On October 9, 2020, the French Supervisory Authority (“CNIL”) issued guidance on the use of facial recognition technology for identity checks at airports (available here, in French).  The CNIL indicates that it has issued this guidance in response to a request from several operators and service providers of airports in France who are planning to deploy this technology on an experimental basis.  In this blog post, we summarize the main principles that the CNIL says airports should observe when deploying biometric technology.

  1. Ensure that the facial recognition technology complies with the General Data Protection Regulation (“GDPR”) principles of necessity and proportionality.  The guidance indicates that airports should take into account the purposes for which the technology will be deployed, the data that will be collected and the impact on the rights and freedoms of the individuals.  The guidance specifically mentions that, in some cases, the use of facial recognition technology to avoid the formation of queues appears proportionate for security reasons.
  2. Obtain prior valid consent.  The guidance indicates that consent should be the legal basis for the processing, and thus should meet the requirements for consent under the GDPR – i.e., be freely given, specific and informed.  In this regard, the CNIL adds:
    • airports should provide an alternative to individuals who do not consent to the use of facial recognition technology;
    • airports should also allow individuals to withdraw their consent;
    • consent should not be tied to or mixed with the acceptance of the terms and conditions of a ticket;
    • individuals should receive enhanced information about the use of facial recognition technology and its alternative(s); and
    • facial recognition technology should be used only on individuals who have provided their prior consent (for example, it should blur the picture of other individuals in the background and indicate the control zones).
  3. Ensure that biometric data is stored securely and is under the individual’s control.  The CNIL’s guidance states that personal data collected through facial recognition should only be kept in one of two ways.  The first option is to store the data on a storage medium over which the passenger has control and which he or she can exclusively use (for example, on a secure mobile application, or on a badge or card).  Alternatively, the data can be stored in a database in encrypted form, making it unusable without the decryption key held by the individual.  At each stage of the journey (for example, luggage drop-off, passing security gates, boarding), individuals should be given the choice whether or not to use the technology.
  4. Conduct a data protection impact assessment (“DPIA”).  According to the guidance, parties deploying facial recognition technology should conduct a DPIA, which should clearly indicate whether the technology is deployed on the basis of the laws transposing the Law Enforcement Directive (Directive 2016/680) and/or if it is implemented on behalf of the State acting under its powers as a public authority.

The CNIL’s guidance mentions that, according to a study by SITA (Société Internationale de Télécommunications Aéronautiques) published in 2018, more than half of the participating airports were considering deploying facial recognition at their airports.  As the use of this technology in airports becomes more popular, we can expect more guidance from the supervisory authorities on this topic.  For example, in July 2020, the UK Information Commissioner’s Office assessed the use of facial recognition technology at Heathrow Airport (see here).

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Anna Sophia Oberschelp de Meneses

I assist companies in navigating EU laws on technology, with a focus on data protection, cybersecurity, and consumer protection. My goal is to make complex regulations, such as the GDPR, AI Act, Unfair Commercial Practices Directive, and Digital Services Act, more accessible and relevant to everyday business operations.

Regarding data protection and privacy, I guide businesses on GDPR, ePrivacy Directive, and EU marketing laws, covering topics like international data transfers and privacy-focused marketing. Regarding cybersecurity, I help with risk assessments, incident response planning, and staying informed about regulations such as NIS2 and the Cyber Resilience Act. Regarding consumer protection, I assist companies in ensuring their terms are enforceable, their online platforms clearly provide required information, and their practices comply with rules against banned commercial activities.

Fluent in several languages and experienced in international contexts, I am committed to integrating compliance smoothly into business operations, enabling companies to succeed in the dynamic digital environment.