On October 9, 2020, the French Supervisory Authority (“CNIL”) issued guidance on the use of facial recognition technology for identity checks at airports (available here, in French).  The CNIL indicates that it has issued this guidance in response to a request from several operators and service providers of airports in France who are planning to deploy this technology on an experimental basis.  In this blog post, we summarize the main principles that the CNIL says airports should observe when deploying biometric technology.

  1. Ensure that the facial recognition technology complies with the General Data Protection Regulation (“GDPR”) principles of necessity and proportionality.  The guidance indicates that airports should take into account the purposes for which the technology will be deployed, the data that will be collected and the impact on the rights and freedoms of the individuals.  The guidance specifically mentions that, in some cases, the use of facial recognition technology to avoid the formation of queues appears proportionate for security reasons.
  2. Obtain prior valid consent.  The guidance indicates that consent should be the legal basis for the processing, and thus should meet the requirements for consent under the GDPR – i.e., be freely given, specific and informed.  In this regard, the CNIL adds:
    • airports should provide an alternative to individuals who do not consent to the use of facial recognition technology;
    • airports should also allow individuals to withdraw their consent;
    • consent should not be tied to or mixed with the acceptance of the terms and conditions of a ticket;
    • individuals should receive enhanced information about the use of facial recognition technology and its alternative(s); and
    • facial recognition technology should be used only on individuals who have provided their prior consent (for example, it should blur the picture of other individuals in the background and indicate the control zones).
  3. Ensure that biometric data is stored securely and is under the individual’s control.  The CNIL’s guidance states that personal data collected through facial recognition should only be kept in one of two ways.  The first option is to store the data on a storage medium over which the passenger has control and which he or she can exclusively use (for example, on a secure mobile application, or on a badge or card).  Alternatively, the data can be stored in a database in encrypted form, making it unusable without the decryption key held by the individual.  At each stage of the journey (for example, luggage drop-off, passing security gates, boarding), individuals should be given the choice whether or not to use the technology.
  4. Conduct a data protection impact assessment (“DPIA”).  According to the guidance, parties deploying facial recognition technology should conduct a DPIA, which should clearly indicate whether the technology is deployed on the basis of the laws transposing the Law Enforcement Directive (Directive 2016/680) and/or if it is implemented on behalf of the State acting under its powers as a public authority.

The CNIL’s guidance mentions that, according to a study by SITA (Société Internationale de Télécommunications Aéronautiques) published in 2018, more than half of the participating airports were considering deploying facial recognition at their airports.  As the use of this technology in airports becomes more popular, we can expect more guidance from the supervisory authorities on this topic.  For example, in July 2020, the UK Information Commissioner’s Office assessed the use of facial recognition technology at Heathrow Airport (see here).

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.