Wednesday, 12 November 2003
Setback for "Simplified Travel" field test
Greece's national data protection authority has blocked a test that was scheduled to begin later this month of fingerprinting and iris scans of passengers on Athens-Milan flights.
The ruling is a major setback for the joint IATA/SITA Simplifying Passenger Travel (SPT) project, in which "biometric" data plays a central role:
The one-stop check concept is built around a passenger "travel card" which facilitates all aspects of the journey from initial enquiry/reservation through to baggage pick-up and exit at final destination. The card will be a "smart-card" holding secure personal data, including a machine-readable biometric, and passport/visa information.
(There's no explicit reference to remotely-readable radio-frequency ID chips in the SPT concept description, and RFID wouldn't have been used in the pilot programs, but the final SPT cards would almost certainly include RFID chips.)
Like every European Union member country, Greece has a national data privacy protection commisison responsible for enforcement of the EU Data Protection Directive as well as the country's own privacy laws. EU airlines have been leaders in the SPT project; if other EU countries' data projection authorities take the same view of the illegality of biometric data collection as their counterparts in Greece, the whole SPT porject will have to go back to the drawing board, if it isn't abandoned altogether.
SAS (Scandinavian Airlines System) is scheduled to begin another major SPT pilot test later this month, also involving fingerprinting and iris scans of passengers , at the much smaller airport in Umea, Sweden. Sweden is an EU member, and has its own strong privacy law, but SAS has gone further than any other airline in deploying multi-purpose smart frequent flyer/debit/e-ticket cards. So far as I know, Swedish courts and data protection authorities haven't yet been asked to rule on the legality of the planned test.
Airlines have conflicting interests in potentially privacy-invasive technologies: On the one hand, these programs might have operational and marketing advantages for airlines (especially if airlines are allowed free use of data passengers are required to provide on ostensible grounds of "security"). On the other hand, excessive data collection is likely to run afoul of many countries' privacy laws, in ways that could prove impossible for airlines to comply with if data collection demands by some other countries' (especially the USA) aren't harmonized with global privacy norms.
The airlines' official collective positions reflect this contradiction: the declared priorities of the International Air Transportation Association (IATA) include the following two potentially contradictory items under the heading of "Security":
- Promote the implementation of global biometric techniques that enhance aviation security and passenger convenience.
- Ensure that new regulations affecting Advance Passenger Information [which are the subject of the current USA-EU negotiations] are internationally harmonised and minimally disruptive to airline costs and operations.