Assumptions

Facial recognition technology based on artificial intelligence is becoming ever more widely used by private sector entities for verification, identification or categorisation of personal identity. It can be used, for example, for marketing or statistical purposes, for granting access or as a security mechanism.

The advantages of facial recognition technology include speed, automation and the unique nature of the data used. At the same time, it is important to ensure that its use does not violate the rights of the people whose faces are being recognised.

EU provisions that will also apply to remote biometric identification systems, including facial recognition technology, are currently pending.

Current legal framework

The main guarantees in the EU law for persons whose face would be subject to recognition are the rights to privacy and protection of personal data (Articles 7 and 8 of the Charter of Fundamental Rights of the EU). However, a detailed legal framework for the use of facial recognition technology by private sector entities is now by and large determined by the provisions of the General Data Protection Regulation (“GDPR”).

Application of facial recognition technology usually involves automatic processing of data regarding physical, physiological or behavioural features in order to unambiguously identify a natural person. Consequently, it is indicated that the use of such data should be qualified as processing of biometric data.[1]

In accordance with the definition in Article 4 section 14 of the GDPR, biometric data shall be understood as personal data which result from special technical processing, relate to the physical, physiological or behavioural features of a given person and allow or confirm unambiguous identification of that person, such as facial image or dactyloscopic data.

Processing of biometric data on the basis of explicit consent

Processing of biometric data in order to unambiguously identify a natural person is, as a rule, prohibited under Article 9 section 1 of the GDPR. However, there are exceptions to this rule, among which is the explicit consent of the data subject to such processing for specific purposes.

It is worth pointing out that, for example, photographs or recordings fall within the definition of biometric data only if they are processed by special technical methods which make it possible to unambiguously identify a natural person or to confirm their identity. If this is not possible, no processing of biometric data takes place at all.

Video surveillance with biometric recognition functionalities, installed by private entities for their own purposes, will, in most cases, require the explicit consent of all persons whose data will be processed [2]. Under separate, non-EU regulations, it is further noted that entities using such technology should be able to demonstrate that its application is strictly necessary and proportional in the specific context of its use and that it does not violate the rights of data subjects [3].

Consent of the data subject must be freely given, specific, informed and unambiguous. It may be expressed in the form of a statement or by a clear affirmative action (Article 4 item 11 of the GDPR). It will not be freely given if, for example, performance of a contract, including the provision of services, depends on such consent and the processing of biometric data is not necessary for the performance of the contract.

Detailed practical aspects

The European Data Protection Board points out that if facial recognition technology is to be applied in order to gain access to premises, then an alternative means of access, without the use of biometrics, must always be offered in order to ensure the legitimacy of the processing of personal data.

In order to unambiguously identify a specific person, a facial recognition system could use a reference template of that person's facial image, against which templates captured in the scanning field would then be compared. Some of these will match (if the person to whom the reference template refers is in the scanning field) and some will not, because they belong to other persons who are in the scanning field. With regard to the templates created in this way, the standpoint of the European Data Protection Board is that controllers are responsible for ensuring that, once a match or mismatch has been established, all intermediate templates created on the fly for comparison with the reference template are immediately and securely deleted.

Another interesting case is that in which the purpose of facial recognition is to distinguish one category of people from another, but without unambiguous identification of anyone. For example, this may be done in order to adjust advertisements based on a customer's gender and age, and therefore only for the purpose of detecting specific physical features, without generating biometric templates to unambiguously identify individuals. In such a case, the sender of the advertisement does not record or verify who the recipient is. As a result, in the opinion of the European Data Protection Board, the general prohibition of the processing of biometric data will not apply here, because the purpose of unambiguous identification of a person is not fulfilled.

However, if biometric data of random people were recorded and stored, e.g. in order to detect re-entry into an area for the purpose of subsequently presenting a personalised advertisement, then, in the opinion of the European Data Protection Board, we would be dealing with unambiguous identification of persons. In fact, the data of a specific person, stored in the form of a template during the first entry into the scanning area, would be processed in order to determine whether the person making a subsequent entry is exactly the same person as when the image template was created. On the other hand, however, the data subject may not give their consent to receive personalised advertising specifically addressed to them. In such a situation, in order for such an advertising scheme to be legal, it would be necessary to obtain prior consent from each person for the processing of their biometric data.

Summary

In realizing the potential of facial recognition technology, special care should be taken to ensure that its design and implementation respect the principles of personal rights protection. In particular, where facial recognition technology is used to recognize a specific person, for which his or her consent is required, the requirements of such consent should optimally be considered at a relatively early stage of designing the mechanisms of this technology.

The currently drafted solutions assume that, in principle, the processing of biometric and other personal data related to the use of artificial intelligence systems for biometric identification, regardless of the new regulations, should continue to meet all the requirements under the GDPR. This means that the current basic rules for the processing of biometric data will be largely applicable after the introduction of the planned regulations.

[1] Analysis entitled "In-depth analysis - regulating facial recognition in the EU," September 2021, prepared by the European Parliament's EPRS Analysis Office.

[2] European Data Protection Board Guidelines No. 3/2019, Version 2.0 of January 29, 2020 on the processing of personal data through video devices.

[3] Council of Europe Facial Recognition Guidelines of January 29, 2021, issued by the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.