Your Face is Personal Data
2019-07-10
After San Francisco has banned face recognition, here is hope for privacy also in Europe. Europe’s privacy watchdogs are looking to beef up restrictions for the use of facial recognition in a move that will affect how governments and big tech companies use this technology. Data protection agencies will discuss new guidelines this week at a joint meeting in Brussels that would reclassify facial recognition data as “biometric data,” which under European privacy rules requires explicit consent from the person whose data is being collected. Under the GDPR, biometric information — a category under which the technology would soon fall — is considered as “sensitive data,” meaning that its collection is prohibited unless individuals give explicit consent or the information has been made public.
These guidelines which are not yet public, will have potentially far-reaching impact at a time when facial recognition tools are becoming more widespread in public spaces and consumer technology. More stringent demands for consent could challenge police forces and security services that are turning to facial recognition to keep tabs on crowds, with experiments already under way or completed in London, or at Berlin’s Südkreuz railway station.
They are also likely to affect tech companies like Facebook. The social media giant reintroduced its use of facial recognition in Europe last year following a ban. The company had used the onset of the General Data Protection Regulation (GDPR) as a chance to ask users whether they want to opt in to using the platform’s facial recognition tool for automatic tagging of their photographs. At the time, privacy activists argued that the consent was not valid because even users who opted out would have their biometric data scanned.
If companies and governments fail to obtain a higher level of consent, they may not be able to deploy facial recognition tools. Current tools for obtaining consent for video surveillance, like signs informing people they being recorded, are not likely to meet the higher standard of consent required for collection of biometric data.
The guidelines are expected to go through a public consultation process before being finalized by the authorities.