Facial recognition technology offers a range of possibilities for controlling access to certain premises or events, for example, to prevent shoplifting or to maintain safety and order at public events. The use of such technology, however, must take into consideration applicable privacy laws and regulations including, notably, the European Union General Data Protection Regulation (2016/679, “GDPR”) in the EU Member States along with the relevant national laws and regulations of those Member States.
Article 9 GDPR concerns the processing of so-called special categories of personal data, i.e. personal data that is sensitive by nature, which includes biometric data processed for the purpose of uniquely identifying a natural person. Facial recognition applications typically involve such biometric data because they are aimed at identifying a specific person. The accuracy of identification depends upon multiple factors, such as the quality of the images used and the particular algorithms applied.
Processing of special categories of personal data is prohibited under Article 9 GDPR unless certain exceptions apply. Exceptions to processing biometric data under the GDPR, especially with respect to access control applications, must meet at least one of the following conditions:
1. the data subject has given explicit consent to the processing of personal data for one or more specified purposes, or
2. processing is necessary for reasons of substantial public interest, based on EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Thus, unless consent obtained in accordance with the GDPR can be used as a valid legal ground, the legal ground must be based on the national laws and regulations of the EU Member States. Consequently, the acceptable use of facial recognition applications for access control may vary between EU Member States. There is no one-size-fits-all answer as to whether a legal ground exists, which necessitates a case-by-case assessment. Fortunately, a few national data protection authorities have already provided some guidance.
The Danish football team Brøndby IF obtained approval from the Danish Data Protection Authority (“DDPA”) for use of facial recognition technology to identify persons who have previously been banned from accessing games in order to prevent and reduce football hooliganism.
Brøndby IF conducted a data protection impact assessment (“DPIA”) under Article 35 GDPR and requested consultation from the DDPA under Article 36 GDPR, prior to implementing the system. Indeed, impact assessment and consultation prior to use are the two most important steps to take prior to utilizing facial recognition systems. In the proposed system in Denmark, security personnel would receive an alarm signal when the system detected a potentially banned person. Security personnel could then check to confirm whether the person identified by the system was actually on the list of banned persons.
The legal ground for processing personal data under these circumstances was based on substantial public interest. While there has been some debate as to whether this creates a sufficient substantial public interest, football games can be considered mass events where the use of facial recognition technology serves a substantial public interest by securing the safety of the attending public.
The Danish example demonstrates that establishing a basis under national law for substantial public interest is the key factor especially in preventive access control cases where consent-based processing is potentially unavailable. When using substantial public interest as a basis for processing, the DPIA and prior consultation with the DDPA are critically important.
A DPIA under Article 35 GDPR must be carried out if the planned processing of personal data is likely to result in a high risk to a person's rights and freedoms. This is especially important when any of the following are involved:
A DPIA may also be required after a processing operation has been added to the competent data protection authority's list, or where it is based on a requirement set in national laws and regulations. The Finnish Data Protection Authority, for example, requires a DPIA to be conducted when biometric data is processed using facial recognition solutions for access control whenever such processing involves any of the following:
Further, a prior consultation under Article 36 GDPR is required if the DPIA indicates that the planned processing would result in a high risk to data subjects and the controller has been unable to introduce measures to lower the risk.
Importantly, prior consultation cannot take place until the controller has conducted the DPIA. Thereafter, the competent data protection authority must be consulted, for example, if data subjects could face significant or irreversible consequences that may be difficult to overcome. Controllers are also required to request prior consultation in situations where national laws oblige them to consult with, and/or obtain prior authorization from, the competent data protection authority. Thus, with respect to facial recognition solutions for access control, especially when conducted on a large scale, prior consultation appears to be necessary in order to ensure that all legal requirements are met.
Facial recognition technology offers many possibilities for access control, but such technology is subject to particularly strict requirements under the GDPR since it involves processing of biometric data and, as such, falls under the scope of Article 9 for special categories of data. Establishing a valid legal basis may vary somewhat country-by-country within the EU because of differences in application of national laws and regulations. The use of DPIAs and prior consultation with DPAs is of utmost importance in such cases.