Privacy and body scanners: Finding the balance

The failed terrorist attack on Christmas Day last year, involving a Northwest Airline aircraft bound to Detroit from Amsterdam, reminded us of the limitations of the commonly used metal detectors when a passenger carries non-metallic threat items. In 2006, the threat of liquid explosives had already compelled authorities to heighten security levels by prohibiting the carrying of liquids on board aircrafts.

These incidents highlight the fact that nowadays aviation security is facing new types of threats; threats to which traditional security technologies deployed at airport checkpoints do not always deliver adequate and efficient results. This has instigated some EU member states to introduce, on an experimental basis, security scanners at their respective airports.

In accordance with EU law, member states may solely introduce the use of security scanners either by exercising the right to apply security measures that are more stringent than existing requirements or as a temporary measure to conduct trials of new technical process or methods for an established period of time. Equipment trials, as a primary method for screening passengers, were undertaken in various European countries including Finland, the UK, the Netherlands and recently France and Italy.

The current legislative framework does not permit airports to systematically replace any of the recognised screening methods and technologies by security scanners. A decision by the European Commission, supported by member states and the European Parliament, can be the basis for allowing security scanners as a further eligible method for aviation security.

A security scanner or body scanner, as it is more commonly known, is the generic term used for a technology that is capable of detecting objects worn on the body or on the garments of the screened individual. Several forms of radiation, differing in wavelength and energy emitted, are used to identify any object distinct from the human skin. In aviation, security scanners could potentially replace the walk-through metal detectors as a means of screening passengers to identify both metallic and non-metallic objects, including plastics and liquids.

The capturing and processing of the image of an identified or identifiable person by a security scanner, in order to allow a human reviewer to perform the security relevant assessment, certainly falls under EU legislation on data protection. The three criteria against which the scanning has to be assessed include, whether the measure proposed is appropriate to achieve the objective, whether it does not go beyond what is necessary to achieve this objective and whether there are no less intrusive methods or means.

The European Directive on Data Protection requires that passengers should be informed prior to being subjected to the scanning technology and shall be granted the opportunity to opt for the conventional physical pat-down, given that such technology is still at trial stage. Passengers do also have the right to be adequately informed of the possible use of their images. As a rule, personal data, such as images, should be processed in compliance with the applicable data protection principles and solely used for aviation security purposes.

In principle, the storage and retrieval of images created by the security scanner should not be possible once a person has been screened and cleared of holding any threat items. Only where an individual is found to be in possession of a prohibited article may the respective images be retained as evidence, until the passenger is ultimately cleared or denied access to the security restricted area and eventually the aircraft.

Existing technical solutions, incorporating privacy by design methodologies and privacy enhancing technologies, provide the right platform for system developers to address certain areas of the scanners which concern the protection of human dignity and other fundamental rights. For instance, it is possible to produce the images on a stylised human figure or mannequin and which do not reveal any real parts of the screened person's body but only identifies the location demanding further search.

An additional solution to address data protection requirements and eventually phase out human analysis of images is expected to be the automation of the object recognition process, generally referred to as automatic threat recognition (ATR). It may be either used to assist the human screener in interpreting images or to carry out this interpretation automatically. Technologies allowing fully automated threat recognition have been tested in laboratories and are ready for member states to test them at airports.

Common EU standards for security scanners can ensure an equal level of protection on fundamental rights and health. A common level of protection for European citizens in this respect could be ensured by way of technical standards and operational conditions that would have to be laid down in EU legislation. Only an EU approach would legally guarantee uniform application of security rules and standards throughout all EU airports.

This is essential to ensure both the highest level of aviation security as well as the best possible protection of EU citizens' fundamental rights and health. The deployment of any security scanner technology requires a rigorous scientific assessment of the potential health risks that such technology may pose for the population. Scientific evidence documents the health risks associated with exposure to ionising radiation. It justifies particular precaution in considering the use of such radiation in security scanners.

The balance between the deployment of advanced technological tools to ensure high security level and the respect of fundamental human rights, once again, presents a challenge for both legislators and civil liberties who are tasked to define the subtle line which exists in this area.

Mr Deguara is the head of the technical unit in the Office of the Data Protection Commissioner.