Facial Recognition and GDPR
Facial recognition is growing by leaps and bounds so what of privacy and data protection? Today we take a deeper look at facial recognition and GDPR.
From surveillance to marketing; advances in technology has resulted in the commercialization—and some may even say normalization!—of facial recognition. Used by airports terminals, mobile phone makers and social media companies like Facebook, its likely that facial recognition has already touched your life in some way. In the months and years ahead we can certainly expect greater integration of this identification tool in society.
For instance, last month, South Wales Police began testing a new facial recognition app on officers’ mobile phones to help with suspect and vulnerable person identification. Also reports indicate that facial recognition will play a significant role during next year’s 2020 olympics.
Yet while trends indicate an upsurge of use of this seemingly convenient and exciting technology, it is not without privacy concerns.
As explained by data mining specialist and biometrics researcher engineer, Christina-Angeliki Toki, in an interview with Aphaia these privacy risks and concerns include:
“Re-use, unauthorized access or theft, over which the data subject has no control, [therefore] interfering with the fundamental rights of the data subject, in an excessive and disproportionate way.”
So as it relates directly to facial recognition and GDPR; what are the possible implications for entities which fail to implement necessary measures to negate privacy risks? Well for starters, administrative fines.
In one of our recent blogs we saw that a Swedish school had been fined 20.000 EUR for privacy and data protection infringements related to its use of facial recognition.
Meanwhile in a September 4th statement, the ICO urged police forces, and private organizations alike, using “intrusive” facial recognition technology to be aware that existing data protection law and guidance still apply.
This is because facial recognition constitutes the use of biometric data—i.e a way to measure a person’s physical characteristics to verify their identity. Biometric data is therefore personal data which must be processed on a lawful basis in compliance with GDPR and the UK’s Data Protection Act.
While the cases above relate to public bodies using facial recognition, we should note that this technology is also widely common across private companies.
That said, what are the main GDPR requirements that businesses (and public bodies) implementing facial recognition should comply with?
• Identify a lawful basis for processing. Considering that biometric data is deemed as a special category
of personal data, the valid bases for this type of processing are quite limited.
• Implement appropriate security measures.
• Where the facial recognition system is as well used for automated decision making, additional safeguards should apply.
• Facial recognition is a new technology that processes special categories of personal data and may be used both for profiling and monitoring individuals in a publicly accessible area in large scale, among others, so it is mandatory to previously run a DPIA.