The Convention for the Protection of Individual with regard to Automatic Processing of Personal Data, 1981 (“Convention 108”) laid down by the Council of Europe, holds the pedestal of being the most significant and influential international instrument on data protection legislation. The Convention 108 applies to all data processing activities carried out by both private and public sectors, including data processing by law enforcement authorities and judiciary. Recently, on the occasion of its 40th anniversary, the Convention 108 issued detailed guidelines on the data protection of individuals. These guidelines are in relation to the automatic processing of digital images containing individuals' faces for identification or verification of those individuals by using face recognition technologies, including live facial recognition technologies (“Guidelines”) in order to prevent risks to the rights to privacy and protection of personal data and fundamental rights of the data subjects. The Guidelines primarily target the government and private entities, as well as facial recognition developers, manufacturers, service providers to ensure that such technologies do not adversely affect the human rights and fundamental freedoms of any person, including the right to protection of personal data.
In this article, we summarize important pointers for different stakeholders dealing with facial recognition.
Part 1 - Developers, manufacturers and service providers of facial recognition technologies (“Developers”)
Part 2 - Entities using facial recognition technologies (“Entities”)
Part 3 - Rights of Data Subjects
Part 1 – Stakeholders falling within the category of “Developer” need to follow the below:
1. Accuracy of Data
The Developers will have to take necessary steps to ensure that the data collected is accurate. This would mean that the Developers will have to avoid mislabeling by sufficiently testing their systems and identifying and eliminating disparities in accuracy and most significantly with regard to the demographic variations in skin color, age and gender to avoid unintended discrimination. From a technical standpoint, the technologies developed by the Developers should ensure both the quality of the data and the efficiency of the algorithms. Such algorithms will have to be developed using synthetic datasets based on sufficiently diverse photos of men and women, of different skin colours, different morphology, of all ages and from different camera angles. The Developers need to also ensure that they have adequate systems for back-up in case of system failure if the physical characteristics do not correspond to the technical standards.
2. Renewal of Data
The Developers need to date and record the recognition reliability to ensure that if at any point in time, a particular dataset reliability deteriorates, they will have to renew such images and ask the data subject for a more recent image. The Guidelines suggest that the highest possible level of reliability should be implemented, considering that the use of a facial recognition system might result in significant adverse consequences for the data subject.
3. Awareness
The Developers should undertake necessary awareness activities to enable the Entities (as defined below) using their technologies to apply transparency and respect for privacy and clearly indicate deployment of a facial recognition technology in their services.
4. Accountability
The Developers should incorporate key data protection principles while developing facial recognition technologies, such as, the design and architecture of the technology should include tools to automatically delete the raw data after extracting biometric templates, the technology should be flexible enough to adjust purpose limitation, data minimization and limitation of the duration of data storage, implementation of internal review process to identify and mitigate risks. The Developers should also undertake data protection approach into their own organization practices including assigning dedicated staff, providing privacy trainings to employees or conduct data protection impact assessments upon development of such technologies.
Part 2 – Stakeholders falling within the category of “Entities” need to follow the below:
1. Applicability
The term Entities will primarily cover all the data controllers and data processors in both private and public sectors, wherever applicable.
2. Purpose limitation
The Entities should be able to demonstrate that the use of facial recognition technologies developed by the Developers and used by them, is strictly necessary and proportionate in context of their use and that such use will not interfere with the rights of the data subjects.
3. Transparency and Fairness
The Entities will have to accord sufficient levels of transparency by informing the data subjects the context of the collection, third party sharing and usage of the data and whether the facial recognition technology is a mere feature of their offerings or instead forms and integral part of their products/services and the consequences of the aforesaid on the data subjects.
4. Privacy Policy
The privacy policies of such Entities in addition to the already existing requirements prescribed in Article 8 of Convention 108, should clearly specify the extent of facial recognition data and transmission of such data to third parties, the retention, deletion or de-identification of such data.
5. Safeguards
The data being processed by the Entities need to be collected for explicit, specified and legitimate purposes and ensure that they are complying with data minimization principle of data privacy. The datasets will have to be promptly deleted upon completion of the purpose. The Entities will have to carry out impact assessments before undertaking the processing activities. The Entities should implement the aforementioned principles into their designs. In addition to the legal obligations, the Entities should also endeavor to constitute an independent ethics advisory boards that could be consulted before or during deployments, to ensure an ethical framework is also maintained in relation to facial recognition technologies.
6. Storage limitations for live facial recognition technologies
The Entities should ensure that different storage limitation periods apply to the different phases of the processing, such as, if there is no match of the biometric templates, such templates passing through an uncontrolled environment cannot be retained and will have to be deleted automatically.
Part 3 - Rights of Data Subjects:
The data subjects will enjoy all the rights provided in Article 9 of the Convention 108. It is noteworthy that in case the facial recognition technology is intended to enable a decision to be taken based on automated processing which could significantly affect the data subject, the data subject should be entitled not to have such processing carried out without his/her opinions being taken into account.
In conclusion, the Guidelines provides a holistic approach for data management of facial recognition and biometric data. The Guidelines will help the legislators navigate the legal framework in relation to the growing and varied usage of facial recognition technologies, both in public and private sector, keeping in mind the best interest of all stakeholders.