Online Behavior Recognition: Can We Consider It Biometric Data under GDPR?
Vol. 12, No. 2 (2018)
Our everyday use of electronic devices and our searches for various content online provide valuable insights into our functioning and preferences. Companies usually extract and analyze this data in order to predict our future behavior and to tailor their marketing accordingly. In terms of the General Data Protection Regulation (GDPR), such practice is called profiling and is subject to specific rules. However, behavior analysis can also be used for unique identification or verification of a person's identity. Therefore, this paper claims that, under certain conditions, data about the online behavior of an individual fall into the category of biometric data within the meaning defined by the GDPR. Moreover, this paper claims that profiling of a person can not only be performed on existing biometric data as biometric profiling, but can also lead to the creation of new biometric data by constituting a new biometric template. This claim is based both on legal interpretation of the concepts of biometric data, unique identification, and profiling, and on an analysis of existing technologies. This article also explains under which conditions online behavior can be considered biometric data under the GDPR, at which point profiling results in the creation of new biometric data, and what the consequences are for a controller and data subjects.
Behavior Analysis; Behavior-based Tracking; Behavioral Biometrics; Biometric Data; General Data Protection Regulation; Personal Data; Privacy; Profiling; Unique Identification
p. 161–178
Alžběta Krausová
Institute of State and Law of the Czech Academy of Sciences
Copyright © 2018 Masaryk University Journal of Law and Technology