Over the past decade, the use of facial recognition has developed rapidly for both security and convenience purposes. This biometrics-based technology is used for everything from video surveillance to border controls and unlocking digital devices. This type of data is highly sensitive and is subject to a specific legal framework. Claire Levallois-Barth, a legal researcher at Télécom Paris and coordinator of the Values and Policies of Personal Information Chair at IMT, provides the context for protecting this data.
What laws govern the use of biometric data?
Claire Levallois-Barth: Biometric data “for the purpose of uniquely identifying a natural person” is part of a specific category defined by two texts adopted by the 27 Member States of the European Union in April 2016, the General Data Protection Regulation (GDPR) and the Directive for Police and Criminal Justice Authorities. This category of data is considered highly sensitive.
The GDPR applies to all processing of personal data in both private and public sectors.
The Directive for Police and Criminal Justice Authorities pertains to processing carried out for purposes of prevention, detection, investigation, and prosecution of criminal offences or the execution of criminal penalties by competent authorities (judicial authorities, police, other law enforcement authorities). It specifies that biometric data must only be used in cases of absolute necessity and must be subject to provision of appropriate guarantees for the rights and freedoms of the data subject. This type of processing may only be carried out in three cases: when authorized by Union law or Member State law, when related to data manifestly made public by the data subject, or to protect the vital interests of the data subject or another person.
What principles has the GDPR established?
CLB: The basic principle is that collecting and processing biometric data is prohibited due to significant risks of violating basic rights and freedoms, including the freedom to come and go anonymously. There are, however, a series of exceptions. The processing must fall under one of these exceptions (express consent from the data subject, protection of his or her vital interests, conducted for reasons of substantial public interest) and respect all of the obligations established by the GDPR. The key principle is that the use of biometric data must be strictly necessary and proportionate to the objective pursued. In certain cases, it is therefore necessary to obtain the individual’s consent, even when the facial recognition system is being used on an experimental basis. There is also the minimization principle, which systematically asks, “is there any less intrusive way of achieving the same goal?” In any case, organizations must carry out an impact assessment on people’s rights and freedoms.
What do the principles of proportionality and minimization look like in practice?
CLB: One example is when the Provence-Alpes-Côte d’Azur region wanted to experiment with facial recognition at two high schools in Nice and Marseille. The CNIL ruled that the system involving students, most of whom were minors, for the sole purpose of streamlining and securing access, was not proportionate to these purposes. Hiring more guards or implementing a badge system would offer a sufficient solution in this case.
Which uses of facial recognition have the greatest legal constraints?
CLB: Facial recognition can be used for various purposes. The purpose of authentication is to verify whether someone is who he or she claims to be. It is implemented in technology for airport security and used to unlock your smartphone. These types of applications do not pose many legal problems. The user is generally aware of the data processing that occurs, and the data is usually processed locally, by a card for example.
On the other hand, identification—which is used to identify one person within a group—requires the creation of a database that catalogs individuals. The size of this database depends on the specific purposes. However, there is a general tendency towards increasing the number of individuals. For example, identification can be used to find wanted or missing persons, or to recognize friends on a social network. It requires increased vigilance due to the danger of becoming extremely intrusive.
Facial recognition has finally provided a means of individualizing a person. There is no need to identify the individual–the goal is “simply” to follow people’s movements through the store to assess their customer journey or analyze their emotions in response to an advertisement or while waiting at the checkout. The main argument advertisers use to justify this practice is that the data is quickly anonymized, and no record is kept of the person’s face. Here, as in the case of identification, facial recognition usually occurs without the person’s knowledge.
How can we make sure that data is also protected internationally?
CLB: The GDPR applies in the 27 Member States of the European Union which have agreed on common rules. Data can, however, be collected by non-European companies. This is the case for photos of European citizens collected from social networks and news sites. This is one of the typical activities of the company Clearview AI, which has already established a private database of 3 billion photos.
The GDPR lays down a specific rule for personal data leaving European Union territory: it may only be exported to a country ensuring a level of protection deemed comparable to that of the European Union. Yet few countries meet this condition. A first option is therefore for the data importer and exporter to enter into a contract or adopt binding corporate rules. The other option, for data stored on servers on U.S. territory, was to build on the Privacy Shield agreement concluded between the Federal Trade Commission (FTC) and the European Commission. However, this agreement was invalidated by the Court of Justice of the European Union in the summer of 2020. We are currently in the midst of a legal and political battle. And the battle is complicated since data becomes much more difficult to control once it is exported. This explains why certain stakeholders, such as Thierry Breton (the current European Commissioner for Internal Market), have emphasized the importance of fighting to ensure European data is stored and processed in Europe, on Europe’s own terms.
Despite the risks and ethical issues involved, is facial recognition sometimes seen as a solution for security problems?
CLB: It can in fact be a great help when implemented in a way that respects our fundamental values. It depends on the specific terms. For example, if law enforcement officers know that a protest will be held, potentially involving armed individuals, at a specific time and place, facial recognition can prove very useful at that specific time and place. However, it is a completely different scenario if it is used constantly for an entire region and entire population in order to prevent shoplifting.
This summer, the London Court of Appeal ruled that an automatic facial recognition system used by Welsh police was unlawful. The ruling emphasized a lack of clear guidance on who could be monitored and accused law enforcement officers of failing to sufficiently verify whether the software used had any racist or sexist bias. Technological solutionism, a school of thought emphasizing new technology’s capacity to solve the world’s major problems, has its limitations.
Is there a real risk of this technology being misused in our society?
CLB: A key question we should ask is whether there is a gradual shift underway, caused by an accumulation of technology deployed at every turn. We know that video-surveillance cameras are installed in public roads, yet we do not know about additional features that are gradually added, such as facial recognition or behavioral recognition. The European Convention on Human Rights, the GDPR, the Directive for Police and Criminal Justice Authorities, and the CNIL provide safeguards in this area.
However, they provide a legal response to an essentially political problem. We must prevent the accumulation of several types of intrusive technologies that come without prior reflection on the overall result, without taking a step back to consider the consequences. What kind of society do we want to build together? Especially within the context of a health and economic crisis. The debate on our society remains open, as do the means of implementation.
Interview by Antonin Counillon