On January 28, 2021, the Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (“Convention 108”) released the Guidelines on Facial Recognition (“Guidelines”) with the aim to protect fundamental freedoms, human rights, and personal data. The Guidelines have been released keeping in mind legislation that authorise the use of facial recognition technology for surveillance purposes, which may, in turn, be contrary to the right of private life. In this regard, the guidelines aim to ensure that the use and development of facial recognition technology respect the fundamental freedoms of individuals and do not violate the principles of data protection. The Guidelines cover the use of facial recognition technology in the public and the private sector with analyisng sector-wise use cases for the technology.
Summary of the Guidelines
1. Legal Basis for Utilising Facial Recognition
Facial recognition technologies are vastly used by law enforcement personnel and decision-makers for the purpose of biometric or unique identification of a person. The use of facial recognition technologies shall be limited to a legal basis where it is specifically allowed. The Guidelines reiterate laws that prohibit the use of facial recognition and only allow for such processing by way of exceptions. In this regard, Article 9 of the General Data Protection Regulation (“GDPR”) prohibits the processing of personal data that may reveal biometric data and identify a natural person, however, derogations from Article 9 is allowed in some instances such as when the data subject has provided ‘explicit consent’ or when data processing is required by the controller to carry out obligations in the field of employment or social security, to name a few.
The Guidelines provide that the necessity to use facial recognition technology shall be assessed together with its impact on the rights of the data subject. The use of live facial recognition in uncontrolled environments shall be subject to democratic debates as it has the potential to have an adverse impact on the fundamental freedoms of persons. Until such resolution on the use of live facial recognition is reached, there shall be a moratorium placed on the technology’s usage.
Further, the Guidelines specify that images that are available in digital formats, for example in social media, cannot be used to extract biometric information, without a specific legal basis. The processing of such digital pictures which are available on websites or even through video surveillance would not be considered lawful merely on the basis that such data was made available by the data subjects on public platforms.
2. Use of Facial Recognition in the Public Sector
The Guidelines state that ‘consent’ should not be the legal ground for performing facial recognition as there is an imbalance of powers between data subjects and public authorities. The lawful purpose for the use of facial recognition technology shall be based on the purposes of processing biometric data and safeguards provided in the Convention for the Protection of Individuals with regard to the Processing of Personal Data (“Convention 108+”). The use of such technologies shall be done taking into account the vulnerability of the data subjects and by placing necessary safeguards. Where there exist alternate methods, the use of facial recognition should be limited.
3. Use of Facial Recognition in the Private Sector
The use of facial recognition by private entities shall be based on the explicit and informed consent of the data subjects and in accordance with Article 8 of the Convention 108+. Such use shall be limited to verification, authentication, or categorisation purposes in controlled environments. Any disclosure of data to third parties shall be made with the specific consent of data subjects. The Guidelines prohibit the use of facial recognition by private entities in uncontrolled environments such as public malls or for marketing purposes.
4. Guidelines for Developers, Manufacturers, and Service Providers
Developers or manufacturers of facial recognition technology are required to ensure that such technologies fulfil the accuracy requirements provided under Article 5 of Convention 108+. The Guidelines further provide for technical standards to be followed by developers and manufacturers such as utilisation of diverse photos for algorithmic training purposes, with the periodic renewal of such data. Considering that the use of facial recognition may have an adverse effect on an individual, the technology shall adhere to the highest level of reliability standard. Further, entities developing and selling facial recognition technology are required to adhere to data protection principles and adopt data minimisation and limitation standards. Entities are also required to implement an internal review process to mitigate any adverse impact on the fundamental freedoms and rights of data subjects.
5. Data Protection Principles
The Guidelines iterate provisions for maintaining strict security measures, both at organisational and technical level, to protect the data and image sets and ensuring that no unauthorised access or storage occurs during each stage of processing. The Guidelines further provide for data protection impact assessment (“DPIA”) to be carried by entities before biometric processing. When deploying facial recognition technologies in uncontrolled environments, law enforcement personnel are required to (a) explain the necessity and proportionality for the deployment of the technology; and (b) address the risk involved to the fundamental rights, including privacy rights, of individuals. Such DPIA may be carried out by the entities themselves or by an independent monitoring body. Moreover, the Guidelines also provide for data protection by design standards.
Authored by Shivani Agarwal, Founder, and Samaksh Khanna, Co-founder.
Comments