The Consultative Committee of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108+“) developed Guidelines on Facial Recognition, addressed to legislators, decision makers and businesses (“Guidelines“). The Committee brings together experts representing the 55 states parties to the Convention as well as 20 observer countries,
The Guidelines call for strict rules to avoid the significant risks to privacy and data protection posed by the increasing use of facial recognition technologies. Although of general nature, the Guidelines give some specific instructions on how the facial recognition technologies should be deployed.
- Legislators and decision makers
Facial recognition – the processing of digital images containing individuals’ faces – implies the processing of images as biometric data, because the processing permits the unique identification or authentication of an individual. Biometric data belong to the so-called special categories of personal data, and the processing of such data is subject to particularly stringent conditions.
According to the Guidelines, domestic law applicable to the processing of biometric data through facial recognition should address, among other things:
- the detailed explanation of the specific use of biometric data and the purpose;
- the minimum reliability and accuracy of the algorithm used for the processing (e.g. expressed through an assessment of false positive or false negative errors produced by the software); and
- the duration of retention of the photos used.
The Guidelines identify certain purposes, or modes of use, of facial recognition which should be prohibited or restricted. The former applies to the use of facial recognition for the sole purpose of determining a person’s skin colour, religious or other beliefs, sex, racial or ethnic origin, age, health condition or social condition. Likewise, affect recognition (the use of technology to attempt identifying or classifying human emotions) should also be prohibited. The biometric data processing for identification purposes should be restricted, in general, to law enforcement purposes and carried out in the area of security only. As for the use of live facial recognition in places freely accessible to individuals (such as shopping malls, hospitals, or schools), the Guidelines are less explicit, but they call for maximum caution, i.e. for “a democratic debate on its use and the possibility of a moratorium pending complete analysis”.
- Private entities (businesses)
It follows from Article 5 of Convention 108+ that the explicit, specific, free, and informed consent of data subjects is required for the use of facial recognition technologies. To ensure that consent is freely given, data subjects should be offered alternative solutions (e.g. using a password or an identification badge) that are easy to use.
Private entities sometimes use facial recognition in shopping malls of similar places freely accessible to individuals, especially to identify persons’ interest, for marketing purposes, or for private security purposes. The Consultative Committee considers that such use should be prohibited. Moreover, mere passing through an environment where facial recognition technologies are used cannot be considered as an explicit consent. Therefore, the Guidelines suggest that the use of facial recognition in places freely accessible to individuals should be allowed only to law enforcement authorities, and only if the use is strictly necessary and proportionate to the law enforcement purpose.
- Compliance with the data protection principles and provisions
The guidelines emphasise the importance of transparency and fairness, especially because facial recognition may be used without any cooperation of a data subject. Also, covert use of live facial recognition technologies by law enforcement authorities could be performed only if it is strictly necessary and proportionate to prevent imminent and a substantial risk to public security.
Same as with GDPR, data controllers have to respect the principles of purpose limitation, data minimisation, accuracy, and limited duration of storage. Different storage limitation periods apply to the different phases of the processing:
- if there is no match of the biometric templates, the biometric template of individuals passing through places freely accessible to individuals have to be automatically deleted;
- if there is a match, the biometric templates can be retained for a strictly limited time; and in any case
- the watchlist and biometric templates have to be deleted upon completion of the purpose of processing.
The Guidelines are significant as the first authoritative document of such broad scope to assess compliance of facial recognition with data protection principles and specific requirements. Because of significant similarity between the GDPR and the modernized Council of Europe Convention 108, the Guidelines are likely to be a useful tool when deploying facial recognition technologies in the countries across Europe.
