Recent Posts
Connect with:
Thursday / April 15
HomeBlogPanel Summary Report: Privacy and Passenger Biometrics

Panel Summary Report: Privacy and Passenger Biometrics

Image credit: Hanson Lu

By Bailey Cordrey

On February 10, 2021, the Institute for Peace & Diplomacy (IPD), in collaboration with InterVISTAS Consulting, hosted a panel discussion on “Privacy and Passenger Biometrics: New Developments and Perspectives.” The focus of the panel was to discuss developments and perspectives regarding new applications of biometric data systems and facial recognition technologies in airport environments. Fundamental policy issues around the protection of personal air traveller data as well as digital profiles and identities were also explored. Our four esteemed panelists included:

  • John P. Wagner, Former Deputy Executive Assistant Commissioner (Office of Field Operations), U.S. Customs and Border Protection (CBP)
  • Ellen McClain, Former Deputy Assistant Secretary, U.S. Department of Homeland Security (DHS); Vice President, InterVISTAS Consulting Inc.
  • Isabelle Lelieur, Partner, Cabinet Chevrier Avocats, Paris
  • Jacqueline Lu, Co-Founder, Helpful Places

The panel was moderated by Paul Clark, Vice President of InterVISTAS Consulting.

Solomon Wong, President and CEO of InterVISTAS Consulting, opened the panel with brief remarks on the importance of balancing the practical benefits offered by biometrics systems against the policy challenges underlying the regulation of emergent technologies. Wong also observed that demand for “touchless travel” resulting from the coronavirus pandemic has been an additional driver toward the application of biometric technologies across modes of transport. He noted that digital identity, globalization and stakeholder engagement would be important themes throughout the panel. Following this introduction, Moderator Paul Clark guided panelists to individually share their insights on the topic at hand before inviting live questions from the audience.

Ellen McClain began by discussing the legal landscape with respect to privacy and the collection and use of biometric data. Generally speaking, she noted, a person’s reasonable expectation of privacy is protection from government intrusion, but there is less consensus about how lawmakers and courts view the balance between technology and privacy in commercial contexts. The three biggest concerns of data subjects appear to be breaches, function creep and data sharing. Currently, the US lacks a comprehensive federal law regulating the collection and use of biometric data, resulting in what commentators have called a ‘patchwork’ of sector- and state-specific laws, which fail to adequately address the interconnected nature of data networks. To aid her summary, McClain switched focus to the European Union’s General Data Protection Regulation (GDPR) requirements, which can apply to any business that processes the personal data of EU residents, regardless of where the company is located or where the processing occurs. Last July, the European Court of Justice invalidated the EU-US Privacy Shield Agreement, ruling that US law failed to protect personally identifiable data from surveillance by government agencies. As a result, entities that transfer data pertaining to EU persons must adopt GDPR-approved mechanisms or cease business in the region. McClain contends that US laws are concerned with imposing requirements and restrictions on commercial entities, while the EU emphasizes protecting data subjects’ rights and empowering them as data owners. She concluded her segment with advice for commercial operators: understand the legal landscape in which you operate and remain in compliance with regional regulations to garner trust from travelers and avoid government scrutiny.

John Wagner contributed his perspective as a former public servant of US Customs and Border Protection (CBP). Wagner explained how the assemblage of checkpoints and portals embedded within airport settings work in tandem to verify the identity of travelers and reduce dependency on one singular screening modality. A challenge for these multiplicitous systems, however, is striking a balance between security efficiency and protection for civil liberties in such a way that is both jurisdictionally and functionally adaptable. This was identified as a priority in the 9/11 Commission Report, which recommended that the Department of Homeland Security (DHS) and CBP co-develop a discrete biometrics-based departure control system. Early on, this system relied on stovepiped novel data contributions, though recent iterations have adapted to collate data from other government and industry sources. This practice has created an information ‘ecosystem’ fed by many tributaries, capable of verifying the identity of travelers remotely and in real-time. Travelers, in return, receive the benefit of an intuitive and expedited check-in process. However, the application of these new technologies pose several intersecting privacy challenges for administering agencies and private vendors, such as the collection of informed consent from data subjects. Wanger concluded by reiterating the CPB’s overarching goal to build a hygienic, efficient and scalable identity verification system enabled by biometric data–especially in light of the barriers to international travel posed by the coronavirus pandemic. 

Isabelle Lelieur was next to join the dialogue, sharing insights on the EU GDPR based on her specialization in aviation law. Her presentation sought to address the EUs legal foundation for data protection, and to what extent biometric data are subject to special protection. Lelieur began by reviewing the three main uses of biometric technologies in airport settings: border control, passenger journey facilitation and mass surveillance. The GDPR recognizes biometric data as ‘sensitive’ and, therefore, subject to special provisions. Since biometric data is produced by the body, is unique and permanent to each individual, and can be used to identify someone without their consent, these characteristics warrant the prohibition of biometric data processing, unless certain prerequisites are fulfilled according to the GDPR. The data controller must prove that the collection of biometric data is both necessary and proportionate, and that data collection is minimized to only fulfil the requirements of legitimate interest. Next, the data subject shall have given explicit consent to the processing of those personal data for specific purposes, and finally, the individual shall be allowed to opt-out of participating in a biometric system in favour of an alternative without any penalties or constraints. Should all these conditions be met, a data controller must administer a data protection impact assessment prior to processing. Lelieur closed with an analysis of each functional biometric system used in airport environments. While border controls are broadly lawful and passenger journey facilitation is relatively well admitted (providing that GDPR provisions are scrupulously fulfilled), wide surveillance of public space remains controversial. 

Jacqueline Liu’s presentation concentrated on the technological design aspects of connectivity-enabling biometric systems. As Co-Founder of Helpful Places and Data Lead at the Mozilla Foundation, she works to improve digital transparency in the public realm with multi-medium communication strategies. Liu shared two key questions that guide her practice: (1) How do we think about solving the needs of people with embedded technologies in the built environment? (2) How do we empower people to understand the why and how of their data processing?

Digital Trust for Places and Routines (DTPR) is a conceptual framework preoccupied with building mechanisms for notification and accountability within environments that host technological features–biometric systems included. It is founded on the principle that people should be able to quickly understand how these technologies work and the purposes that they serve. Through rounds of design-led prototyping and research, Liu understands that user trust first and foremost demands transparency on the part of data controllers, but requires accountability and meaningful participant agency to be sustainable. DTPR attempts to fulfil these parameters with visual markers that make the covert technological features of built environments legible. These markers are intended to be combined with feedback receptors to facilitate two-way communication between data subjects and data controllers. Liu concluded that conversations about digital systems should not only address regulatory standards, but also consider user experience. Connectivity-enabling biometric systems have the potential to make travel more “delightful” for users. 

Following a round of questions from the audience, the panel discussion closed at 12:00 ET. To review the entire live discussion, watch the recording on our YouTube channel and subscribe for more Canadian foreign policy analysis.