An investigation by the Information Commissioner's Office (ICO) published today (17 June) found that out of a group of organisations using live facial recognition (LFR) technology in public spaces, none were fully compliant with data protection law requirements.
Following the report, the Information Commissioner published an official opinion on the use of LFR in public places by public organisations and private companies, calling for an effort to ensure the technology does not expand without due regard for data protection.
The opinion follows a previous opinion published by the Commissioner, based on an investigation into the use of LFR in a law enforcement context, which concluded that data protection law sets high standards that must be met for the use of LFR in public spaces to be lawful.
Building on those findings, the Commissioner's most recent opinion is based on an investigation into the use of the technology outside of law enforcement.
As part of the investigation, the ICO assessed or investigated 14 examples of LFR deployments and proposals and found an "increasing appetite" to use LFR for marketing, targeted advertising and other commercial purposes.
In a statement on the investigation, the Information Commissioner, Elizabeth Denham, called LFR technology "supercharged CCTV".
Unlike CCTV, LFR and its algorithms can automatically identify individuals and infer sensitive details about them. When used for surveillance, the technology scans people's faces on live video and compares them with a watchlist of individuals of interest. When there is a match, an alert is sent to the organisation using the system so that a person can review and confirm the system has singled out the correct person.
Another use case the Commissioner highlighted is the ability to create biometric profiles involving sex, age, ethnicity and clothing to offer personalised advertising to people in the street.
With the use of LFR in these public contexts, "the risks to people's privacy increases," the Commissioner said.
"I am deeply concerned about the potential for live facial recognition (LFR) technology to be used inappropriately, excessively or even recklessly."
The Commissioner said it was important to guide organisations using the technology before LFR becomes ubiquitous and explain how data protection and people's privacy "must be at the heart of any decisions to deploy LFR".
"The opinion is rooted in law and informed in part by six ICO investigations into the use, testing or planned deployment of LFR systems, as well as our assessment of other proposals that organisations have sent to us," the Commissioner said.
According to the Commissioner, none of the organisations involved in the ICO's investigations were able to fully justify the processing and, of the systems that went live, none were fully compliant with the requirements of data protection law. All of the organisations chose to stop, or not proceed with, the use of LFR.
Data protection guidance set out in the report says that organisations deploying LFR in public places must:
- comply with the data protection principles set out in UK GDPR Article 5, namely: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability;
- identify a lawful basis and meet its requirements, as required by UK GDPR Article 6;
- identify, where required, appropriate conditions for processing special category data under UK GDPR Article 9 and criminal offence data under Article 10;
- ensure that data subjects are able to exercise their rights, as defined in UK GDPR Articles 12 to 22, including: the right to be informed; the rights of access, rectification and erasure; the rights to restrict processing and to object; and rights in relation to automated decision making and profiling;
- ensure clarity of controller, joint controller and processor roles and responsibilities where necessary, as required by UK GDPR Articles 24 to 29, and be able to demonstrate compliance;
- take a data protection by design and default approach, as required by Article 25;
- undertake a DPIA where required, as set out in UK GDPR Article 35; and
- if the DPIA identifies risks that cannot be mitigated by the controller, consult the ICO, as required by UK GDPR Article 36.
Organisations will need to demonstrate high standards of governance and accountability from the outset, according to the Commissioner, including being able to justify that the use of LFR is fair, necessary and proportionate in each specific context in which it is deployed. They will also need to demonstrate that less intrusive techniques won't work.
"My office will continue to focus on technologies that have the potential to be privacy invasive, working to support innovation while protecting the public," the Commissioner said. "Where necessary we will tackle poor compliance with the law."