Info about Facial recognition
Risks of using facial recognition technology
There are several risks associated with using facial recognition technology and it is important to understand them before using the technology.
Are biometric data such as facial recognition sensitive personal data?
Yes, biometric data constitutes sensitive personal data according to Article 9 of the GDPR. The processing of biometric data is prohibited as a general rule. However, there are exceptions, but it is important to keep in mind that the rules are stricter for such processing.
Biometric data is unique to each individual. It is immutable data unlike other personal data that we choose ourselves or receive.
Risk areas with facial recognition technology
- It can lead to discrimination.
- The result is an appreciation.
- Data may be obtained from easily accessible sources.
- Technology is increasingly being used.
Can biometric data be changed?
Biometric data are generally immutable. However, they can be changed slightly by surgical procedures. In addition, age can have a certain impact.
Risks of using facial recognition technology
It can lead to discrimination and bias
There is a risk that the technology will become biased, as a system developed through machine learning is trained to find solutions based on that information. For example, if people with a certain origin or appearance are used in training, it may be more difficult in practice to identify people who do not fall into that target group. The consequences of this can be, among other things, that the wrong people are pointed out.
Prevention of discrimination
In order to prevent discrimination and bias, it is therefore important to use good training data in the development of the technology. In addition, it is important to constantly test and evaluate the system to ensure that it is not discriminatory.
The result is an estimate
It is important to keep in mind that the result when using facial recognition technology is always an estimate. In other words, two biometric templates are compared against each other and the technology then gives an answer as to whether it is likely to be the person. This can be done either through the “1 to 1 verification” model or “1 to many identifications”. There are several factors that affect the outcome. For example, light conditions, image quality and angles.
Data may be obtained from easily accessible sources
Some types of processes that are done through facial recognition technology, retrieve information (facials) from easily accessible sources, such as the internet. Face recognition technology does not always have to be biometric technology where the data is retrieved directly from the person, such as through a recent image, but can be done with images that are already available oline. These may, for example, have poorer quality, which may affect the result.
The technology is being used more and more
Facial recognition technology is increasingly used in society. In addition, the increase in camera surveillance in society means that there are great opportunities to use facial recognition technology on the existing equipment. For example, to provide better conditions for law enforcement authorities. It is important to bear in mind that facial recognition technology is an intrusive measure and therefore it is important to analyse the privacy risks, possibly carry out an impact assessment and request a prior consultation before such processing is carried out.
One school used facial recognition technology for attendance registration, which was considered too intrusive as it was possible to achieve the same results without the technology. They had to pay a fine for the infringement of the GDPR and had, among other things, failed to carry out an impact assessment and request a prior consultation before processing.
More about GDPR
Legal bases when using facial recognition technology
The most common legal basis for private actors to support their facial recognition processing is consent. However, it is important to keep in mind that the consent requirements are higher, as it relates to sensitive personal data. For example, it requires explicit consent. In addition, consent must be freely given, informed, specific and withdrawable in order for it to be valid.