Privacy Protection in the Use of Facial Recognition Technologies
The European Data Protection Board (‘EDPB’) has recently adopted the final version of its Guidelines on facial recognition technologies in the area of law enforcement (the ‘Guidelines’).
Facial recognition technology (‘FRT’) brings to the table a series of advantages to the law enforcement authorities in a smoother and more rapid process of authentication or persons’ identification whenever needed to ensure fulfilling their assigned duties assigned at a national level. While law enforcement authorities are executive authorities and mostly have executive powers, a high level of data protection must be ensured when using FRTs to reduce the risk of discrimination and false results.
The Guidelines specifically address European law makers and law enforcement authorities and aims at drawing attention to certain properties of facial recognition technologies and the applicable legal context to ensure a uniform integration of FRTs in the area of law enforcement.
From a technical perspective, the Guidelines distinguish between:
- the process of authentication of a person, which is used to confirm the identity of a person by comparing the image of a determined person with a distinct pre-recorded data; and
- the process of identification of a person, which intends to detect a precise person among multiple subjects from a wider group of persons and which leads to a comparison between the images of each of such persons from a group to an already pre-defined image of a person whose identification is aimed at.
Although such processes have distinct objectives, they both imply genuine data processing of natural persons, with serious consequences when it comes to law enforcement, considering the possible legal effects upon such data subjects.
This is why potential malfunctions in the implementation and actual functioning of such technologies must be overcome, case in which EDBP stresses not only the need to undertake regular and systematic evaluation of algorithmic processing, but also the need of a high-quality data used for both processes.
Another essential aspect regulated by the Guidelines refers to the applicable legal framework, focusing on the EU Charter of Fundamental Rights (the “Charter”) and the Law Enforcement Directive 2016/680 (the “Directive”).
On the one hand, with regard to the Charter, among other, the Guidelines details the applicability and the interference with the rights laid down in the Charter and, on the other hand EDBP examines several areas of the Directive which is a core legal act that deals with processing personal data by data controllers for law enforcement purposes.
The use of the Guidelines is intended to ensure a proper use of facial recognition tools by law enforcement authorities, considering that such tools should only be used in strict compliance with the applicable legal framework and only in cases when they satisfy the requirements of necessity and proportionality. It might be said that EDBP regulated certain aspects through the Guidelines in the light of a stated philosophy that “while modern technologies may be part of the solution, they are by no means a <<silver bullet>>”.