GDPR Learning Hub

Article 4(14) of the GDPR

Processing of personal data when using facial recognition

The rules on the processing of personal data when using facial recognition are strict, because such processing involves biometric data, which constitutes sensitive personal data.

What is Biometric data?

When a company uses facial recognition technology, biometric data is processed. The definition of biometric data is set out in Article 4(14) of the GDPR. The technique processes a person's physical characteristics (face geometry) in order to confirm that person's identity.

The biometric template derived from a face, a numeric code that only the AI model can interpret, is itself biometric data. This is because it is unique and can confirm, or alternatively enable, the identification of an individual. Data also qualifies as biometric data when the processing is carried out for the purpose of uniquely identifying a natural person.

Biometric data constitute sensitive personal data

Biometric data constitute sensitive personal data within the meaning of Article 9 GDPR. The processing of such special categories of personal data is prohibited as a general rule, but there are exceptions. Please note, however, that the rules are stricter when processing sensitive personal data. 

Biometric data storage location

According to the EDPB, the best storage solution for biometric data is in the data subject's own hands, that is, on a device in the data subject's possession. Another option is storage in a central database; in that case only the data subject should have access to the encryption key. In addition, it is important to ensure that authorisation is granted only to those who need access to the information.

Facial recognition technology: Must be proportionate

Please note that the use of facial recognition technology must be proportionate to the purpose of the processing. This is a privacy-sensitive measure. Where the same purpose can be achieved in a less privacy-sensitive manner, facial recognition technologies should not be used. 

Processing of personal data when using facial recognition

There are a number of uses where facial recognition can be suitable for businesses, for example in:

  • Banking and finance, for example in the identification of customers;
  • Commerce, such as unstaffed gyms;
  • Airports, to increase safety.

1 to 1 verification

Facial recognition can be used to verify a natural person. In other words, one stored biometric template is compared with one freshly captured template. This occurs, for example, in some unstaffed gyms, which admit members through cameras and facial recognition at the entrance. The image from the camera is compared with the image of the individual stored in the database, to determine how high the probability is that it is the same person. This is called "1 to 1 verification".

1 to many identifications

Another way to use facial recognition is to identify people through "1 to many identification". In other words, a captured biometric template is compared against the stored templates of many people. For example, an airport may hold a database of biometric templates of wanted persons, and the airport cameras may run a trained AI model that looks for those wanted persons among the people at the airport.

Risks of using facial recognition technology

There are several risks with the use of facial recognition technology and it is good to understand them before using it. Here are two risk areas with facial recognition technology:

The result is an estimate, not a definitive confirmation. Two biometric templates are compared against each other and produce a similarity score, and the quality of the templates (the capture conditions) affects that score.

There is a risk of discrimination and bias if, for example, an AI model for facial recognition technology has been trained primarily with people of a particular origin or appearance.
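The following is an added example, not code from the GDPR Learning Hub page, showing the two matching modes described above (1 to 1 verification and 1 to many identification) and why the result is an estimate. The templates, the cosine-similarity comparison, the 0.95 operating threshold and the `degrade` function that simulates a poor capture are all constructed assumptions; a real face model produces much larger embedding vectors, but the decision logic is the same.

```python
import math

# Constructed sample gallery: four-dimensional stand-ins for the embedding
# vectors a face model derives from face geometry. Real templates have
# hundreds of dimensions, but the comparison logic does not change.
ENROLLED = {
    "member-001": [0.9, 0.1, 0.4, 0.7],
    "member-002": [0.1, 0.8, 0.3, 0.2],
    "member-003": [0.5, 0.5, 0.9, 0.1],
}

# Assumed operating point; a real deployment tunes this from measured
# false-match and false-non-match rates rather than picking it by hand.
DEFAULT_THRESHOLD = 0.95


def cosine_similarity(a, b):
    """Similarity in [-1, 1] between two templates; 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)


def verify_1_to_1(probe, enrolled_template, threshold=DEFAULT_THRESHOLD):
    """1:1 verification: compare the probe against one stored template.

    Returns (decision, score). The score is the estimate; the decision is
    only that score measured against an operating threshold.
    """
    score = cosine_similarity(probe, enrolled_template)
    return score >= threshold, score


def identify_1_to_many(probe, gallery, threshold=DEFAULT_THRESHOLD):
    """1:N identification: score every gallery template, keep those above the threshold, best first."""
    scored = [(subject_id, cosine_similarity(probe, tpl)) for subject_id, tpl in gallery.items()]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(subject_id, score) for subject_id, score in scored if score >= threshold]


def degrade(template, amount):
    """Deterministic stand-in for a poor capture (blur, angle, lighting):
    shift the components alternately up and down by `amount`."""
    signs = (1, -1)
    return [x + amount * signs[i % 2] for i, x in enumerate(template)]


if __name__ == "__main__":
    genuine = ENROLLED["member-001"]
    for amount in (0.0, 0.05, 0.3):
        decision, score = verify_1_to_1(degrade(genuine, amount), genuine)
        print(f"capture noise {amount:.2f}: score={score:.3f} accepted={decision}")
    stranger = [0.2, 0.2, 0.2, 0.9]  # constructed probe of someone who is not enrolled
    print("strict 1:N search for stranger:", identify_1_to_many(stranger, ENROLLED))
    print("loose 1:N search for stranger:", identify_1_to_many(stranger, ENROLLED, threshold=0.75))
```

Running the block shows the trade-off behind the risk described above: a badly captured image of the genuine member scores about 0.92 and is rejected at 0.95 but accepted at 0.90, while lowering the 1:N threshold to 0.75 makes a stranger match "member-001" with a score of roughly 0.78. Whichever way the threshold is moved, one error rate goes down and the other goes up, which is why the output must be treated as a probability and not as a confirmation.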

Legal bases when using facial recognition technology

A common legal basis for private actors, such as a company, to support the processing around facial recognition is consent. Please note, however, that the requirements for consent are higher than usual, as it relates to the processing of sensitive personal data. This means, among other things, that the consent must be explicit. 

Legitimate interest, which is otherwise a common legal basis for many types of processing, is not appropriate here: the processing concerns sensitive personal data, and legitimate interest is not one of the exceptions that permit such processing.

Safeguards to minimise the risks of facial recognition technology

What precise safeguards a company should take to minimise the risks of facial recognition technology is difficult to say, as it differs based on the circumstances and situations in question. These are some protective measures that may be appropriate: 

Encrypting personal data

It may be appropriate to store the personal data encrypted, so that a person who gains unauthorised access to, for example, the biometric data cannot directly read who it belongs to without the encryption key.

Authorisation management

Ensure that only those individuals who need access to the stored personal data in the database have access to them.
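The following is an added example, not code from the GDPR Learning Hub page, that puts the three safeguards above together: a central database that holds only encrypted templates, a per-subject key that is handed back to the data subject at enrolment and never retained by the store, and a role check so that only the assumed "verification-service" role can obtain a decrypted template. The cipher is a constructed stand-in built from the standard library (HMAC-SHA256 keystream with an HMAC tag) so the block runs anywhere; a production system would use a vetted AEAD such as AES-GCM from a maintained library. The `TemplateStore` class, its method names and the role name are all assumptions for the example.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-in for an authenticated cipher, standard library only:
# HMAC-SHA256 in counter mode as the keystream, plus an HMAC-SHA256 tag
# (encrypt-then-MAC). Use a vetted AEAD (e.g. AES-GCM) in real systems.
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key, purpose):
    """Derive separate encryption and MAC keys from the subject's key."""
    return hashlib.sha256(key + purpose).digest()


def _keystream(enc_key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, blob):
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered record")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


# Assumed role that the verification flow runs under; every other caller is refused.
AUTHORISED_ROLES = {"verification-service"}


class TemplateStore:
    """Central database that holds only encrypted templates.

    The per-subject key is created at enrolment and handed back to the data
    subject (for example, kept on their device); the store never retains it.
    """

    def __init__(self):
        self._rows = {}

    def enrol(self, subject_id, template):
        subject_key = os.urandom(32)
        self._rows[subject_id] = encrypt(subject_key, json.dumps(template).encode())
        return subject_key  # goes to the subject's device, not kept here

    def raw_row(self, subject_id):
        """What someone who copies the database actually obtains."""
        return self._rows[subject_id]

    def template_for_verification(self, subject_id, subject_key, caller_role):
        """Release a template only to an authorised caller that presents the subject's key."""
        if caller_role not in AUTHORISED_ROLES:
            raise PermissionError(f"role {caller_role!r} may not read templates")
        return json.loads(decrypt(subject_key, self._rows[subject_id]))


if __name__ == "__main__":
    store = TemplateStore()
    key = store.enrol("member-001", [0.9, 0.1, 0.4, 0.7])  # constructed template
    print("database row:", store.raw_row("member-001").hex())
    print("released with key:", store.template_for_verification("member-001", key, "verification-service"))
```

The point of the design is visible in the failure cases: a copied database row is ciphertext with no usable template in it, a caller without the subject's key gets a tag-mismatch error rather than data, and a caller outside the authorised role is refused before any decryption is attempted. This is the practical shape of "only the data subject has the key" and "authorisation only for those who need it".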

Conduct and document an impact assessment

It may be appropriate to carry out and document an impact assessment prior to the use of the facial recognition technology. In addition, the company may need to request a prior consultation with the national data protection authority, after the impact assessment has been carried out.

More about GDPR

Information about the GDPR and AI

AI is a highly topical field that affects, or will affect, many companies in society. There are great opportunities with the technology, but also risks. The GDPR is an important regulation to keep in mind when developing, providing or using AI models in the EU/EEA area, as this usually involves the processing of personal data. In such cases, it is also important to keep the EU AI Act in mind.
