Facial recognition: a GDPR fine and some further regulation?

Facial recognition is certainly a hot topic just now. I blogged yesterday about the judgment in Bridges, which saw the Divisional Court dismiss challenges – principally on privacy and data protection grounds – to the use of automated facial recognition technology in a policing context. It would be a mistake, however, for data controllers to assume that the legal and regulatory environment is generally relaxed and permissive about facial recognition. Here are two interesting recent developments to bear in mind alongside the Bridges judgment.

First, the Swedish data protection authority (Datainspektionen) issued its first GDPR penalty in August – and it was about facial recognition. Specifically, the penalty was imposed on a school that used FR as part of a pilot project in a classroom, aimed at automating the registration process in order to save teaching time. This is all explained in this very useful piece on the IAPP blog by Sofia Edvardsen.

The Swedish authority was not impressed, and issued a fine for three types of GDPR contravention: namely (1) contravention of the purpose limitation and data minimisation principles under Article 5, (2) processing biometric data without a lawful processing condition, contrary to Article 9, and (3) failure to undertake a data protection impact assessment (Article 35) and to consult with the Swedish DPA (Article 36). The fine was SEK 200k (around US$29k).

Leaving aside questions about the amount of the fine, this outcome may strike some as rather harsh, given for example that: the pilot worked on the basis of explicit opt-in parental consent; the data was stored on a secure local computer that was not connected to the internet; and the school appears to have attempted some sort of prior risk assessment.

From what we know so far, the case bears out a number of potential GDPR pitfalls, such as:

  • Proportionality is fundamental (hence the Article 5 contraventions): there is a weighty public interest in crime-prevention (see the Bridges judgment), but automating the school register was deemed a less compelling objective behind intrusive activity.
  • What was wrong with the consent? It appears that it fell down because of the structural power imbalance between parent and school. The GDPR tells us to beware of such imbalances (see Recital 43) – but surely it must be possible to give valid consent to a school pilot like this?
  • As I discussed in my post yesterday, the Court in Bridges was content to cut the data controller a fair amount of slack in terms of its DPIA. One gets the sense from Bridges that the Court was reluctant to skewer the whole project on the grounds of an inadequacy in documentation. The Swedish school was given a much harder time – and the case shows that a solid DPIA can be a crucial factor.

The Swedish fine is of course very different from Bridges in a number of ways, and shouldn’t be taken as a wide precedent about FR. But it is a useful cautionary tale, particularly if we bear in mind that the GDPR aspires to harmonisation (i.e. the analysis applied by Sweden’s regulator should in principle chime with what other regulators would do in similar cases).

The second development to note on the FR front is that, according to this piece in the Financial Times, the European Commission is in the early stages of planning for bespoke legislation – presumably to supplement and dovetail with the GDPR – aimed at regulating FR and other forms of artificial intelligence technology.

This chimes nicely with a point made in the Bridges judgment yesterday, where the Divisional Court surmised that, before too long, the current legal framework (anchored in the GDPR and Law Enforcement Directive) would not be fit for purpose when it comes to ensuring that such technology is operated in a way that respects privacy rights.

Don’t hold your breath for anything swift by way of new regulation though. Remember that the GDPR is already supposed to dovetail with a supplementary EU law on Privacy and Electronic Communications. The current Directive has passed its sell-by date, but the Regulation that will replace it has been mired in disputes between EU member states, and it doesn’t look like we’ll be getting the final output any time soon (see here).

Robin Hopkins @hopkinsrobin