Data related to a person's physical, biological, or physiological characteristics that enable an individual to be uniquely identified is considered to bebiometric data.[1]Using this kind of data can help to raise the security level and make identification and authentication procedures easy, fast and convenient. Technological progress has made biometric systems more accessible, but with the consequent positive results, new threats have emerged.[2]
Data protection authorities, civil liberties groups and some scholars have followed the growth of biometric technologies with a critical eye. A point of departure for their concern is the automation of biometric identification and authentication schemes.[3] In the words of the WP29,[4] these schemes change irrevocably the relation between body and identity, because they make the characteristics of the human body “machine-readable” and subject to further use.[5]
Besides, in recent years the extraction of many types of personal data from human biological material has reached enormous scales, in which genome sequencing has played a special role. The accuracy and scope of genetic testing within and beyond studies and treatments have increased, and the increase in scale has been facilitated by a drastic reduction in the cost of genome sequencing.[6]
Advances in genetic data processing technologies help researchers better study different diseases, identify ways to prevent and treat them, and acquire vital importance to humans and their health. Each person's genetic makeup is common to him/her, his/her family members, and the group to which he/she belongs. Consequently, genetic testing in order to assess health risks or to determine biological relationships affects not only the right to privacy of an individual but also raises the issue of privacy of a group of individuals. The indelible nature of genetic information and its potential implications for discriminatory treatment make it particularly sensitive.[7]
The growing ability to obtain a wide variety of information about humans as a result of genetic data processing and the unique nature of DNA makes it essential to exercise proper control over them and to have effective mechanisms for protecting privacy.
With the adopting General Data Protection Regulation (GDPR),[8]the Data Protection Directive 2016/680 for the police and criminal justice authorities, [9] as well as with the modernization of Council of Europe Convention 108, [10] legal instruments have emerged to regulate the processing of biometric and genetic data across Europe.
The General Data Protection Regulation, considered to be the most complex legal framework for data protection in the world, does not apply to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences.[11] Such processing is regulated by Directive 2016/680. Herein, neither the General Data Protection Regulation nor Directive 2016/680 applies[12] to the collection, storage, processing and exchange of data for national security purposes. The EU has no direct legislative power in this area, as under the Treaty on European Union, national security remains the sole responsibility of each Member State.[13]
As for the modernized Convention 108, it considers inadmissible a complete exception to the processing of data for the purposes of national security and defense. Exceptions are allowed only in respect of certain provisions, on the condition that such exceptions are provided for by law, that they respect the essence of the fundamental rights and freedoms, and are necessary in a democratic society.[14] Notwithstanding the exceptions allowed, the requirement that processing activities for national security and defense purposes be subject to an independent and effective review and supervision is laid down in the convention.[15]
The present study reviews the concept and area of application of biometric and genetic data, the threats and risks associated with their processing, and analyzes the principles and grounds for processing such data. The study also discusses certain judgments delivered by the European Court of Human Rights and the Court of Justice of the European Union regarding the processing of biometric and genetic data.
/public/upload/Analysis/Processing of Biometric and Genetic data_ENG.pdf
______
[1] 108+ Convention for the protection of individuals with regard to the processing of personal data, explanatory report, Par. 58, available at: https://bit.ly/3kF2S6lDate of access: 21.07.2021.
[2]Opinion 3/2012 on developments in biometric technologies, available at: https://bit.ly/2W6MtgTDate of access: 21.07.2021.
[3] Christopher Kuner, Lee A. Bygrave, Christopher Docksey, The EU General Data Protection Regulation (GDPR), A Commentary, Oxford University Press, 2020, p. 209.
[4] Advisory body that was based on the Data Protection Directive.
[5] Christopher Kuner, Lee A. Bygrave, Christopher Docksey, The EU General Data Protection Regulation (GDPR), A Commentary, Oxford University Press, 2020, p. 209.
[6]Christopher Kuner, Lee A. Bygrave, Christopher Docksey, The EU General Data Protection Regulation, A Commentary, Oxford University Press, 2020, p. 197.
[7] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, p. 85.
[8] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, available at: https://bit.ly/3C6j2Le Date of access: 20.07.2021.
[9] Directive (EU) 2016/680 of the European Parliament and of the Councilof 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data available at: https://bit.ly/3kTaS3d Date of access: 20.07.2021.
[10]Available at: https://bit.ly/3qqm0Ip Date of access: 20.07.2021.
[11] General Data Protection Regulation, article 2 (2)(d).
[12] General Data Protection Regulation, article 2 (2); 2016/680 Directive, article 2.
[13] Treaty on European Union, Article 4(2), available at: https://bit.ly/3cd5mDw Date of access:14.11.2021.
[14] 108+ convention, article 11.
[15] The Modernised Convention 108: novelties in a nutshell, available at: https://bit.ly/3caNkBXDate of access: 14.11. 2021.