Tamas Bisztray,Nils Gruschka,Thirimachos Bourlai,Lothar Fritsch

DOI: https://doi.org/10.1109/BIOSIG52210.2021.9548298

2022-11-23

Abstract:Technological advancements allow biometric applications to be more omnipresent than in any other time before. This paper argues that in the current EU data protection regulation, classification applications using biometric data receive less protection compared to biometric recognition. We analyse preconditions in the regulatory language and explore how this has the potential to be the source of unique privacy risks for processing operations classifying individuals based on soft traits like emotions. This can have high impact on personal freedoms and human rights and therefore, should be subject to data protection impact assessment.

Cryptography and Security,Computers and Society

Jordan Deliversky,Mariela Deliverska

DOI: https://doi.org/10.3389/fpubh.2018.00025

IF: 5.2

2018-02-12

Frontiers in Public Health

Abstract:Ethical and legal considerations with regards to biometric data usage are directly related to the right to protection of personal data, which is part of the rights protected under the European Convention of human rights. Specific protection is required to the process and use of sensitive data which reveals certain personal characteristic and is related to the health status of individuals. Biometric data and information on individual upon which people could be identified based on specifics and distinguishing signs. Bulgaria, as a country progressing in terms of integration of digital technologies and as a European Union member state has adopted international and universal legal instruments related on the procession and use of digital data and data protection. On legislative and ethical grounds, it has been established the particular importance of not violating human rights and individual freedoms when processing and using personal data. It has been noted that the processing of special categories of personal data may be necessary for reasons of public interest in the field of public health and that is why under such circumstances it has been permitted the procession to be carried on without the consent of the data subject. Lack of transparency and lawfulness of the processing of personal data could lead to physical, tangible, or intangible damages where processing could lead to discrimination, identity theft, or identity fraud as a result of which may be significant adverse economic or social consequences. Increasingly, widespread use of biometrics in the implementation of medical activities requires the application of a new approach in terms of awareness regarding existing risks to the rights, ethics, and freedoms of all of us, as a user of medical service.

public, environmental & occupational health

Joanna Osiejewicz,Dmytro M Zherlitsyn,Svitlana M Zadorozhna,Oleksii V Tavolzhanskyi,Maryna O Dei

DOI: https://doi.org/10.1007/s41649-022-00231-4

2022-11-14

Abstract:The application of the latest technologies in biology and medicine has brought them to a qualitatively new level of possibilities. Worldwide, biobanking is actively developing through the creation of biobanks of various types and purposes, whose resources are used to solve therapeutic or scientific problems. Legal science remains an open question concerning the boundary that runs between the right to data protection and the scope of disclosure of data needed for medical purposes. In this article, the author considers peculiarities of data processing in the context of biobanking activity on the example of Austria and its national legislation. In addition, the article reveals features of the approaches of the European Court of Human Rights (ECtHR) and the Council of Europe to the issue of biobanking in general, its characteristics in the context of data, and legal regulation of this phenomenon in the national law of states. The author devoted an important part of the study to the role of Austria's experience in the context of data processing for scientific purposes and the development of biobanking for a number of other European states. The aim of the article is to analyze the Austrian legislation on data processing for scientific research and biobanking, the attitude of the Council of Europe to this phenomenon, and the practice of the ECtHR, as well as to consider the impact of the current world situation on these activities. The leading method of research used in the article is the formal-legal method. The article analyzes the Austrian law in the context of data processing in medical research, the relationship of the specifics of personal data protection, and the need to disclose them for scientific purposes. The author pays special attention to the influence of Austrian law on the legislation of other countries, which is reflected in the conclusions to the article. In addition, based on an analysis of the application of the Austrian experience to the legislation of Poland and Ukraine, the author points out the necessary changes that should be made in the laws of these countries.

Pietro Melzi,Christian Rathgeb,Ruben Tolosana,Ruben Vera-Rodriguez,Christoph Busch

DOI: https://doi.org/10.48550/arXiv.2206.10465

2022-06-21

Abstract:Privacy-enhancing technologies are technologies that implement fundamental data protection principles. With respect to biometric recognition, different types of privacy-enhancing technologies have been introduced for protecting stored biometric data which are generally classified as sensitive. In this regard, various taxonomies and conceptual categorizations have been proposed and standardization activities have been carried out. However, these efforts have mainly been devoted to certain sub-categories of privacy-enhancing technologies and therefore lack generalization. This work provides an overview of concepts of privacy-enhancing technologies for biometrics in a unified framework. Key aspects and differences between existing concepts are highlighted in detail at each processing step. Fundamental properties and limitations of existing approaches are discussed and related to data protection techniques and principles. Moreover, scenarios and methods for the assessment of privacy-enhancing technologies for biometrics are presented. This paper is meant as a point of entry to the field of biometric data protection and is directed towards experienced researchers as well as non-experts.

Computer Vision and Pattern Recognition

Graham Pearce,Nicholas Platten

DOI: https://doi.org/10.1111/1468-5965.00138

1998-12-01

Abstract:Actions aimed at exploiting the benefits of information and communication technologies have become a major focus of European Community (EC) policy.The new technologies offer considerable benefits to consumers, businesses and governments, but there is growing concern that their widespread use may threaten the privacy of personal information. Increases in transborder data flows, within the EC and globally, imply that a EC‐wide, and ultimately a global, approach is more appropriate than one based upon national rules. This article examines the evolution of EC personal data protection policies and concludes that, whilst considerable progress has been made towards establishing a regulatory framework, advances in technology and continuing variations in national responses seeking to protect personal privacy, are major obstacles to achieving data protection equivalence, both within the EC and in third countries.

economics,international relations,political science

Andrea Parziale,Deborah Mascalzoni

DOI: https://doi.org/10.3389/fpsyt.2022.873392

IF: 4.7

2022-06-10

Frontiers in Psychiatry

Abstract:Psychiatric research traditionally relies on subjective observation, which is time-consuming and labor-intensive. The widespread use of digital devices, such as smartphones and wearables, enables the collection and use of vast amounts of user-generated data as "digital biomarkers." These tools may also support increased participation of psychiatric patients in research and, as a result, the production of research results that are meaningful to them. However, sharing mental health data and research results may expose patients to discrimination and stigma risks, thus discouraging participation. To earn and maintain participants' trust, the first essential requirement is to implement an appropriate data governance system with a clear and transparent allocation of data protection duties and responsibilities among the actors involved in the process. These include sponsors, investigators, operators of digital tools, as well as healthcare service providers and biobanks/databanks. While previous works have proposed practical solutions to this end, there is a lack of consideration of positive data protection law issues in the extant literature. To start filling this gap, this paper discusses the GDPR legal qualifications of controller, processor, and joint controllers in the complex ecosystem unfolded by the integration of digital biomarkers in psychiatric research, considering their implications and proposing some general practical recommendations.

psychiatry

John M M Rumbold,Barbara K Pierscionek

DOI: https://doi.org/10.1186/s12910-017-0184-y

2017-04-08

Abstract:The EU offers a suitable milieu for the comparison and harmonisation of healthcare across different languages, cultures, and jurisdictions (albeit with a supranational legal framework), which could provide improvements in healthcare standards across the bloc. There are specific ethico-legal issues with the use of data in healthcare research that mandate a different approach from other forms of research. The use of healthcare data over a long period of time is similar to the use of tissue in biobanks. There is a low risk to subjects but it is impossible to gain specific informed consent given the future possibilities for research. Large amounts of data on a subject present a finite risk of re-identification. Consequently, there is a balancing act between this risk and retaining sufficient utility of the data. Anonymising methods need to take into account the circumstances of data sharing to enable an appropriate balance in all cases. There are ethical and policy advantages to exceeding the legal requirements and thereby securing the social licence for research. This process would require the examination and comparison of data protection laws across the trading bloc to produce an ethico-legal framework compatible with the requirements of all member states. Seven EU jurisdictions are given consideration in this critique.

Evert-Ben van Veen

DOI: https://doi.org/10.1016/j.ejca.2008.03.011

Abstract:Most European biomedical research projects are about data. Research with tissue is about data as well; data will accompany the tissue, and data will be derived from analysing the tissue. Data can be merged with data from various sources, copied and re-analysed in the context of European projects. Privacy enhancing technologies (PET) should be used for transferring data from participating centres to the level where data are being merged. PET provide coding techniques which allow donors to be anonymous and still uniquely discernable. It is defended that under certain conditions two-way coded data can be considered as anonymous data in the sense of the European Data Protection Directive. Divergent interpretations of this Directive and most of all about the concept of coded-anonymous data is one of the main obstacles to observational research in Europe. The Data Protection Authorities will have to relax the extremely high threshold before data cannot be considered personal data anymore. Arguments are given for such relaxation. Besides the logic and logistics of data transfer in European projects, it is also about trust and a realistic risk assessment. In spite of the massive dataflow in European research projects no breach of confidentiality has ever been reported. The ethical rationale of such projects can be based on the principles of citizenship and solidarity provided that certain safeguards are met by which that research will remain observational. However, if the project does not preclude individual feed-back on the outcomes of research, as in theory would be possible with two-way coded tissue, that tissue cannot be considered anonymous. It is argued that in most tissuebanking projects individual feed-back should be excluded. Tissuebanking for research should not turn into medical screening without applying the established criteria for screening to it. If individual feed-back is not foreseen, two-way tissue should be considered anonymous, under the same conditions as two-way coded data. Good research governance is proposed as the way forward in the longer run. Good research governance is about a fair balance between the interests of all stakeholders. It should make the basic principles transparent on which observational research projects are based in line with European solidarity-based healthcare systems. It should encompass principles on how the general results of research will be disseminated, 'conflict of interests' policies, how the issues of intellectual property rights are dealt with, how the confidentiality of personal data of donors is maintained, etc. This should not become an extra bureaucratic layer. A good research governance framework should not establish rules but principles which provide enough flexibility for the specifics of a project, according to the 'comply or explain' principle. Such research governance should be developed bottom-up, by researchers together with the most interested stakeholders, patient organisations. Patients as 'biosocial citizens' are the natural allies of researchers against the 'paternalistic attitudes' of some ethicists and regulators.

Alessandro Mantelero

DOI: https://doi.org/10.1016/j.clsr.2016.01.014

2016-04-01

Abstract:In the big data era, new technologies and powerful analytics make it possible to collect and analyse large amounts of data in order to identify patterns in the behaviour of groups, communities and even entire countries.Existing case law and regulations are inadequate to address the potential risks and issues related to this change of paradigm in social investigation. This is due to the fact that both the right to privacy and the more recent right to data protection are protected as individual rights. The social dimension of these rights has been taken into account by courts and policymakers in various countries. Nevertheless, the rights holder has always been the data subject and the rights related to informational privacy have mainly been exercised by individuals.This atomistic approach shows its limits in the existing context of mass predictive analysis, where the larger scale of data processing and the deeper analysis of information make it necessary to consider another layer, which is different from individual rights. This new layer is represented by the collective dimension of data protection, which protects groups of persons from the potential harms of discriminatory and invasive forms of data processing.On the basis of the distinction between individual, group and collective dimensions of privacy and data protection, the author outlines the main elements that characterise the collective dimension of these rights and the representation of the underlying interests.

law

Martí Cuquet,Guillermo Vega-Gorgojo,Hans Lammerant,Rachel Finn,Umair ul Hassan

DOI: https://doi.org/10.48550/arXiv.1704.03361

2017-04-11

Computers and Society

Abstract:This paper presents the risks and opportunities of big data and the potential social benefits it can bring. The research is based on an analysis of the societal impacts observed in a set of six case studies across different European sectors. These impacts are divided into economic, social and ethical, legal and political impacts, and affect areas such as improved efficiency, innovation and decision making, changing business models, dependency on public funding, participation, equality, discrimination and trust, data protection and intellectual property rights, private and public tensions and losing control to actors abroad. A special focus is given to the risks and opportunities coming from the legal framework and how to counter the negative impacts of big data. Recommendations are presented for four specific legal frameworks: copyright and database protection, protection of trade secrets, privacy and data protection and anti-discrimination. In addition, the potential social benefits of big data are exemplified in six domains: improved decision making and event detection; data-driven innovations and new business models; direct social, environmental and other citizen benefits; citizen participation, transparency and public trust; privacy-aware data practices; and big data for identifying discrimination. Several best practices are suggested to capture these benefits.

Katarzyna Kolasa,W Ken Redekop,Alexander Berler,Vladimir Zah,Carl V Asche

DOI: https://doi.org/10.1007/s40273-020-00927-1

PharmacoEconomics

Abstract:The development of evidence to demonstrate 'value for money' is regarded as an important step in facilitating the search for the optimal allocation of limited resources and has become an essential component in healthcare decision making. Real-world evidence collected from de-identified individuals throughout the continuum of healthcare represents the most valuable source in technology evaluation. However, in the European Union, the value assessment based on real-world data has become challenging as individuals have recently been given the right to have their personal data erased in the case of consent withdrawal or when the data are regarded as being no longer necessary. This act may limit the usefulness of data in the future as it may introduce information bias. Among healthcare stakeholders, this has become an important topic of discussion because it relates to the importance of data on one side and to the need for personal data protection on the other side, especially when it comes to "personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about his or her health status". At the forefront of these discussions are data protection issues as well as the population's trust in digital services. It seems that the new era has begun, where citizens and patients will have the ability to manage their personal or self-generated data. The European Commission has laid the groundwork for this paradigm shift that will steadily emerge in the coming years. To prepare for this change, we believe attention should be given to data security and other rules of data privacy. It has become increasingly important to ensure that individuals are properly introduced into complex environments with multiple sources of Big Data for clinical and behavioral purposes to provide an optimal balance between societal and individual benefits. In this article, a number of issues are considered and discussed, based upon the authors' experience, with the aim of helping the reader better understand the implications of the use of Big Data and the importance of data protection in the coming years.

Paul Balanoiu

DOI: https://doi.org/10.48550/arXiv.1002.3475

2010-02-18

Abstract:Most developed countries have started the implementation of biometric electronic identification cards, especially passports. The European Union and the United States of America struggle to introduce and standardize these electronic documents. Due to the personal nature of the biometric elements used for the generation of these cards, privacy issues were raised on both sides of the Atlantic Ocean, leading to civilian protests and concerns. The lack of transparency from the public authorities responsible with the implementation of such identification systems, and the poor technological approaches chosen by these authorities, are the main reasons for the negative popularity of the new identification methods. The following article shows an approach that provides all the benefits of modern technological advances in the fields of biometrics and cryptography, without sacrificing the privacy of those that will be the beneficiaries of the new system.

Cryptography and Security

Irena Barkane,Irena Nesterova

DOI: https://doi.org/10.3233/ip-211524

2022-04-22

Information Polity

Abstract:Artificial Intelligence (AI)-based surveillance technologies such as facial recognition, emotion recognition and other biometric technologies have been rapidly introduced by both public and private entities all around the world, raising major concerns about their impact on fundamental rights, the rule of law and democracy. This article questions the efficiency of the European Commission’s Proposal for Regulation of Artificial Intelligence, known as the AI Act, in addressing the threats and risks to fundamental rights posed by AI biometric surveillance systems. It argues that in order to meaningfully address risks to fundamental rights the proposed classification of these systems should be reconsidered. Although the draft AI Act acknowledges that some AI practices should be prohibited, the multiple exceptions and loopholes should be closed, and in addition new prohibitions, in particular to emotional recognition and biometric categorisation systems, should be added to counter AI surveillance practices violating fundamental rights. The AI Act should also introduce stronger legal requirements, such as third-party conformity assessment, fundamental rights impact assessment, transparency obligations as well as enhance existing EU data protection law and the rights and remedies available to individuals, thus not missing the unique opportunity to adopt the first legal framework that truly promotes trustworthy AI.

Dara Hallinan,Michael Friedewald

DOI: https://doi.org/10.1186/s40504-014-0020-9

Abstract:This article focuses on whether a certain form of consent used by biobanks--open consent--is compatible with the Proposed Data Protection Regulation. In an open consent procedure, the biobank requests consent once from the data subject for all future research uses of genetic material and data. However, as biobanks process personal data, they must comply with data protection law. Data protection law is currently undergoing reform. The Proposed Data Protection Regulation is the culmination of this reform and, if voted into law, will constitute a new legal framework for biobanking. The Regulation puts strict conditions on consent--in particular relating to information which must be given to the data subject. It seems clear that open consent cannot meet these requirements. 4 categories of information cannot be provided with adequate specificity: purpose, recipient, possible third country transfers, data collected. However, whilst open consent cannot meet the formal requirements laid out by the Regulation, this is not to say that these requirements are substantially undebateable. Two arguments could be put forward suggesting the applicable consent requirements should be rethought. First, from policy documents regarding the drafting process, it seems that the informational requirements in the Regulation are so strict in order to protect the data subject from risks inherent in the use of the consent mechanism in a certain context--exemplified by the online context. There are substantial differences between this context and the biobanking context. Arguably, a consent transaction in the biobanking does not present the same type of risk to the data subject. If the risks are different, then perhaps there are also grounds for a reconsideration of consent requirements? Second, an argument can be made that the legislator drafted the Regulation based on certain assumptions as to the nature of 'data'. The authors argue that these assumptions are difficult to apply to genetic data and accordingly a different approach to consent might be preferable. Such an approach might be more open consent friendly.

John Mark Michael Rumbold,Barbara Pierscionek

DOI: https://doi.org/10.2196/jmir.7108

IF: 7.076

2017-02-24

Journal of Medical Internet Research

Abstract:BACKGROUND: The enactment of the General Data Protection Regulation (GDPR) will impact on European data science. Particular concerns relating to consent requirements that would severely restrict medical data research have been raised.OBJECTIVE: Our objective is to explain the changes in data protection laws that apply to medical research and to discuss their potential impact.METHODS: Analysis of ethicolegal requirements imposed by the GDPR.RESULTS: The GDPR makes the classification of pseudonymised data as personal data clearer, although it has not been entirely resolved. Biomedical research on personal data where consent has not been obtained must be of substantial public interest.CONCLUSIONS: The GDPR introduces protections for data subjects that aim for consistency across the EU. The proposed changes will make little impact on biomedical data research.

health care sciences & services,medical informatics

Luis Felipe M. Ramos

2023-10-27

Abstract:Despite the increasing adoption of biometric technologies, their regulation has not kept up with the same pace, particularly with regard to safeguarding individuals' privacy and personal data. Policymakers may struggle to comprehend the technology behind biometric systems and their potential impact on fundamental rights, resulting in insufficient or inadequate legal regulation. This study seeks to bridge this gap by proposing a taxonomy of biometric technologies that can aid in their effective deployment and supervision. Through a literature review, the technical characteristics of biometric systems were identified and categorised. The resulting taxonomy can enhance the understanding of biometric technologies and facilitate the development of regulation that prioritises privacy and personal data protection.

Computers and Society,Cryptography and Security

Bart Custers,Francien Dechesne,Alan M. Sears,Tommaso Tani,Simone van der Hof

DOI: https://doi.org/10.1016/j.clsr.2017.09.001

2018-04-01

Abstract:Although the protection of personal data is harmonized within the EU by Directive 95/46/EC and will be further harmonized by the General Data Protection Regulation (GDPR) in 2018, there are significant differences in the ways in which EU member states implemented the protection of privacy and personal data in national laws, policies, and practices. This paper presents the main findings of a research project that compares the protection of privacy and personal data in eight EU member states: France, Germany, the UK, Ireland, Romania, Italy, Sweden, and the Netherlands. The comparison focuses on five major themes: awareness and trust, government policies for personal data protection, the applicable laws and regulations, implementation of those laws and regulations, and supervision and enforcement. The comparison of privacy and data protection regimes across the EU shows some remarkable findings, revealing which countries are frontrunners and which countries are lagging behind on specific aspects. For instance, the roles of and interplay between governments, civil rights organizations, and data protections authorities vary from country to country. Furthermore, with regard to privacy and data protection there are differences in the intensity and scope of political debates, information campaigns, media attention, and public debate. New concepts like privacy impact assessments, privacy by design, data breach notifications and big data are on the agenda in some but not in all countries. Significant differences exist in (the levels of) enforcement by the different data protection authorities, due to different legal competencies, available budgets and personnel, policies, and cultural factors.

law

Béatrice Godard,Jörg Schmidtke,Jean-Jacques Cassiman,Ségolène Aymé

DOI: https://doi.org/10.1038/sj.ejhg.5201114

2003-12-01

European Journal of Human Genetics

Abstract:The purpose of this paper is to formulate a professional and scientific view on the social, ethical, and legal issues that impact on data storage and DNA banking practices for biomedical research in Europe. Many aspects have been considered, such as the requirements for data storage and DNA banking in the public and private sectors in Europe and the issues relating to DNA banking, that is to say the consent requirements for the banking and further uses of DNA samples, their control and ownership, and the return of benefit derived from DNA exploitation to the community. The methods comprise primarily the review of the existing professional guidelines, legal frameworks and other documents related to the data storage and DNA banking practices in public and private sectors in Europe. Then, the issues related to DNA banking were examined during an international workshop organized by the European Society of Human Genetics Public and Professional Policy Committee in Paris, France, 07–08, April, 2000. A total of 50 experts from 12 European countries attended this workshop. It came out that DNA banking for medical and research purposes is indispensable. It facilitates the constitution of large collections, sharing of samples, multiple testing on the same samples, and repeating testing over the years. However, banking organization is complex, requires multiple actors, and concerns are expressed in various countries. International standardization of ethical requirements and policies with regard to DNA banking has been recommended. Such standardization would facilitate a greater protection of individuals as well as future international cooperation in biomedical research.

genetics & heredity,biochemistry & molecular biology

Andreas Hauselmann,Alan M. Sears,Lex Zard,Eduard Fosch-Villaronga

2023-09-20

Abstract:This article sheds light on legal implications and challenges surrounding emotion data processing within the EU's legal framework. Despite the sensitive nature of emotion data, the GDPR does not categorize it as special data, resulting in a lack of comprehensive protection. The article also discusses the nuances of different approaches to affective computing and their relevance to the processing of special data under the GDPR. Moreover, it points to potential tensions with data protection principles, such as fairness and accuracy. Our article also highlights some of the consequences, including harm, that processing of emotion data may have for individuals concerned. Additionally, we discuss how the AI Act proposal intends to regulate affective computing. Finally, the article outlines the new obligations and transparency requirements introduced by the DSA for online platforms utilizing emotion data. Our article aims at raising awareness among the affective computing community about the applicable legal requirements when developing AC systems intended for the EU market, or when working with study participants located in the EU. We also stress the importance of protecting the fundamental rights of individuals even when the law struggles to keep up with technological developments that capture sensitive emotion data.

Computers and Society,Human-Computer Interaction

Gauthier Chassang

DOI: https://doi.org/10.3332/ecancer.2017.709

2017-01-03

ecancermedicalscience

Abstract:The use of personal data is critical to ensure quality and reliability in scientific research. The new Regulation [European Union (EU)] 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [general data protection regulation (GDPR)], repealing Directive 95/46/EC, strengthens and harmonises the rules for protecting individuals' privacy rights and freedoms within and, under certain conditions, outside the EU territory. This new and historic legal milestone both prolongs and updates the EU acquis of the previous Data Protection Directive 95/46/EC. The GDPR fixes both general rules applying to any kind of personal data processing and specific rules applying to the processing of special categories of personal data such as health data taking place in the context of scientific research, this including clinical and translational research areas. This article aims to provide an overview of the new rules to consider where scientific projects include the processing of personal health data, genetic data or biometric data and other kinds of sensitive information whose use is strictly regulated by the GDPR in order to give the main key facts to researchers to adapt their practices and ensure compliance to the EU law to be enforced in May 2018.