The Article 29 Working Party (WP29) yesterday published an opinion on facial recognition in online and mobile services.  The WP29 states this technology requires “specific attention” as it presents “a range of data protection concerns”. 

The opinion focuses on facial technology being used in three main contexts: identifying people in social networks; authenticating and verifying users to control access to services; and categorising individuals, e.g., in the gaming context to enhance the user experience, allow/deny access to age-related content, or to display in-game targeted advertising. 

The opinion places a heavy emphasis on the need to obtain the informed consent of individuals prior to processing their data in connection with facial recognition technologies.  Perhaps of most interest to social networks and the public is the conclusion that facial recognition should not be used to automatically suggest names of people who are not registered users of social networks for the purpose of tagging them in photographs.

Key points from the opinion include:

  • Facial recognition is classified as a biometric.  The WP29 considers facial recognition to fall within the scope of biometrics as, in many cases, it contains sufficient detail to allow an individual to be uniquely identified.  As biometrics allow for automated tracking, tracing or profiling of persons, the WP29 states that the potential impact on the privacy and the right to data protection of individuals is high.
  • A digital image of an individual and a reference template created from an image of an individual are personal data and biometric data.  In some instances, such images and templates also should be considered to be sensitive personal data, e.g., where the images or templates are used to obtain ethnic origin, religion or health information. 
  • As biometric data, facial recognition systems may be subject to additional controls or other legislation in individual Member States, such as prior authorisation or employment law.  The WP29 will soon be publishing another opinion on biometrics, in which it will explore the use of biometrics in an employment context.
  • The need to obtain informed consent.  To process this data legitimately, i.e., under Article 7 of Directive 95/46/EC, data controllers who use facial recognition (such as website owners, online service providers and mobile application operators) require the informed consent of the individual prior to commencing the processing. 
  • In the context of social networks, the WP29 recommends that before a registered user uploads an image, the user must first be clearly informed that the image will be subject to a facial recognition system, and be given a further option to consent to their reference template being enrolled into the identification database.  The WP29 concludes that non-registered users and registered users who have not consented to the processing “will therefore not have their name automatically suggested for a tag because images in which they appear will produce a ‘no-match’ result”.
  • Search engines also need to obtain prior informed consent to use photographs in certain circumstances.  The WP29 recommends that search engine providers who access publicly available photos and use facial recognition technologies to enhance their search feature (e.g., by allowing users to provide an image of an individual and returning results of close matches) must obtain consent from the data subjects before enrolling them into such a facial recognition system.
  • For games consoles that use a gesture control system and process this data in conjunction with facial recognition systems in order to predict the likely age, gender and mood of the game players, the WP29 again recommends that the informed consent of users is required.  Importantly, the WP29 also recommends that such functionality should be switched off by default.  Also, if this technology is used over time or across games, data controllers must provide regular reminders that the system is operating.
  • In terms of the mechanics of obtaining consent, the WP29 states that consent cannot be derived from a user’s general acceptance of the overall terms and conditions of the underlying service unless the primary aim of the service is expected to involve facial recognition.  Instead, users should be explicitly given the opportunity to consent to this feature either during registration or at a later date, depending on when the feature is introduced.  Further, for consent to be valid, users must be furnished with adequate information about the data processing.
  • In the context of authentication, consent to using a facial recognition system to control access to an online or mobile service or device can be obtained in the enrolment process.  Importantly, however, the WP29 states that in order for the consent to be valid, “an alternative, and equally secure, access control system must be in place (such as a strong password)”, and this “alternative privacy friendly option should be the default”.
Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.