Face recognition technology is nothing else than the possibility of automatic identification of a person on the basis of their photo (digital image). It is based on comparing a recorded or continuously registered image to a previously collected database. Let’s consider the benefits but also the risks of this technology and whether it is worth using?
Face recognition technology, with the use of appropriate filters and algorithms working in real time, as well as through the analysis of surveillance recordings, is offered by more and more IT companies. In addition to identification, it can also be used to categorise people according to specific characteristics such as gender, age, weight etc.
It is no secret that this technology is becoming cheaper and more accessible. Some time ago, a state in Australia considered using it in public transport to make fare payments easier. However, this was met with criticism from many activists who pointed out that the idea posed a threat to citizens’ privacy. Recently, the “Face Pay” system has been available at Moscow metro stations. Anyone interested in using this form of ticket purchase must register with the system in advance, providing the operator with their photo, credit card number and phone number. Cameras at the gates recognise such people and the system charges their accounts accordingly. The use of facial recognition technology is also being tested in Amazon shops. Amazon’s ‘Just walk out’ solution allows shoppers to do their shopping without using a cash register by recognising them and connecting them to a mobile application.
Can these examples be followed by players in other sectors of the economy? It is not difficult to imagine using this technology in the event industry. It can support, for example, access control, including the verification of tickets for events. It is enough for interested persons to register in the appropriate system and make their photograph available. If it is possible to pass through the gates of the Moscow metro or Osaka airport in this way, there is no obstacle that stadiums or concert halls also apply such facilitations. But do the provisions of Polish and EU law allow such action?
There is no doubt that the use of facial recognition technology can threaten the rights of individuals whose data are processed in this way. This can happen when such technology is used without their knowledge, or when the data collected is used for purposes other than those to which the identified persons consented. Therefore, the regulations governing the use of facial recognition technology are mainly regulations in the area of personal data protection.
Under the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”), a “facial image” may fall into a special category of data – so-called biometric data, the processing of which is heavily restricted. So is information about racial origin, religious beliefs or genetic data. However, the processing of photographs does not always constitute the processing of special categories of personal data. This is the case when they are processed with special technical methods that allow an individual to be uniquely identified or have his or her identity confirmed.
So if, for example, our image appears on a company intranet as our business card or our image appears in a photograph of a concert audience and is posted on the event’s website, then, according to the GDPR, this is ordinary data. However, if the photo is analysed using special systems in such a way as to catalogue our features and establish our identity, then we are already dealing with “sensitive” data, which is the case with facial recognition technology.
The implicit prohibition on the processing of biometric data does not apply only in the cases indicated in the provisions of the GDPR. When it comes to the use of this technology in the private sector, in practice, only consent to the processing of personal data can be the basis for such actions. The consent must be explicit (not implicit), specific, voluntary, informed and must be given for a specific purpose. At the same time, the persons providing access to the image for identification purposes should be fully informed about the rules of processing their personal data, in particular about the right to withdraw consent at any time and the right to delete their personal data (and thus have their image deleted from the database). To ensure that consent is voluntary, data subjects should be offered alternatives to facial recognition technology that are not too burdensome for them. Otherwise, choice would not be genuine and consent would not be voluntary.
In early 2021. The Council of Europe’s Convention 108 Committee adopted “Guidelines on Facial Recognition”, which provide a series of guidelines on the principles that should be observed and applied to ensure the inviolability of the dignity, rights and fundamental freedoms of every person, including the right to the protection of personal data. These guidelines are addressed both to national legislators, but also to developers, manufacturers and suppliers and users of facial recognition technology. According to them, the use of this technology is first and foremost the processing of a special category of data, and therefore the obligation to maintain higher standards of protection. When deciding on such solutions, it is important to ensure that you have proven technology and reliable suppliers who will comply with the law and apply the guidelines provided by data protection authorities.
In light of the Council of Europe document, it is crucial to ensure an adequate level of security. After all, data breach incidents can have serious consequences for data subjects. This is because the unauthorised disclosure of sensitive data can have irreversible consequences. Appropriate security measures must therefore be implemented, both at the technical and organisational level. In order to protect data, relating to facial recognition, from loss and unauthorised access or use by unauthorised entities. It is also worth emphasising that, according to the guidelines of the Council of Europe, facial recognition technology should not be used to identify individuals for marketing purposes.
The Data Protection Authority stresses that “the integration of facial recognition technologies with existing surveillance systems poses a serious risk to privacy and data protection rights, as well as other fundamental rights, as the use of these technologies does not always require the awareness or cooperation of the individuals whose biometric data is being processed, taking into account, for example, the possibility of accessing digital images of individuals on the internet”. In this context, it is worth recalling the famous case involving Amazon’s algorithms, which “mistook” US congressmen for persons wanted by law enforcement authorities in the framework of tests conducted by a citizens’ rights organisation. Mistakes by facial recognition algorithms can result in exclusion or other negative consequences for individuals.
In the light of publications by privacy and data protection authorities, facial recognition technology carries many risks. Such arguments cannot be denied. The leakage of biometric databases, their seizure and use by unauthorised parties, the use of data for purposes other than those for which they were collected and the unlawful and unjustified surveillance of citizens are just some of the dangers that can be imagined. Nevertheless, this technology is attractive and has great potential. It offers tangible benefits not only for the entities implementing it, but also for its users (it can serve to increase their comfort). Therefore, it should be assumed that face recognition technology will certainly be more and more widely used in various areas of life. However, in order to prevent abuse, it is necessary to urgently introduce detailed regulations in this area and ensure supervision by appropriate state authorities.
The article was published in Think Mice magazine –https://www.thinkmice.pl/news/prawo/3453-wykorzystanie-technologii-rozpoznawania-twarzy-ulatwienie-czy-zagrozenie
Author: Maciej Dudek, attorney at law. Maciej specialises in intellectual property law, in particular copyright law, advertising law, as well as unfair competition, consumer rights, protection of personal rights and e-commerce. He advises clients on the implementation of IT solutions, starting with bidding procedures for the selection of a supplier, through preparation and negotiation of implementation and service agreements. He has completed a number of complex IT system implementation projects. He provides advisory services in the field of personal data protection, including auditing personal data processing activities, development and implementation of documentation, as well as representing clients before the President of the Office for Personal Data Protection. He also provides legal services in the field of personal rights protection.