The French data protection authority (the CNIL) has published its opinion on the data privacy challenges presented by the use of facial recognition technology, on the one hand recognising the challenges for privacy, the potential for criminal activity and the impact of mistake, whilst on the other the likely benefits for society as a whole.
What is facial recognition technology?
Facial recognition technology is software that collects an image of an individual’s face and produces a template which the software can then use to recognise the face of the individual. The software has a variety of potential uses, such as unlocking smartphones, detecting wanted persons and targeted advertising. Facial recognition technology is one aspect of a wider category of biometric technology which uses processes to identify individuals (such as fingerprints or iris structure).
As biometric data has the ability to identify an individual, it can fall within the definition of personal data under the GDPR.
What are the risks?
Some of the data protection risks posed by the use of the technology, which the CNIL have highlighted include:
- Biometric data can present a substantial risk of fraud or other criminal activity where the data is misused.
- Unlike other types of biometric data (fingerprints for example), facial recognition data can potentially be obtained everywhere in daily life in public spaces, which could make it more open to abuse.
- Facial recognition data could usher in a new unprecedented age of surveillance, whereby video devices, smartphones and advertising boards could be utilised as tools for mass surveillance.
- Advanced facial recognition systems could pose a risk to anonymity in public spaces. Currently, there is no rule that everyone in a public space should be identified. The CNIL considers systems that contribute to the erosion of anonymity could have an adverse effect on these fundamental principles.
- Facial recognition is based on statistical estimates and probabilities and error rates can depend on factors such as gender. This can result in individuals being mis-identified, which can have far-reaching consequences, for example, wrongful arrests by police.
The future use of facial recognition technology
The CNIL highlight three main requirements which, in its view, should guide the process of developing facial recognition technology, whilst protecting the rights of individuals:
- The CNIL considers that some red lines should be drawn, beyond which the use of facial recognition technology should not be permitted. For example, using the technology on children in order to control access to a school where the aims can be achieved by equally effective and less intrusive measures.
- People must be put at the heart of any facial recognition system. In other words, systems should not have intrusive surveillance techniques as their aim.
- Adopting a genuinely experimental approach in relation to facial recognition technology will help develop technical solutions that operate within the legal framework of data protection law.
Broadly, whilst the CNIL notes various benefits of facial recognition technology for society as a whole, it also recognises that there are potential risks in relation to its misuse, which will need to be actively considered and managed in order to protect the privacy of individuals.
It remains to be seen whether the CNIL’s call for a European model to combat these risks, by protecting individuals’ rights by way of appropriate safeguards, as well as strict methodologies for testing facial recognition systems, will come to fruition.