Privacy & Information Security Law Blog

On February 1, 2010, it became compulsory for randomly selected passengers at Heathrow and Manchester airports in the UK to pass through full body scanners before boarding their flights.  This enhanced security screening has been implemented following the attempted Christmas Day terrorist attack at the Detroit airport in the United States, after which the British government announced that it would begin mandatory body scanning at all UK airports.  The move has raised concerns about the excessive collection of personal data.

The British Department of Transport has published an Interim Code of Practice covering the privacy, health and safety, data protection and equality issues associated with the use of body scanners. The Code calls for the implementation of detailed security standards and for an effective privacy policy to be put in place by airport operators. The privacy policy should include as a minimum:

• rules regarding the location of the equipment;
• a process for identifying who will read the screen (i.e., a person of the same sex as the person selected for scanning);
• a process for selecting passengers (passengers must not be selected on the basis of personal characteristics such as, gender, age, race or ethnic origin);
• a prohibition on copying or transferring the images in any way;
• instructions for the images of the passenger to be destroyed and rendered irretrievable once the image has been analyzed; and
• a process to call on an appropriate Security Officer if an image suggests there is a viable threat to passenger or staff security.

The use of body scanners caused alarm in the privacy community when it was first mooted several years ago. The concern was that scanners could violate the European Convention on Human Rights and that their use would raise sensitivities (or even result in the commission of criminal offenses) when used to capture images of children. Towards the end of 2008, the European Commission withdrew a proposal to roll out body scanners across the EU after Members of the European Parliament called for a detailed impact assessment study. This resulted in the formation of a Body Scanners Taskforce, appointed to advise the Commission. A report, or any specific legislative proposals, have yet to be published.

The use of scanners has been discussed previously in France and Germany. In France, the proposal was dropped due to privacy concerns. The German Data Protection Commission  has indicated it  believes the machines infringe on the privacy of both adults and children, but the German news outlet Spiegel Online recently suggested that the machines may yet be installed in German airports following tests by Germany’s federal police.

Meanwhile, in a Canadian report published in March 2009, the Ontario Privacy Commissioner,  Dr. Ann Cavoukian, approved the usage of the screening technology, commenting that as long as the scanners “incorporate strong privacy filters … [they] can deliver privacy-protective security.”

The British Department of Transport will continue to develop the Interim Code of Practice. The Department has announced that it will launch a full public consultation on the requirements relating to the use of scanners as set out in the Interim Code of Practice, and it will publish a Final Code of Practice later in the year. In the meantime, it is likely that additional airports in the UK and elsewhere in Europe will subject travelers to full body scans.