European Guidance on Facial Recognition Technology
Publication: ZRVP
The European Data Protection Board (“EDBP”) has recently proposed for public consultation the Guidelines on the use of facial recognition technology in the area of law enforcement (the “Guidelines”). In these guidelines, the EDPB underlines that facial recognition tools should only be used in strict compliance with the “Law enforcement” Directive. Furthermore, these tools should only be used if they are necessary and proportionate, as provided for in the Charter of Fundamental Rights of the European Union.
Technology progress related to facial recognition has demonstrated to be a valuable tool for law enforcement authorities, as it could be successfully used to authenticate or identify persons in crowded places. However, its operating principles rely on processing biometric data, which can ultimately lead to intense data processing.
EDBP specifically emphasizes the nature of the technology used either for authentication or for identification of persons (processes slightly different), underlying its probabilistic character which might essentially affect fundamental human rights. In this sense, not only that it is important to consider the results provided by such technology as having potential bugs resulting from hidden errors of processing, but controllers need to provide regular evaluation of the processing algorithm.
The Guidelines also specify that facial recognition tools should be used in strict compliance, among other applicable legal provisions, with the “Law enforcement” Directive (LED). Several relevant provisions provided by LED shall be considered as a support when adopting at a national level future legislative and administrative measures in this respect.
Processing biometrical data shall be allowed only where strictly necessary and subject to appropriate safeguards for the rights and freedoms of the data subject. These requirements should be carefully analyzed as they restrict the margin of appreciation permitted to the law enforcement authority.
Member States shall pay special attention to potential decisions based solely on automated processing. In this sense, EDBP analyses clear thresholds which should be applied when inserting exceptions that allow such decisions, more specifically, processing may be possible only if authorized by Union or Member State law to which the controller is subject, and which provides appropriate safeguards for the rights and freedoms of the data subject.
Among other red-flagged risks, the Guidelines specify also that a ban shall be imposed on any technologies which infer emotions of a natural person. Also, remote biometric identification of individuals in publicly accessible spaces or use of technology which categorize individuals based on their biometrics into clusters according to any grounds for discrimination shall not be allowed, as these might have a high risk of intrusion into individuals’ private lives and should not be applicable in a democratic society.
In line with the unique nature of biometric data, the Guidelines primarily address law makers at EU and national level when inserting legal provisions related to the usage of facial recognition technology.
The EDPB guidelines are open for public consultation until 27 June 2022.