On October 9, 2020, the French Supervisory Authority (“CNIL”) issued guidance on the use of facial recognition technology for identity checks at airports (available here, in French). The CNIL indicates that it has issued this guidance in response to a request from several operators and service providers of airports in France who are planning to deploy this technology on an experimental basis. In this blog post, we summarize the main principles that the CNIL says airports should observe when deploying biometric technology.
- Ensure that the facial recognition technology complies with the General Data Protection Regulation (“GDPR”) principles of necessity and proportionality. The guidance indicates that airports should take into account the purposes for which the technology will be deployed, the data that will be collected and the impact on the rights and freedoms of the individuals. The guidance specifically mentions that, in some cases, the use of facial recognition technology to avoid the formation of queues appears proportionate for security reasons.
- Obtain prior valid consent. The guidance indicates that consent should be the legal basis for the processing, and thus should meet the requirements for consent under the GDPR – e., be freely given, specific and informed. In this regard, the CNIL adds:
- airports should provide an alternative to individuals who do not consent to the use of facial recognition technology;
- airports should also allow individuals to withdraw their consent;
- consent should not be tied to or mixed with the acceptance of the terms and conditions of a ticket;
- individuals should receive enhanced information about the use of facial recognition technology and its alternative(s); and
- facial recognition technology should be used only on individuals who have provided their prior consent (for example, it should blur the picture of other individuals in the background and indicate the control zones).
- Ensure that biometric data is stored securely and is under the individual’s control. The CNIL’s guidance states that personal data collected through facial recognition should only be kept in one of two ways. The first option is to store the data on a storage medium over which the passenger has control and which he or she can exclusively use (for example, on a secure mobile application, or on a badge or card). Alternatively, the data can be stored in a database in encrypted form, making it unusable without the decryption key held by the individual. At each stage of the journey (for example, luggage drop-off, passing security gates, boarding), individuals should be given the choice whether or not to use the technology.
- Conduct a data protection impact assessment (“DPIA”). According to the guidance, parties deploying facial recognition technology should conduct a DPIA, which should clearly indicate whether the technology is deployed on the basis of the laws transposing the Law Enforcement Directive (Directive 2016/680) and/or if it is implemented on behalf of the State acting under its powers as a public authority.
The CNIL’s guidance mentions that, according to a study of the SITA (Société Internationale de Télécommunications Aéronautiques) published by in 2018, more than half of the participating airports were considering deploying facial recognition at their airports. As the use of this technology in airports becomes more popular, we can expect more guidance from the supervisory authorities on this topic. For example, in July 2020, the UK Information Commissioner’s Office assessed the use of facial recognition technology at Heathrow Airport (see here).