European Biometric Identity Repository Project – National Security Trumps Privacy?
European General Data Protection Regulation (GDPR) came into effect on 28 May 2018, after years of deliberations inside and outside the EU parliament, and in all major economies of the world. That global data flows contribute to global GDP, and data driven innovation (DDI) are critical to individual economies is well recognized. Several studies show that the AI adoption in countries will nearly double the GDP growth rate of advanced economies in 10-15 years. Much has been talked about the conflict between DDI and privacy violation of individuals, while GDPR was in the making.
GDPR implementation has barely started. So, it’s with surprise and disbelief that the world has woken up to the news of the European Parliament voting for a Common Identity Repository (CIR), which will amass biometrics and identity data of over 350 million EU and non-EU citizens, for enabling border control, and for law-enforcement access for national security and public safety. Two different resolutions were passed by the Parliament with over two third majority, in third week of April 2019. The first one was to merge visas and border systems; the other was to merge systems with law-enforcement, judicial, migration, and asylum information. An idea for inter-connectivity among EU databases has transformed into a centralised EU database, which will help simplify the role of border officers and law-enforcement agencies. With a single click they will be able to uniquely identify someone.
CIR will unify the existing Schengen Information System, Visa information system, and Eurodac (EU asylum seekers’ biometric database); and take in three new databases, namely, the European Travel Information and Authorisation System, the Entry/Exit System, and the European Criminal Records System for Third Country Nationals. The database will aggregate the identifying information, such as names, passport number, dates of birth, as well as biometrics like fingerprints and facial scans of all the people. It will be the largest people-tracking system, behind the Chinese surveillance system.
It has shocked the privacy rights groups and others throughout the world that a law that seems to violate the privacy of citizens could come within a year of GDPR going to implementation. Corporates are just beginning to learn the ropes of GDPR, even though two years time was allowed. And here we are with a massive people-tracking centralised database of over 350 million people. Citizens have to rest with assurance of the European Parliament that "proper safeguards will be in place to protect fundamental rights and access to data." They have to trust the security measures that the government puts on the data and database. Will these be transparent?
It is well known that the privacy laws of countries make an exception for national security and public safety. For example, Article 2 of the GDPR states that it does not apply to processing personal data "by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.” This is reiteration of exceptions to restrictions on data processing and to data protection obligations for national security and public safety purposes that have been there in EU laws. So, is there nothing new? Using biometric data by law-enforcement agencies is a clear expansion in the scope of ‘purpose’ for which data was collected from individuals, in the first instance, even though, legally speaking the EU has always permitted this kind of personal data processing in the interest of national security. For example, a UK Court quoted that “ECHR .... consistently recognized that (subject always to proportionality) public safety and the prevention and detection of crime will justify it provided that sufficient safeguards exist to ensure that personal information is not retained for longer than is required for the purpose of maintaining public order and preventing or detecting crime, and that disclosure to third parties is properly restricted.”
Have the recent security incidents in EU and global events leading to increase in asylum seekers in Europe changed the political narrative away from privacy as a fundamental right, so assiduously championed by the Europeans? Do national security and public safety trump privacy? These developments are important for India in the context of debate around Aadhaar database, which provides unique identity to every resident based on biometrics.
India has the world’s largest biometric database with nearly 1.2 billion records. Being the largest democracy, developing at a rapid pace, it has attracted much global attention. The nine-judge Constitutional Bench of the Supreme Court of India ruled on August 24, 2017 that ‘Privacy is a fundamental right under Article 21 of the Constitution’. However, it emphasised “the need to examine and put in place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate interests of the State. The legitimate aims of the State would include, for instance, protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits.” Clearly, privacy is not an absolute right. The Justice Srikrishna Committee tasked with preparing a data protection law keeping in view the need for economic growth, innovation, and privacy rights, submitted a draft data protection bill in July 2018. The bill makes exception for national security, as in other countries, and even recommends data localisation for better access to law-enforcement agencies. Detailed scrutiny of the Aadhaar Act as to whether it violates privacy was left to another five-judge bench of the Supreme Court.
The judgement delivered on 26 September 2018, held that Aadhaar - a unique identity number assigned to every resident, after de-duplicating on the basis of unique biometrics - does not violate his privacy, nor does it track people for surveillance. Disclosure of demographic data to third parties is under strict regulations. Section 33 allows sharing of data, including biometric data, with law-enforcement agencies for national security, under government orders, and court orders not below the level of a District Judge. The judgement has referred to many judgements of the US Supreme Court, UK, and that of the European Court of Justice, which hold the following: “What is in the interest of national security is not a question of law. It is a matter of policy....not a matter for judicial decision. They are entrusted to the executive.”
A similar judgement of the Federal Constitution Court of Germany delivered on 11 October 2013 (quoted in the SC judgement) reads, “the Court had occasion to consider the case in the context of data processing and protection of individual information against self-incrimination and use of their personal data. Dealing with right of information and self-determination the Court held that individuals have no right in the sense of absolute, unrestricted control over their data.”
Aadhaar is for providing identity to poor and deprived citizens to authenticate themselves for availing of the welfare benefits such as transferring of subsidies to their bank accounts. Its scope was expanded to curb corruption by linking it with income tax PAN and with mobile phones for enhancing security. While the Supreme court endorsed the biometric identity for inclusivity, fight against corruption, and for national and economic security, it deemed the use of Aadhaar number for authentication by the private sector for several business apps focused on convenience , e.g. to provide access to mobile services, unlawful.
The judgement is clear. Collection of biometrics in itself does not violate privacy of an individual. Aadhaar database is subject to normal security controls and oversight. In case of national security, it can be used. The European Parliament’s approval of over 350 million persons biometric database for use by law-enforcement agencies and border control officers for crime investigation and checking illegal immigration is an endorsement of national security and public safety. Will this put an end to the debate of privacy violation in the context of national security? Data Protection law, as envisaged and required by the SC judgement, is expected to be in place to fulfil the requirements of a law for balancing privacy rights with legitimate state interests.
Dr Kamlesh Bajaj (East Western Institute ,NIIT University), VIF
14 May 2019