The new guidelines published by the European Data Protection Board on May 16, 2022 on the use of facial recognition reiterate a position deemed measured, the caution of which now seems confirmed.
On May 16, 2022, the European Data Protection Board (EDPB) adopted guidelines on the use of facial recognition technologies by law enforcement and judicial authorities (prevention, investigation, evidence, application of sanctions, etc.). The full text can be found here, and will soon be subject to a 6-week public consultation. Stay tuned: these public consultations take into account all contributions, including those of the actors concerned, and are open to all.
As a reminder, the French name of this independent European body, the EDPB, whose objectives are to guarantee the consistent application of the GDPR and to promote cooperation between the data protection authorities of the European Union, is the EDPS (European Data Protection Board).
The EDPB’s position on the issue of facial recognition has remained stable and consistent since the beginning of the debates which have inevitably accompanied the multiplication of uses around this technology. The EDPB advocates a cautious approach to the dissemination of facial recognition, especially in areas as sensitive as its use by law enforcement and judicial authorities.
In this context, the joint opinion published on June 18, 2021 by the EDPB and the EDPS (European Data Protection Supervisor) on the proposal for a regulation on artificial intelligence already recommended the prohibition in principle of the use of facial recognition technologies in certain areas (we will see which ones below), a targeted ban in principle that the EDPB reiterates in the guidelines published on May 16. With regard to the other areas, which would not be subject to such a prohibition in principle, the EDPB nevertheless introduces precise requirements, based on existing data protection legislation, in order to prevent any abuse.
This cautious position is understandable given the serious implications that facial recognition can have for the fundamental rights of European citizens, whether the right to protection of privacy or, more broadly, the protection of human dignity and freedom of thought, conscience and religion. The recent scandal surrounding the practices of the company Clearview AI, prosecuted in multiple jurisdictions and sentenced on May 23 by the British data protection authority to a fine of 7.5 million pounds sterling (8.85 million euros) as well as the obligation to delete the personal data of British residents, is an illustration of this. The company reportedly offers its customers, including police and judicial authorities, a service to find online images of a person after entering a photo. “Not only does the company allow the identification” of people whose photo it has collected, “but monitors their behavior and offers it as a commercial service”, denounced John Edwards, the British Information Commissioner. Clearview AI is criticized for reportedly holding more than 20 billion images gleaned from the four corners of the globe and the web without having established the slightest partnership with the publishers of the sites, services or apps in question, and therefore without having obtained the consent of the persons concerned.
The prohibitions in principle
The EDPB reiterates in its guidelines the call for a total ban on the use of facial recognition technologies in certain areas where the risk of drift is considered too great. The EDPB identifies four, which are as follows:
- The use of facial recognition for remote identification of individuals in public spaces,
- The use of facial recognition to deduce from the biometric data of individuals their ethnicity, gender, political or sexual orientation, or any other information that could constitute a ground for discrimination,
- The use of facial recognition to deduce the emotions of a physical person,
- The use of facial recognition in a law enforcement context, relying on a database fed by the collection of personal data on a large scale and indiscriminately, such as by collecting photographs or facial images on the internet.
In these different scenarios, the EDPB thus considers that the potential of identification by facial recognition to violate the fundamental rights of European citizens is far too great for any contrary interest (private or public) to justify it.
The supervised areas
In other cases, however, the use of facial recognition may be authorized, provided that a certain number of requirements and guarantees aimed at regulating it in a precise manner are respected. In the guidelines published on May 16, the EDPB focuses on the conditions for the use of facial recognition by law enforcement and judicial authorities.
The EDPB relies in its approach on the many existing regulatory tools. Thus, the European data protection body stresses that the use of facial recognition by state authorities must comply with the various obligations arising from the Law Enforcement Directive, which defines the European data protection framework for processing carried out for law enforcement and judicial purposes.
Let us recall here, to avoid any confusion, the relationship between the Law Enforcement Directive (LED) and the GDPR. These two texts are both part of the European legal corpus of data protection; they have, however, distinct and complementary fields of application. Indeed, the GDPR only applies to data processing carried out in the context of activities that fall within the scope of European Union law, which is not the case for the sectors of state security or of national defense. This is why the data protection framework with regard to these particular sectors depends on a separate directive, the LED. This is also why a vast majority of the data protection principles laid down by the LED are strictly identical to those described by the GDPR, although a few obligations specifically related to issues of state security and national defense have been included.
Be that as it may, compliance with the LED in the use of facial recognition implies, according to the EDPB, the implementation of the following guarantees:
- A legal basis resting on a legislative measure sufficiently clear in its terms to give citizens an adequate indication of the conditions and circumstances in which the authorities are entitled to use any facial recognition measure.
- The formulation of this legal basis must be subject to the approval of the competent data protection authority.
- The facial recognition measures authorized by the legal basis must be strictly appropriate in order to achieve the objectives stated by the text. In this context, a simple objective of general interest is not sufficient to automatically justify the use of facial recognition: the measures must be targeted and limited to the fight against certain serious forms of crime such as a terrorist act, and not general or undifferentiated.
- The criteria of necessity and proportionality of facial recognition measures must be respected; typically, they are unlikely to be met if the data is processed systematically by law enforcement and judicial authorities, and without the knowledge of the data subjects.
- The fact that an individual has published a photograph, thereby making it manifestly public, does not imply the right for law enforcement and judicial authorities to use the associated biometric data in the context of facial recognition measures.
- Particular attention should be paid to the rights of data subjects with regard to their personal data processed by a facial recognition system. The authorities must therefore pay particular attention to respecting the right to information of the persons concerned, as well as the right of access to their data, or the right of rectification in the event that inaccurate data are stored in a database.
- A data protection impact assessment must systematically be carried out before the implementation of any facial recognition system.
The position of the EDPB may seem strict in its guidelines, recommending a total ban for certain sectors, and a firm framework for others. Such caution may nevertheless seem justified, given the major implications that the uncontrolled dissemination of such technology could have in the various economic, political and social spheres of our European community. As we already noted in 2020 in our in-depth dossier devoted to facial recognition, the opportunities offered by this technology are real, as are the risks it entails with regard to respect for the fundamental rights of European citizens. This is why a cautious approach seems appropriate in order to exploit the potential of facial recognition, without it leading us into dystopian social environments towards which less scrupulous countries like China seem to be heading.
A slightly more personal conclusion
As part of our commitment to promote responsible innovation, we are opposed to innovation being held back by a utopian regulatory vision.
The feedback from the public consultation, as well as the practice that will begin with the implementation of the new obligations, will necessarily bring some nuance to these guidelines.