#AbreuForward – Global Legal Trends

Facial recognition: ban or regulation? – 02.03.2020

Facial recognition technology is present in our daily life, having been deployed  by companies to change the way we use our phones, our travel and shopping experiences, allegedly increasing our security. This technology has also been seen as a fast, noninvasive method of security for identification of wrongdoers and control of public spaces. However, it is this remote use by public authorities, together with artificial intelligence, which has increasingly become a controversial issue, facing criticism for its use around the world, from protests in Hong Kong, to several U.S. cities with bans over fears that it paves the way for potential privacy violations and mass surveillance.  The non-authorized use of photographs to build a giant database by Clearview AI also sparked the debate and brought light to the dangers of the online availability of photographs of our faces. Against this background, in its white paper on AI, the EU Commission initially considered a general ban of the remote use of the technology up to five years. However, the final document dropped this temporary ban, bringing to the forefront of the discussion the dangers of facial recognition technology, especially when combined with AI.


Though facial recognition is used extensively for strengthening the security in multiple areas, the technology also has the potential to be very dangerous. In practice, it can be hacked, databases can be breached or sold, and sometimes it is just not effective. It is important to understand the interaction of the collection, storage and processing of sensitive personal biometric data within the rigorous requirements of the GDPR and other data protection laws around the world.  The remote use of facial recognition technology frequently breaches the need to give unambiguous, freely given and fully informed consent, as stipulated in the GDPR, as people are not even aware that they are being tracked or that their faces are being used for some other purpose other than for what it was initially authorized or indicated.  The use of the technology to identify potential criminals in public places with AI can also lead to bias or discrimination and, as such, carries specific risks for fundamental rights. Although EU data protection rules generally prohibit the processing of biometric data for the purpose of uniquely identifying a natural person, there are some exceptions that may allow a duly justified, proportionate use, for reasons of substantial public interest, based on EU or national law, provided it is subject to adequate safeguards. Hence, although allowing facial recognition is currently the exception, the Commission AI White Paper, which expectedly will lead to a legislative proposal expected late this year, launched a broad debate to explore with member states, businesses and other organizations whether new exceptions should be added. The Commission will take some time before deciding on how to legislate facial recognition remotely, but will not prevent national initiatives from using the technology according to existing rules. The Commission intends to adopt a risk-based approach to introduce new rules in some areas. The debate is whether we should restrict facial recognition to already identified viable use cases or if facial recognition technology has other potentially beneficial cases that should be allowed.