The Article 29 Working Party (WP29) yesterday published an opinion on facial recognition in online and mobile services.  The WP29 states this technology requires “specific attention” as it presents “a range of data protection concerns”. 

The opinion focuses on facial recognition technology being used in three main contexts: identifying people in social networks; authenticating and verifying users to control access to services; and categorising individuals, e.g., in the gaming context to enhance the user experience, allow/deny access to age-related content, or to display in-game targeted advertising.

The opinion places a heavy emphasis on the need to obtain the informed consent of individuals prior to processing their data in connection with facial recognition technologies.  Perhaps of most interest to social networks and the public is the conclusion that facial recognition should not be used to automatically suggest names of people who are not registered users of social networks for the purpose of tagging them in photographs.

Key points from the opinion include:

  • Facial recognition is classified as a biometric.  The WP29 considers facial recognition to fall within the scope of biometrics as, in many cases, it contains sufficient detail to allow an individual to be uniquely identified.  As biometrics allow for automated tracking, tracing or profiling of persons, the WP29 states that the potential impact on the privacy and the right to data protection of individuals is high.
  • A digital image of an individual and a reference template created from an image of an individual are personal data and biometric data.  In some instances, such images and templates also should be considered to be sensitive personal data, e.g., where the images or templates are used to obtain ethnic origin, religion or health information. 
  • Because they process biometric data, facial recognition systems may be subject to additional controls or other legislation in individual Member States, such as prior authorisation or employment law.  The WP29 will soon be publishing another opinion on biometrics, in which it will explore using biometrics in an employment context.
  • The need to obtain informed consent.  To process this data legitimately, i.e., under Article 7 of Directive 95/46/EC, data controllers who use facial recognition (such as website owners, online service providers and mobile application operators) require the informed consent of the individual prior to commencing the processing. 
  • In the context of social networks, the WP29 recommends that before a registered user uploads an image the user must first be clearly informed that the image will be subject to a facial recognition system, and be given a further option to consent to their reference template being enrolled into the identification database.  The WP29 concludes that non-registered users and registered users who have not consented to the processing “will therefore not have their name automatically suggested for a tag because images in which they appear will produce a ‘no-match’ result”.
  • Search engines also need to obtain prior informed consent to use photographs in certain circumstances.  The WP29 recommends that search engine providers who access publicly available photos and use facial recognition technologies to enhance their search feature (e.g., by allowing users to provide an image of an individual and return results of close matches) must obtain consent from the data subjects to be enrolled into such a facial recognition system.
  • For games consoles that use a gesture control system and process this data in conjunction with facial recognition systems in order to predict the likely age, gender and mood of the game players, the WP29 again recommends that the informed consent of users is required.  Importantly, the WP29 also recommends that such functionality should be switched off by default.  Also, if this technology is used over time or across games, data controllers must provide regular reminders that the system is operating.
  • In terms of the mechanics of obtaining consent, the WP29 states that consent cannot be derived from the user’s general acceptance of the overall terms and conditions of the underlying service unless the primary aim of the service is expected to involve facial recognition.  Instead, users should be explicitly provided with the opportunity to provide their consent for this feature either during registration or at a later date, depending on when the feature is introduced.  Further, for consent to be valid, it’s necessary to furnish users with adequate information about the data processing.
  • In the context of authentication, consent to using a facial recognition system to control access to an online or mobile service or device can be obtained in the enrolment process.  Importantly, however, the WP29 states that in order for the consent to be valid, “an alternative, and equally secure, access control system must be in place (such as a strong password)”, and this “alternative privacy friendly option should be the default”.