In a recent blog, the Information Commissioner highlights the ICO’s concerns with the use of live facial recognition technologies.
The article focuses on an ongoing case (R (Bridges) v Chief Constable of South Wales Police), which led the ICO to look at how the police are trialling facial recognition technology. It makes the point that “any organisation using software that can recognise a face amongst a crowd then scan large databases of people to check for a match in a matter of seconds, is processing personal data” and that GDPR therefore applies.
In the article, the Information Commissioner says:
For the past year, South Wales Police and the Met Police have been trialling live facial recognition (LFR) technology that uses this software, in public spaces, to identify individuals at risk or those linked to a range of criminal activity – from violent crime to less serious offences.
We understand the purpose is to catch criminals. But these trials also represent the widespread processing of biometric data of thousands of people as they go about their daily lives. And that is a potential threat to privacy that should concern us all.
LFR is a high priority area for the ICO. My office has been conducting an investigation, monitoring the trials carried out by the police. The relevant forces piloting this technology have cooperated with our investigation and the ICO has learned a lot from our deep dive in examining how it works in practice. Legitimate aims have been identified for the use of LFR. But there remain significant privacy and data protection issues that must be addressed, and I remain deeply concerned about the rollout of this technology.
Whilst a lawful basis is always required for processing any personal data, biometric data used for identification purposes is treated by the GDPR as “special category” data, which also requires a specific lawful condition to apply for the processing to be lawful. And as this is a new technology or way of processing data, the ICO highlights the need to carry out a DPIA and implement appropriate policies and controls around its use.
We should expect more from the ICO (as well as the outcome of the legal case) on such processing in the future and how it applies to businesses as well as the police.