World View | In the Land of Cheese, Tulips and Biometrics

Biometrics are moving into daily life in the Netherlands, but Europe's stringent data protection requirements may or may not be applied.

The transformation taking place in the Netherlands is similar to what occurred in the States during the fifties and sixties with the use of credit cards. Then, credit cards were billed as a more convenient way of paying for relatively small purchases like gasoline, department store purchases and dining out. At the time credit cards were introduced, scarcely anyone was concerned about the protection of peoples personal details. The focus was on convenience and increasing buying opportunities and identity theft was a relatively uncommon phenomenon.

It was only decades later, when credit cards became deeply ingrained in everyday American life, that concerns have began to emerge about protecting personal information. The recent arrest of Mr. Albert Gonzalez (no relation to the former U.S. Attorney General) for stealing credit card information by utilizing an advanced technological attack called war driving underscores the point. Mr. Gonzalez drove by and scanned corporations looking for unprotected wireless networks. Once a vulnerability was found, he installed sniffer programs on the network designed to ferret out personal information—especially credit card information. This type of advanced technological theft could not possibly have been imagined in the United States at the time credit cards were being introduced.

Fortunately, the Netherlands might be able to avoid similar type problems with its use of biometrics. Like most European countries, the Netherlands has strong privacy protections — protections which were put in place to guard against abuses that occurred during totalitarian regimes of the recent past. A persons biometric, be it their fingerprint or iris scan, would certainly qualify as personal information and would be subject to the provisions of the European Unions Data Protection Act.

Granted, the consumer protections established in the Data Protection Act cannot, of themselves, protect against potential technological attacks which may occur in the future, but what it can and does do is lay the groundwork for a regulatory regime that will insist that due care be taken by organisations possessing citizens biometric data.

Just as Federal Reserve bank regulators today insist that the banks they regulate possess adequate means of protecting Internet banking, so too, must the various Information Commissioners in the EU states ensure that organisations possessing citizens biometric information have adequate security measures in place. If this path is followed, then perhaps the next generation of commercial transactions will have learned the lessons of the previous generation. If not, we may face what Yogi Berra once observed, "It's like deja vu all over again." ##