The Article 29 Working Party (WP29) yesterday published an opinion on facial recognition in online and mobile services.  The WP29 states this technology requires “specific attention” as it presents “a range of data protection concerns”. 

The opinion focuses on facial technology being used in three main contexts: identifying people in social networks; authenticating and verifying users to control access to services; and categorising individuals, e.g., in the gaming context to enhance the user experience, allow/deny access to age-related content, or to display in-game targeted advertising. 

The opinion places a heavy emphasis on the need to obtain the informed consent of individuals prior to processing their data in connection with facial recognition technologies.  Perhaps of most interest to social networks and the public, is the conclusion that facial recognition should not be used to automatically suggest names of people who are not registered users of social networks for the purpose of tagging them in photographs.

Key points from the opinion include:

  • Facial recognition is classified as a biometric.  The WP29 considers facial recognition to fall within the scope of biometrics as, in many cases, it contains sufficient detail to allow an individual to be uniquely identified.  As biometrics allow for automated tracking, tracing or profiling of persons, the WP29 states that the potential impact on the privacy and the right to data protection of individuals is high.
  • A digital image of an individual and a reference template created from an image of an individual are personal data and biometric data.  In some instances, such images and templates also should be considered to be sensitive personal data, e.g., where the images or templates are used to obtain ethnic origin, religion or health information. 
  • As biometric data, facial recognition systems may be subject to additional controls or other legislation in individuals Member States, such as prior authorisation or employment law.  The WP29 will soon be publishing another opinion on biometrics, in which it will explore using biometrics in an employment context.
  • The need to obtain informed consent.  To process this data legitimately, i.e., under Article 7 of Directive 95/46/EC, data controllers who use facial recognition (such as website owners, online service providers and mobile application operators) require the informed consent of the individual prior to commencing the processing. 
  • In the context of social networks, the WP29 recommends that before a registered user uploads an image the user must first be clearly informed that the image will be subject to a facial recognition system, and be given a further option to consent to their reference template being enrolled into the identification database.  The WP29 conclude that non-registered users and registered users who have not consented to the processing “will therefore not have their name automatically suggested for a tag because images in which they appear will produce a ‘no-match’ result”.   
  • Search engines also need to obtain prior informed consent to use photographs in certain circumstances.  The WP29 recommends that search engine providers who access publically available photos and use facial recognition technologies to enhance their search feature (e.g., by allowing users to provide an image of an individual and return results of close matches), must obtain consent from the data subjects to be enrolled into such a facial recognition system.
  • For games consoles that use a gesture control system and process this data in conjunction with facial recognition systems in order to predict the likely age, gender and mood of the game players, the WP29 again recommends that the informed consent of users is required.  Importantly, the WP29 also recommends that such functionality should be switched off by default.  Also, if this technology is used over time or across games, data controllers must provide regular reminders that the system is operating.
  • In terms of the mechanics of obtaining consent, the WP29 states that consent cannot be derived from the general user’s acceptance of the overall terms and conditions of the underlying service unless the primary aim of the service is expected to involve facial recognition.  Instead, users should be explicitly provided with the opportunity to provide their consent for this feature either during registration or at a later date, depending on when the feature is introduced.  Further, for consent to be valid, it’s necessary to furnish users with adequate information about the data processing.
  • In the context of authentication, consent to using facial recognition system to control access to an online or mobile service or device can be obtained in the enrolment process.  Importantly, however, the WP29 states that in order for the consent to be valid, “an alternative, and equally secure, access control system must be in place (such as a strong password)”, and this “alternative privacy friendly option should be the default”.   
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Mark Young Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to…

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
    Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    clinical trials and pharmacovigilance;

    • digital health products and services; and
    • marketing programs.
    • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
      preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.