10 September 2011

Scanning

Olga Mironenko's succinct 'Body Scanners Versus Privacy & Data Protection' (University of Oslo Faculty of Law Research Paper No. 2011-20) offers a cogent and nicely-illustrated comment on law and body scanning technologies.

Mironenko indicates that -
In recent history, the world has experienced dramatic events which have had a substantial effect on the balance between human rights protection and security measures. Body scanners installed at airports are intended to protect our lives. But at the same time they have a serious impact on privacy and data protection. The international legislation allows limiting people's rights and freedoms, but only if it is in accordance with the law and is proportionate and necessary for national security, public safety and for the protection of the rights and freedoms of others. Do body scanners respect these principles? The article examines the current situation, its background and future prospects. It discusses and analyzes the key terms and legal instruments, problems, disputes and proposed "safeguards". The work concludes by pointing out the unlawfulness of current regimes and sets forth perspective on the possible solutions.
She comments that -
breaching people’s rights and freedoms can be justified under human rights legislation, if it is done in accordance with the law and is proportionate and necessary for national security, public safety and for the protection of the rights and freedoms of others. If it is accepted that the security benefit outweighs the health and privacy risks, this does not automatically mean that privacy and other values should be given up or that standards should be reduced. Increased security does not always mean reduced privacy.

Nevertheless, in the meantime the governments have failed to demonstrate that the body scanner security policy is currently justifiable within the law. Existing legislation and proposals suffer from various weaknesses and need improving. From the EU Commission’s Report and other consultation papers we can see some endeavors to incorporate and ensure the aforementioned standards, but they all contain weak privacy provisions that ignore many of the problems already identified in relation to the devices.

While halting the deployment of scanners would be unrealistic, a more practical solution would be to adopt appropriate legal, policy and technical measures focusing on two key aspects: regulate and control (i) the adoption of the scans and (ii) the use of the scans. In addition to legal norms, the means for ensuring their effective application should be established as well.

The deployment of the machines should be restricted by law and permitted only under conditions where it is necessary. From the effectiveness prospects, as long as the technology detects such sensitive items as prosthetics, breast implants, diapers, etc. and may fail to tell the difference between them and weapons, the law should provide that body scanners may neither be used as the only or primary method of screening passengers, nor as a method for screening any person unless another method of screening, such as metal detectors or behavior analysis, gives cause for additional searches. Any derogations and exceptions should be provided by law and applied strictly.

In order to evaluate the necessity, reasonableness and proportionality of the technology applications, several factors should be taken into consideration: available alternatives, types of scans chosen, technical features, etc. Different devices may differ in the effectiveness levels and privacy impacts. To decide which kind of technology to choose an evaluation of all relevant factors should be fulfilled. Much expectation is also made to the new generation of scanners which would enable a technical solution to some of the ‘privacy issues’.

An option of alternative security methods should be further developed and made available to people with ‘privacy concerns’ and/or who do not consent. States should concentrate on developing alternative solutions that are non-invasive or less invasive for passengers.

Data protection framework could be improved by establishing detailed mechanisms to enable individuals to enforce their rights. Passengers should be provided with appropriate, comprehensive and clear information about the applicable security measures - along with information regarding the protection of their rights - before traveling and before purchasing the tickets.

Complete and reliable information regarding the functioning and technical specifications of the devices, reviewed and examined by competent authorities (including independent reviewers), should be provided and made publicly available in an appropriate form. Moreover, there should be specific requirements regarding the quality of the machines. Technical specifications should include limitations on image capture, storage, or copying. The requirement of a system of encryption, password or similar security, different identification/authentication mechanisms as well as usage of other technical measures enhancing privacy and data protection should be provided and regulated by law. These requirements should concern all the stages of the technology operation, with the measures being integrated into the devices already at the design phase. All technical requirements should not only be established by law, but be accompanied by control and enforcement mechanisms.

Since the images produced by scans include sensitive information, they should receive stricter privacy protection. The potential of extracting health information should not be underestimated. A simple general prohibition is unlikely to be a practical solution. Further research is needed to deal with such risks (Liu, 2010).

In addition to general privacy and data protection regulations such as the Directive 95/46/EC, other regulatory models may be used for the scanners. It would be a good idea if the ICAO took the initiative to establish global common rules and standard approaches for the image screening technologies, particularly in relation to ensuring passengers’ rights, as has already been done with some other security measures. Although the ICAO’s regulations and guidelines are recommendations only and not obligatory for contracting states, they could become helpful in efforts to establish global, standard approaches in the aviation industry, which by definition is international in scope.

Furthermore, the ICAO’s role could be revised, so that it might be enabled not only to establish, but to enforce such rules. Another option would be adoption of industry self-regulations in the form of Code of conduct, so-called “binding corporate rules”, which are “a set of legally-binding data processing rules adopted by a company or groups of companies and which grant rights to data subjects” (Kuner, 2007, 4.120). Such combination of general privacy and data protection legislation with special guidelines and regulations on the technology may be a promising solution.