Privacy & Information Security Law Blog

On March 22, 2012, the Article 29 Working Party (the “Working Party”), adopted an Opinion analyzing the privacy and data protection law framework applicable to the use of facial recognition technology in online and mobile services, such as social networks and smartphones. The Working Party defines facial recognition as the “automatic processing of digital images which contain the faces of individuals for the purpose of identification, authentication/verification or categorization of those individuals.”

According to the Working Party, a digital image constitutes personal data if it “contains an individual’s face which is clearly visible and allows for that individual to be identified.” The Working Party further stated that facial recognition reference templates that are stored for comparison purposes in identification and authentication/verification systems constitute personal data, and digital images that are further processed to determine ethnic origin, religion or health information constitute sensitive data.

Below are some of the Working Party’s key conclusions regarding the legal basis of the processing for the purpose of facial recognition, as mentioned on pages 5-8 of the Opinion:

• Digital images are considered biometric data and therefore data controllers that engage in facial recognition must obtain prior informed consent of the individuals (e.g., through the registration or enrollment process) for this type of processing or ensure that consent has already been provided if they obtain the images from third parties.
• A data controller may rely on his legitimate interest in complying with data protection rules to perform initial processing (e.g., image acquisition, face detection, comparison) without consent for purposes of determining whether a user has provided consent.
• When facial recognition is used for authentication/verification purposes, an alternative, and equally secure, access control system (such as a password) must be in place.
• If the data controller requests consent for longer-term processing, the controller must provide regular reminders to users that the system is operating and can be switched off.

On pages 8-10 of the Opinion, the Working Party provides the following best practice recommendations on how to address specific risks related to the facial recognition technology:

• Data controllers should implement appropriate security measures to: (1) reduce the risk that digital images are further processed by third parties for purposes not covered by the consent provided; (2) allow users to control the visibility of images that they have uploaded; and (3) secure the data transit (occurring between the acquisition of the image and the remaining processing stages) and the template stored in the controllers’ systems for use in a later comparison by using appropriate encryption means.
• Data controllers can process digital images of non-registered users only if they have a legitimate interest. For example, a data controller may conduct a preliminary identification to prevent images of non-users from further processing.
• Data controllers should provide users with appropriate mechanisms to exercise their access rights with respect to both the original images and the templates generated in the context of facial recognition. 

Finally, the Working Party emphasizes that users should be given the opportunity to withdraw their consent, at which point processing for the purposes of facial recognition should cease immediately.

View a copy of the Opinion.