What is facial recognition technology?
Facial recognition technology (FRT) is a technology that identifies and verifies someone’s face based on the unique characteristics of their face. Usually, FRT matches a face from an image or video frame against a predefined database of faces.
FRT uses a face’s distinctive characteristics and features to establish someone’s identity. For example, the shape, size, and placement of eyes, noses, mouths, and any other unique facial attributes, like moles or scars. In other words, FRT uses someone’s biometric data to identify them and/or to verify their identity against existing records.
Facial recognition technology is used in various circumstances, including security and surveillance, mobile device authentication (think unlocking your phone with your face), and border control (eg e-gates).
What is biometric data?
Article 4 of the GDPR defines biometric data as ‘personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person’.
The most common types of biometric data use include:
-
facial recognition
-
fingerprint verification
-
voice recognition
-
iris scans
-
handwriting analysis (including signature analysis)
For more detailed information on biometric data, see the Information Commissioner’s Office (ICO) guidance on biometric data.
The law on biometric data
The GDPR classes biometric data as special category personal data. This means that it receives even greater protection under data protection law than other types of personal data.
It can only be processed (eg used, stored, or collected) if at least one of two conditions apply:
-
the data subject (ie the person the biometric data belongs to) has given their active, free, and informed consent, and/or
-
the data processor (ie the party that actually processes the personal data) can indisputably prove that the use of FRT serves a legitimate aim in a proportionate way.
Currently, FRT tends to be used by government organisations. The justification is therefore that it is in the public interest. Private organisations such as businesses can use FRT for business purposes. They should, however, be very wary of relying purely on consent as grounds for doing so.
The issue of consent
There are several reasons why businesses should be wary of relying on consent as a justification for processing any form of personal data that belongs to their employees. Most of them hinge on one or both of 2 key facts.
Firstly, the law recognises that there is often an imbalance of power between an employer and an employee. This can make it difficult for employees to refuse consent even if they are told (in writing) that they can do so without penalty.
Secondly, the law around facial recognition technology is extremely complex. This means that explaining the use of FRT will almost inevitably require the employer to go into highly technical details. If their use of FRT were to be subsequently challenged, they would then need to prove that the data subject fully understood all those details.
Realistically, this would probably be a major challenge even with senior employees. When dealing with employees further down the business hierarchy, it could be even more difficult.
If businesses want to use FRT to monitor non-employees, then relying purely on consent becomes even riskier. Members of the public may have more liberty to say no to requests they dislike (although in some circumstances they may not). Proving that their consent was sufficiently informed, however, could again be extremely difficult.
For more information, read Consent for GDPR.
Relying on FRT serving a legitimate aim
Demonstrating a legitimate aim is, in principle, a far more solid basis for implementing FRT. In practice, it raises the question of what aims can reasonably be considered legitimate. This is particularly relevant to private businesses as they are far less likely to be able to argue that they are protecting the public interest.
With that said, there are some grey areas here. For example, some industries are known as being particularly vulnerable to attacks by criminals. Transport is one clear example of this with airports probably being top of the list of potential targets. These industries may, therefore, be able to justify using FRT on this basis.
Other industries may still be able to use FRT as a means to fulfil ‘employment, social security, or social protection obligations’. They will, however, need to prove both that the aim is legitimate and that the use of FRT is a proportionate way of achieving it. The second point is likely to be far more challenging than the first.
For example, it would be hard to dispute that employers have a legitimate interest in knowing who is on their business premises at any given time. It is, however, hugely unlikely that using FRT would be considered a proportionate means of achieving this goal.
The importance of risk assessment
You will probably be required to undertake a detailed Data protection impact assessment (DPIA) before implementing FRT. Even if you are not, it’s highly advisable to undertake a DPIA anyway. Given the sensitivities around FRT, it is best to seek legal advice from a specialist in the area. It may also be useful to contact the ICO for guidance. For more information on DPIAs, read Data protection impact assessments.
For more information on data protection in general, read Complying with the GDPR and Data protection and employees. Make sure that your business adopts all relevant GDPR documents, not just a DPIA, and consider using Rocket Lawyer’s GDPR compliance service if you’re worried about your business’ GDPR compliance.
Remember that you can Ask a lawyer if you don’t know where to start or if you have any questions.
