On October 9, 2020, the CNIL (French Data Protection Authority) clarified its position on the use of facial recognition technology at airports, providing useful guidance for French airport managers and service providers experimenting with facial recognition technologies (FRTs).
As highlighted by the “Air Transport IT Insight 2018” report, the airline sector is in need of guidance in the deployment of its biometrics and facial recognition tools at a moment when 59% of airports and 63% of airlines plan to deploy facial recognition devices by 2021.
The French Data Protection Authority sets out four main principles that must be respected:
- Justify the necessity and proportionality of the facial recognition device
The CNIL recalls that “the criteria of necessity and proportionality must be assessed with particular vigilance when it comes to the processing of biometric data […]. Thus, the deployment of facial recognition devices in airports will have to be an answer to specific needs”.
- Obtain the prior consent of the passenger
The deployment of facial recognition devices “must be based on the prior collection” of the person’s consent, which must be “free, specific and informed”. In order to respect this fundamental principle (set out in article 9.2.a. of the GDPR), technical and organizational measures, such as the “activation of facial recognition cameras only after an action by the passenger concerned”, must be implemented.
- Keep biometric data under the control of the passenger concerned
The CNIL reiterates “the need to favor their conservation on a medium of which the person has the exclusive use and control”, so as to reduce the risks of misuse, compromise or misappropriation of biometric data. In practice, according to the CNIL, this could lead to two possible options:
  - “Either the biometric data is stored on an individual medium of which the passenger has control and exclusive use (on a secure mobile application on his phone, on a badge, a card, etc.);
  - or the biometric data is stored in the database in an encrypted form making it unusable without the communication by the passenger of an element or secret allowing it to be decrypted”.
- Conduct a data protection impact assessment (DPIA)
The DPIA is mandatory when the data processing is “likely to generate a high risk for the rights and freedoms of the data subjects”. Regarding the specificity of airports, the CNIL affirms that a DPIA must be conducted before the implementation of the data processing, whether it is experimental or not.