Privacy & Cybersecurity Law Blog

On September 6, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the European Data Protection Board (the “EDPB”) on its draft guidelines on processing of personal data through video devices (the “Guidelines”). The Guidelines were adopted on July 10, 2019, for public consultation.

In its response, CIPL provided comments both on the processing of personal data through video devices generally, as well as on aspects of the guidelines that relate specifically to facial recognition technology.

CIPL believes the guidelines are overly restrictive in some respects and do not account for certain legitimate uses of video devices and facial recognition. CIPL recommends several changes or clarifications the EDPB should incorporate in its final Guidelines throughout its comments.

With respect to facial recognition technology, CIPL’s comments note, in particular, that:

• Article 9 of the GDPR should be applicable only when the technology is actually used for the specific purpose of uniquely identifying an individual;
• The possible applicable legal bases should not be limited to consent of the individual depending on the circumstances;
• There is a need to differentiate facial recognition from facial characterization and cases of unique persistent identifiers;
• The guidelines should not include a blanket prohibition on making access to services conditional on biometric processing or a requirement that the controller must offer an alternative solution that does not involve biometric processing. The test that must be passed is whether the processing is proportionate or whether a legal obligation to conduct the processing exists.

To read about these recommendations in detail, along with all of CIPL’s other recommendations on the draft guidelines, please view the full response.