Uses for facial recognition

There are several uses for facial recognition, such as access to unmanned gyms, identification by banks, security at airports, etc. Facial recognition processes biometric personal data, which constitutes sensitive personal data under the GDPR. 

Biometric data constitute sensitive personal data

Biometric data constitutes sensitive personal data under the GDPR. The processing of sensitive personal data is prohibited under the general rule of Article 9 GDPR, but there are exceptions, for example if an entity receives explicit consent from the data subject. Please note, however, that the rules are stricter when processing sensitive personal data and require, among other things, better technical and organisational security measures.

Numerous uses for facial recognition in industry

Trade

Enables authorised persons to access unmanned shops, gyms or similar.

Banking and finance

Identification and verification for banking, financial or similar services.

Security

Identification of wanted persons within, for example, a security object such as an airport.

Examples of when facial recognition for verification can be used in business

To prevent unauthorized access to certain information or to a location with valuables, a company can use, for example, facial recognition instead of passwords, access cards or similar. This way, only authorized individuals can gain access, unlike with a password, which a hacker, for example, can obtain.

Use of facial recognition for verification of persons

It is common to use facial recognition to verify people. In other words, using technology to check whether a person is really the person they claim to be. 

1 to 1 verification

This processing involves comparing a biometric template of the person, such as the face, with the person standing in front of the camera or sensor. Alternatively, both templates are created at the same time, for example one template from a person's passport image and the other from the image in the camera. In other words, there is a comparison between two templates.

Identifying people through facial recognition

It is possible to use facial recognition to find a specific person within a group of people, a specific area, a database or similar. In other words, companies can use facial recognition technology to identify a person.

1 to many identifications

Unlike 1 to 1 verification, which involves comparing a person with one specific template, in this case a person is compared to many in order to identify the person.
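The two modes described above (1 to 1 verification and 1 to many identification), as an added example that is not part of the original page. It assumes templates are numeric vectors compared by cosine similarity against a threshold; the names, vectors and threshold are constructed for illustration.

```python
import math

# Constructed 4-dimensional "templates"; real systems derive much longer
# vectors from a face image. All names and values are illustrative.
ENROLLED = {
    "alice": [0.90, 0.10, 0.30, 0.20],
    "bob":   [0.10, 0.80, 0.20, 0.50],
    "carol": [0.85, 0.15, 0.35, 0.25],  # deliberately close to alice
}
PROBE = [0.88, 0.12, 0.32, 0.22]  # constructed camera capture of alice
THRESHOLD = 0.95  # assumed operating point, not a recommended value


def similarity(a, b):
    """Cosine similarity between two templates (1.0 = same direction)."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))


def verify(claimed_id, probe, threshold=THRESHOLD):
    """1 to 1: compare the probe with the single template of the claimed
    identity. Only that one enrolled record is read."""
    score = similarity(ENROLLED[claimed_id], probe)
    return score >= threshold, score


def identify(probe, threshold=THRESHOLD):
    """1 to many: compare the probe with every enrolled template and
    return all candidates above the threshold, best match first, plus
    the number of templates that had to be processed."""
    scores = [(name, similarity(t, probe)) for name, t in ENROLLED.items()]
    hits = [(n, s) for n, s in scores if s >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True), len(scores)


if __name__ == "__main__":
    print("verify alice:", verify("alice", PROBE))
    print("verify bob:  ", verify("bob", PROBE))
    # carol also passes at this threshold: the decision is a score-based
    # estimate, and the threshold trades false accepts for false rejects.
    print("verify carol:", verify("carol", PROBE))
    print("identify:    ", identify(PROBE))
```

Verification reads one enrolled template per check, while identification processes every enrolled person's template for each probe, which is relevant when assessing whether the processing is proportionate to the purpose.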

Can facial recognition be too intrusive a measure?

Yes, the use of facial recognition can be considered too intrusive a measure in relation to the purpose. Therefore, using facial recognition to streamline something that is easy to implement in a less privacy-sensitive way should be avoided.

Impact assessment

Facial recognition can be privacy-sensitive processing and constitutes processing of sensitive personal data. The company should therefore first and foremost analyse whether it is necessary. In addition, it may be appropriate to carry out an impact assessment, because there could be a risk of violating the rights and freedoms of data subjects. The company may also need to request a prior consultation with the national data protection authority.

Airports are not allowed to use facial recognition to check passenger names

The French DPA requested an opinion from the EDPB on the use of facial recognition at airports to verify that it is the same person on the identity documents as on the passenger’s boarding pass. As there is no legal requirement in the EU to verify the consistency of the data, it is considered to be excessive processing of personal data in relation to the purpose. 

Penalty for using facial recognition for attendance registration

In Sweden, the Upper Secondary Education Committee in Skellefteå municipality had to pay a fine. They used facial recognition in a pilot project for attendance control in violation of GDPR. The Swedish Authority for Privacy Protection noted that the purpose of checking pupils’ attendance can be done in a less intrusive way than through facial recognition. Nor had the Upper Secondary Education Committee carried out an impact assessment or submitted a request for prior consultation. The supervisory authority considered it to be necessary in this case. 

Use of AI for facial recognition

The AI Act in the EU does not allow the creation of facial recognition databases through untargeted scraping of facial images from the internet or CCTV. In addition, the AI Act prohibits the use of real-time remote biometric identification in publicly accessible locations for law enforcement purposes. However, it may be allowed if it fulfills one of the exceptions in the AI Act.

Risks of using facial recognition technology

There are several risks associated with using facial recognition technology, and it is important to know them before use. For example, there is a risk of discrimination and bias if the technology is trained with a particular group of people. It is then more difficult to identify people who do not fall into that group. Another risk that is important to know about is that the result is always an estimate and not an exact answer.
