storage takes place in a secure environment in order to protect data from intrusion, destruction, accidental loss, unwilling disclosure, and unauthorized access.
Finally, to protect biometric data during the transmission between the reader and the personal device, the transmission takes place only after a mutual recognition of authenticity and through a secure communication.
By respecting these obligations the controller offers an authentication which compromises neither privacy nor security, and guarantees the conformity of the processing with the recommendations of Data Protection Authorities.
Certification and mark: two complementary measures
In addition to the Privacy Rules, two instruments have been developed within the Alliance: the certification and the mark.
The certification process has been elaborated to ensure that products integrating the Natural Security Standard comply with the technical specifications. The certification allows products to be recognized as “genuine”, and thus enables them to communicate with other products integrating the standard. Therefore, the certification permits the creation of a genuine Natural Security environment.
Moreover, the certification forms part of the organizational measures in the context of the accountability principle. The Working Party 29 observes, indeed, that certification schemes allow controllers to prove they have adopted technical measures[11].
The Natural Security mark can also be used by implementers if they respect the certification and the rules. Thanks to the mark, implementers provide better transparency and data subjects have better visibility. This makes it possible to establish a relationship based on trust and reliability between controllers and data subjects.
To conclude, the controller who integrates the Natural Security standard, obtains the certificate, and respects the Privacy Rules during the implementation provides a biometric authentication complying with privacy and data protection law. Moreover, he/she takes de facto effective and appropriate measures to comply with the accountability principle and is accountable to national Data Protection Authorities. Finally, he/she participates actively in the setting up of an authentication environment in which users can navigate with confidence.
About Natural Security Alliance
The Natural Security Alliance is a global community of preeminent companies dedicated to accelerating the adoption and ongoing development of solutions built on Natural Security technology. It includes some of the most influential companies in the world from the retail, banking, payment and IT sectors. All Alliance members share a strategic commitment to delivering mission-critical authentication and payment solutions based on secure elements and wireless and biometric technologies. Visit www.naturalsecurityalliance.org for more information.
[i] Article 22 Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, COM(2012) 11 final, 2012/0011 (COD) C70025/1
[ii] Article 29 Data Protection Working Party (WP29), Opinion 3/2010 on the principle of accountability WP(173), 13th July 2010
[3] Ibid. 5
[iii] Ibid. 8
[iv] Article 23 Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, COM(2012) 11 final, 2012/0011 (COD) C70025/1
[v] WP29, Opinion 3/2010 on the principle of accountability WP(173), 11-12
[vi] Article 29 Data Protection Working Party, Opinion 3/2010 on developments in biometric technologies WP(193), 27th April 2012
[vii] CNIL, Communication de la CNIL relative à la mise en œuvre de dispositifs de reconnaissance par empreinte digitale avec stockage dans une base de données, 2007
[viii] Commission de la Protection de la Vie Privée, Avis d’initiative relatif aux traitements de données biométriques dans le cadre de l’authentification de personnes (A/2008/017), 9 April 2008
[ix] Garante Privacy, Schema di provvedimento in tema di riconoscimento biometrico e firma grafometrica, 21 May 2014
[11] WP29, Opinion 3/2010 on developments in biometric technologies WP(193), 17-18