Call us: 0113 244 0597

Ogarra Cohen Cramer

News

Live Facial Recognition 

2nd September 2021

Live Facial Recognition. Facial recognition technology is the process by which a person can be identified from a digital facial image. A camera captures an image and produces a biometric template. A system is then used to compare the degree of similarity between two facial templates. Such facial recognition is used in various ways, such as unlocking mobile phones and going through passport control.

Live Facial Recognition (LFR) is slightly different rather than a one-to-one process as above; it is typically deployed in a similar way to CCTV. The Information Commissioner has expressed concern about the risk to people’s privacy when the technology is used to scan people’s faces in real-time and in a more public context.

Sensitive data could be used excessively, recklessly or inappropriately, with a significant impact if data is collected without people’s knowledge on a mass scale.

LFR can make an automatic identification and infer sensitive details. The profile can then be used to serve personalised adverts or match images against known shoplifters. As a form of enhanced CCTV, the Commissioner states that while the technology is developing and not widely deployed, the opportunity is taken to ensure it does not expand without regard for data protection. The UK courts recognise that a facial biometric template is information of an “intrinsically private” character, in the same way as fingerprints and DNA.

What is Live Facial Recognition used for?

LFR is often used for surveillance purposes to prevent crime or antisocial behaviour. If a particular individual is identified, for example, they could then be removed from the site. LFR can also be used for targeted marketing and other commercial purposes.

Commissioner’s opinion

A paper has been published setting out the Commissioner’s opinion on the use of LFR for the purposes of identification and categorisation. Several key data protection issues were identified, including a lack of control and choice for individuals, the effectiveness of the systems, the potential for bias and discrimination, and the automatic collection of data at speed and scale without clear justification, including the necessity and proportionality of processing.

For the use of LFR to be lawful, there are several requirements to be met, including the need to identify a lawful basis to process the data and that it is necessary and proportionate to their objectives. The processing of the data must also be fair. This means that where LFR is used for automatic and indiscriminate collection of biometric data in public places that there is a high bar for its use to be lawful.

Conclusion

The key legal requirements for controllers are:

  • The controller must identify a specified, explicit, and legitimate purpose for using LFR in a public place.
  • The controller must identify a valid lawful basis and meet its requirements.
  • The controller must identify conditions for processing special category data and criminal offence data, where required, and meet their conditions.
  • The use must be necessary and a targeted and effective way to achieve the controller’s purpose.
  • The controller must consider alternative measures and demonstrate that they cannot reasonably achieve their purpose using a less intrusive measure.
  • The use of LFR must be proportionate and of sufficient importance to justify any privacy intrusion or impact on individuals.
  • The LFR should be technically effective and sufficiently statistically accurate.
  • The controller should address the risk of bias and discrimination and must ensure fair treatment of individuals.
  • Clear and transparent information must be provided about how the personal data is processed
  • The controller should undertake a DPIA
  • The assessment must consider the risks and potential impacts of the processing on the interests, rights and freedoms of data subjects
  • There must be compliance with data protection principles and accountability for the use of personal data.

The Commissioner expects controllers to carry out rigorous assessment against the legal requirements, documenting the assessments and decisions before LFR is deployed.

Next steps

The Commissioner is going to continue with her investigatory work, including a proactive audit of LFR systems in deployment. The published opinion may be referred to as a guide for how the Information Commissioner interprets and applies the law.

How can we help?

We ensure we keep up to date with any changes in legislation and case law so that we are always best placed to advise you properly.

If you would like to discuss any aspect of your case, please call 0113 2440597 or email info@ogcclaw.com and let us help.

 

[Image credit:  Tokumeigakarinoaoshima, CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0>, via Wikimedia Commons ]