2nd September 2021
Live Facial Recognition. Facial recognition technology is the process by which a person can be identified from a digital facial image. A camera captures an image and produces a biometric template. A system is then used to compare the degree of similarity between two facial templates. Such facial recognition is used in various ways, such as unlocking mobile phones and going through passport control.
Live Facial Recognition (LFR) is slightly different rather than a one-to-one process as above; it is typically deployed in a similar way to CCTV. The Information Commissioner has expressed concern about the risk to people’s privacy when the technology is used to scan people’s faces in real-time and in a more public context.
Sensitive data could be used excessively, recklessly or inappropriately, with a significant impact if data is collected without people’s knowledge on a mass scale.
LFR can make an automatic identification and infer sensitive details. The profile can then be used to serve personalised adverts or match images against known shoplifters. As a form of enhanced CCTV, the Commissioner states that while the technology is developing and not widely deployed, the opportunity is taken to ensure it does not expand without regard for data protection. The UK courts recognise that a facial biometric template is information of an “intrinsically private” character, in the same way as fingerprints and DNA.
LFR is often used for surveillance purposes to prevent crime or antisocial behaviour. If a particular individual is identified, for example, they could then be removed from the site. LFR can also be used for targeted marketing and other commercial purposes.
A paper has been published setting out the Commissioner’s opinion on the use of LFR for the purposes of identification and categorisation. Several key data protection issues were identified, including a lack of control and choice for individuals, the effectiveness of the systems, the potential for bias and discrimination, and the automatic collection of data at speed and scale without clear justification, including the necessity and proportionality of processing.
For the use of LFR to be lawful, there are several requirements to be met, including the need to identify a lawful basis to process the data and that it is necessary and proportionate to their objectives. The processing of the data must also be fair. This means that where LFR is used for automatic and indiscriminate collection of biometric data in public places that there is a high bar for its use to be lawful.
The key legal requirements for controllers are:
The Commissioner expects controllers to carry out rigorous assessment against the legal requirements, documenting the assessments and decisions before LFR is deployed.
The Commissioner is going to continue with her investigatory work, including a proactive audit of LFR systems in deployment. The published opinion may be referred to as a guide for how the Information Commissioner interprets and applies the law.
We ensure we keep up to date with any changes in legislation and case law so that we are always best placed to advise you properly.
[Image credit: Tokumeigakarinoaoshima, CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0>, via Wikimedia Commons ]