It depends, could we answer, but let’s deal with this question in a Galician style, that is to say asking more questions that will guide us in the application of GDPR.
What is a personal data?
According to article 4.1 of GDPR, “personal data means any information relating to an identified or identifiable natural person (...) by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Therefore, a personal data is any information relating to an identified or identifiable natural person, but
When a natural person can be deemed identifiable?
According to whereas 26 of GDPR an information will meet the divine stage of personal data where it permits the identification of a natural person with the available technology and at a reasonable cost. Well, we have solved two questions, but some more are still waiting for an answer to understand facial recognition regulation in GDPR.
What are biometric data?
The definition is found at article 4.14 of GDPR: “‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”
Taking into account this, any pack of physical and/or behavioural data allowing to identify uniquely a person is suspected of the crime “biometric data”, in particular if it contains images or fingerprints. Such understanding can be right for fingerprints, but not for images, because without the suitable software the image of a person is not enough to provide a unique and unmistakable identification of such person. Indeed, whereas 51 of GDPR reinforces such view, emphasizing the use of technological means for unique identification instead of the kind of data being used: “The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.”
So that, a set of images, for instance those obtained in a CCTV system, shall only be included in the category of “biometric data” in case the system uses technology allowing to uniquely identify the persons whose image is reproduced in it. In other words, the images of a CCTV would be considered biometric data where facial recognition tools are applied.
The transcendence of this third question lies in the article 9.1 of GDPR, which forbids the processing of the “special categories of personal data”, including, among others, “biometric data”:
“1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.”
Therefore, facial recognition falls in the gaol of “special categories of personal data”, being forbidden for all business, as simple as this. So, here we are, facing again the first frightening question:
Can I use facial recognition in my business?
As it is commonly said, when God shuts a door, He always opens a window. Salvation, as usual, comes in the form of several exceptions to the general prohibition, which are contained in the point 2 of the same article 9 of GDPR. Among such exceptions, letters a, b, f and g are especially applicable to facial recognition:
- “The data subject has given explicit consent to the processing of those personal data for one or more specified purposes”. These terms are suitable for systems where the consent of the enrolled persons is verifiable, especially for control of access, but also for CCTV, in case the system (i) gives enough information and the opportunity to accept to all people acceding the facilities and (ii) does not capture the images of passers-by. In fact, recent Guidelines 3/2019 on processing of personal data through video devices adopted on 10 July 2019 by the European Data Protection Board, states that when explicit consent is alleged for the processing of biometric data, the system shall avoid the capture and processing of “biometric templates of non-consenting persons”.
- “Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security”. This exemption allows the use of access control facial recognition tools in the workplace, as entrance/exit/presence control of workers or visitors (as opposed to registered workers).
- “Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity”. This letter permits to use facial recognition to prepare, issue or defend against any kind of legal action and are especially applicable for forensic uses, that is to say applying facial recognition to footage in order to identify or track a suspect. Of course, it will be more difficult to justify facial recognition use in real time, only in the basis of this exception, but the system should be GDPR compliant as long as we can prove that (i) it is a necessary mean for identification and (ii) we are using it in a proportional way.
- “Processing is necessary for reasons of substantial public interest”. This final exception faces us with the last question of this quiz.
What are such reasons of substantial public interest?
Unfortunately, the expression “substantial public interest” is not defined in the GDPR. At least it is clear that some sort of serious public interest should be at stake.
In the case of facial recognition, this public interest fits finely with live facial recognition in CCTV, provided that public security reasons can be alleged. In other words, the system would be GDPR compliant if it is safeguarding any kind of facilities or open spaces facing intense security threats, either because of being a critical infrastructure (chemical industries, power facilities, water supplies, transport means, etc.), because of the amount of people gathered therein (stadiums, concert halls, malls, open crowded areas, etc.), or by any other reason implying a “substantial public interest”.
Summing up, the question can I use facial recognition in my business? may be answered with a yes, instead of an it depends, at least in the following four cases:
- For access control or even CCTV (i) giving enough information and the opportunity to accept to all people acceding the facilities and (ii) not capturing the images of passers-by
- For access control in the workplace.
- For forensic uses and even in live managing of CCTV systems, in order to prepare, issue or defend against any kind of legal action.
- For real time CCTV where public security reasons can be alleged.