The challenges of facial recognition for citizens in a video camera environment (CPDP 2020 Highlights)
Facial recognition technologies have become central to the interests and concerns of governments, citizens and the private sector alike. In Europe, many countries are seriously considering the use of facial recognition technologies, with the United Kingdom leading the way. The use of live facial recognition in the public space provides a dense legal agenda. It is for this reason that a panel on the issue was organized at the CPDP 2020. This panel, made up of both institutional actors and human rights organizations, addressed the issue by focusing on the impact that facial recognition technologies can have on citizens based on the use made by the police in the United Kingdom.
1. According to the SCC: Legitimate use but insufficient legal framework.
The first panelist was Tony Porter, the Surveillance Camera Commissioner in the United-Kingdom (UK). Briefly, he recalled the context in which facial recognition was introduced in the UK. He rejected the general question of banning, or not, this technology for focusing more on specific issues such as: surveillance, data protection or data transfer. He
Indeed, its main concerns were that the legislation is not clear enough but also that police officers find themselves into situations where they do not know whether their actions were legal or not. In his view, the use of facial recognition – by the police – is legitimate, but infrastructure is not sufficient enough, particularly from the point of view of societal expectations.
After welcoming the fact that the decision in Bridges case set out guidelines, he however recalled that the courts, when they considered it necessary, had at five occurrences stopped the use of facial recognition by the police.
He concluded his intervention by relaying a discussion he had had with various government’s politicians in which he called for a change in legislation in favour of clearer and more transparent texts that would take into account three major points: a fundamental review of oversurveillance, a judicial oversight and the need of confidence of the public.
2. The ICO sees itself as an authority both in control and in guidance.
The next speaker was Steven Wright, who works in the Information Commissioner's office, which is the UK's Data Protection Authority. He wished to review the state of usage and legislation in the United Kingdom. Facial recognition is thus used by the public and private sectors, for law enforcement purposes, in shopping centers or football stadiums but also in public spaces. This diversity means that many different legal bases have to be taken into account.
For the private sector, this technology is attractive for commercial purposes. Nonetheless, it must be legal, necessary, justified and proportionate. For police forces using these technologies to fulfill their duty, a balance between privacy protection and surveillance technologies must be reached. For this reason, police must provide strong evidence that AFR is strictly necessary, balanced and effective in each specific context.
While recognising the principle of prohibiting the processing of sensitive data, he stressed that the Data Protection Act 2018 provides for exceptions, notably for law enforcement, as allowed by EU Directive 2016/680. In concrete terms, he indicated that ICO's recent work has been to provide means to comply with legislation to law enforcement authorities. He then called for good information governance not to be seen as an obstacle to innovation, but also as a help.
Particular emphasis was placed on ICO's expectations that a clear legal basis be put in place that demonstrates that the process is fair, legal, transparent and appropriate. Before recalling that the ICO had the authority to fine a company up to 4% of its turnover, he stressed the need for a risk assessment prior to processing as well as data protection by design.
He concluded his intervention by recalling that the ICO was following very closely the uses of facial recognition, particularly in the field of law enforcement. In that sense, by carrying out investigations and researches, this monitoring on the uses of facial recognition led, inter alia, the ICO to publish a report in October 2019. Finally, he reaffirmed that the Data Protection Act 2018 applied to all stages of the use of personal data (collection, storage, use, etc.) while insisting on the need to assess all applicable texts comparatively.
3. For Liberty, the future of facial recognition must be its prohibition.
After two institutional actors, the floor was given to a member of the Liberty organization: Hannah Couchman. By recalling her association's commitment to a campaign in favor of banning facial recognition as well as the central issue of the protection of minorities, she thus positioned her discourse in the field of the protection of human rights, taking examples:
Her starting point was to state the definition of privacy as: “the ability of individuals to determine what they want to be and what they want to share with others”, hence pointing out that facial recognition is a threat to privacy.
She went on to demonstrate that these surveillance technologies are changing the way we act, which affects the very symbolic right to protest. For instance, taking the first facial recognition test deployed during demonstrations as proof, she regretted that we have to change our lifestyles to escape this surveillance.
Concerning discrimination: she argued that even with perfect and 100% reliable technology, its use was likely to discriminate against people of colour through police over-surveillance. She expressed indignation at the possibility of increasing surveillance of certain categories of people in order to perfect facial recognition before worrying about the increase of police surveillance capabilities offered by this new cloud of technology.
According to her, one problem was the collusion between states and the private sector. In this way, she denounced the fact that police admitted sharing sensitive data with private actors, which led some companies to build an economic business based on surveillance. Finally, in terms of transparency, she deplored the fact that transparency systematically comes up against trade secret.
She ended her plea by calling for a ban on facial recognition: “Even if we address all the questions raised: it will always be disproportionate, it will always threaten our ability to live freely and it will always be use in a discriminatory way. This kind of tool is about oppression and control: it has no place in our schools, in our train stations, in our football stadiums or our shopping centers. It has no place in our streets.”
4. For the FRA, the current conditions do not allow a sufficient assessment of the risks to fundamental rights.
The last speaker was a member of the Fundamental Rights Association: David Reichel. He presented an overall of the organization's researches and analysis related to the uses of facial recognition in the United Kingdom but also in France and Germany.
The organization was thus able to make three major observations which – according to them – should guide the legal analysis.
The first stems from the fact that there is no truly comprehensible review of who is using facial recognition neither for the purposes of its uses.
The second issue was a lack of transparency with regard to the rules for the drawing up of watch lists. According to the agency, the purpose of the processing is assessed in particular in the light of the database used. The lawfulness of the process is therefore closely linked to an appreciation of the rules governing the drawing up of the watch lists, using the example of large immigration or security databases to illustrate this point.
The third statement he raised was that the private sector is a major user of facial recognition.
Returning to fundamental rights considerations, he highlighted the fact that, despite the absence of any significant study on that topic, citizens seemed, a priori, uncomfortable with the use of facial recognition.
Recognizing the possibility of restraining certain fundamental rights, he recalled that it was subject to strict compliance with three criteria: provision by law, necessity and proportionality. In the absence of precise rules on the establishment of watch lists, he therefore deplored the difficulty of being able to assess these criteria, and therefore the legality of limitations.
At some point, he agreed with Hannah Couchman by underlying that beyond the problems of accuracy of facial recognition, even a perfect technology raises problems for fundamental rights. That is why it has placed the protection of privacy and the protection of personal data at the center of its concerns.
Beyond these core problems, nevertheless, right to non-discrimination, freedom of expression and assembly, but also the right to good administration must be taken into account in a case-by-case basis.
Finally, he suggested minimum guarantees by calling for the implementation of Fundamental Rights Impact Assessments separate from Data Protection Impact Assessments as well as the creation of independent supervisors.
In conclusion, this panel, which focused on the implications of facial recognition for citizens, showed that many issues require significant legal reflection in terms of the protection of civil liberties and fundamental rights. Consequently, the eagerness of certain stakeholders to generalize facial recognition seems to have to be tempered.