What is live facial recognition technology and can we use it?
The use of live facial recognition technology in the retail sector has been highlighted recently after a cross-party group of MPs criticised Frasers Group for using the technology in its stores, and the ICO launched an investigation into security firm Facewatch. In both cases, the companies used the technology to scan shoppers' faces to identify potential shoplifters and other persons of interest. In this article, we look into the use of live facial recognition technology and the steps businesses should take to ensure that their use of this technology is lawful.
Facial recognition technology
Facial recognition technology relies on algorithms to detect and analyse faces and uses this information to create a biometric template that can identify individuals. Facial recognition technology is widely used, typically in “one-to-one” processes such as unlocking your mobile phone, logging into mobile banking apps or passport control, and when used in this way it can make aspects of our lives easier and more secure.
However, live facial recognition technology is deployed in a way that is more akin to traditional CCTV than the “one-to-one” methods. Live facial recognition technology captures and analyses information about anyone who is in a particular area. In the case of Frasers Group and Facewatch, this information was then used to create a database of potential shoplifters against which future data could be screened.
The legal position
The use of the technology in public places in England and Wales relies on a combination of data protection laws and human rights laws.
As facial recognition technology enables the identification of individuals, it involves the processing of personal data and must therefore comply with the UK GDPR and other data protection legislation. This means that any company using this technology must have a lawful basis for processing personal data and must also comply with the other data protection principles in the UK GDPR.
In addition, facial recognition technology involves the processing of biometric data, i.e., personal data consisting of unique physical characteristics of a natural person. Biometric data is a special category of personal data under UK GDPR and is subject to additional protections.
In general, the processing of special category data is prohibited unless the processing falls within one of ten statutory exceptions (these include processing that is carried out with the individual’s explicit consent, processing that is necessary to provide medical treatment, and processing for the purposes of employment and social security). The exceptions are narrowly defined and may be subject to additional restrictions or be specific to the exception in question (e.g., to limit the exception to certain types of controller or category of special category data).
Using facial recognition technology lawfully
Therefore, to use the technology lawfully, businesses must ensure that they have both a lawful reason for processing personal data and a valid condition for processing special category data.
Once a business has established a lawful reason for processing personal data, any processing must be balanced against the individual’s rights. Processing is only lawful if it is proportionate and necessary to help the business address its security concerns, and the ICO has indicated that taking the following steps may evidence that a business’s actions are compliant with data protection legislation:
- Appointing a data protection officer;
- Ensuring that relevant policies and procedures are in place;
- Carrying out a data protection impact assessment (which should include an assessment of alternative, less intrusive measures to achieve the business’s aim and evidence of why these cannot be used);
- Continually assessing data collected through use of live facial recognition technology and erasing data where possible; and
- Ensuring protection of vulnerable persons (for example in the case of Facewatch, the company took steps to ensure that no vulnerable person could become a “subject of interest”).
Following its investigation and the introduction of improvements by Facewatch, the ICO concluded that no further investigatory or enforcement action was necessary. Meanwhile, Frasers Group has defended its use of live facial recognition technology in its stores and no regulatory action has yet been taken against it.
However, the ICO has indicated that there is a high bar for use of the technology to be considered lawful and that the finding that Facewatch’s activities are compliant with data protection legislation should not be viewed as a green light for other businesses to use the technology. Instead, the ICO will continue to monitor the use and development of the technology and assess each business on a case-by-case basis.
Sana Shah, who helped to write this article, is a solicitor within our corporate and commercial team.