19 July 2021
Radar - July 2021 – 3 of 3 Publications
The use of live facial recognition technology is extremely controversial. Its use both in law enforcement and for other purposes is regulated and stands to become even more so in the EU, which has published a draft AI Regulation.
Facial recognition technology clearly involves the processing of personal and often special category data. As such, its use comes within the remit of data protection regulators.
The new EC draft AI Regulation categorises the use of real-time biometric identification systems in publicly accessible spaces for law enforcement purposes as 'unacceptable risk' except when used for certain restricted purposes. However, the European Data Protection Board and the EDPS are calling for an outright ban on facial recognition technology, whatever its purpose.
The ICO has published a Commissioner's Opinion on the use of live facial recognition (LFR). It focuses on the use of LFR in public places by private companies and public organisations and builds on the Opinion on the use of LFR by police forces which covers use of LFR in law enforcement.
The ICO investigated or assessed 14 examples of LFR deployments and proposals and conducted wider research. The Opinion focuses on the use of LFR for the purposes of identification and categorisation. It does not address verification or other one-to-one uses. It defines public places as any physical space outside a domestic setting. It does not cover the online environment.
Following an analysis of applicable law, key risks and use cases, the ICO concludes that key requirements for controllers are, at a broad level, that any use of personal data must be lawful, fair, necessary and proportionate. This is magnified given processing of biometric data and automatic processing, and where there is a broader risk to the rights and freedoms of individuals.
Essentially, this means there is a high bar to lawful use of LFR in public places for automatic and indiscriminate use. Of the 14 examples of LFR deployments and proposals analysed by the ICO, not one organisation was found to be fully compliant with data protection law in its use of LFR, and all either chose to stop or did not proceed with its use.
This does not mean that LFR can't be used. It means that care needs to be taken and the guidance followed before it is deployed and while it, or the data it generates, is used.
The guidance states:
When using LFR surveillance, controllers must:
When conducting a DPIA, which must be before the processing begins, controllers:
The ICO recommends technology developers, LFR vendors and service providers as well as the wider industry:
The ICO will be further investigating use of LFR and will be primed to investigate complaints, potentially referring to the Opinion in its assessment of issues.
by Debbie Heywood