The Article 29 Working Party (WP29) yesterday published an opinion on facial recognition in online and mobile services.  The WP29 states this technology requires “specific attention” as it presents “a range of data protection concerns”. 

The opinion focuses on facial technology being used in three main contexts: identifying people in social networks; authenticating and verifying users to control access to services; and categorising individuals, e.g., in the gaming context to enhance the user experience, allow/deny access to age-related content, or to display in-game targeted advertising. 

The opinion places a heavy emphasis on the need to obtain the informed consent of individuals prior to processing their data in connection with facial recognition technologies.  Perhaps of most interest to social networks and the public, is the conclusion that facial recognition should not be used to automatically suggest names of people who are not registered users of social networks for the purpose of tagging them in photographs.

Key points from the opinion include:

  • Facial recognition is classified as a biometric.  The WP29 considers facial recognition to fall within the scope of biometrics as, in many cases, it contains sufficient detail to allow an individual to be uniquely identified.  As biometrics allow for automated tracking, tracing or profiling of persons, the WP29 states that the potential impact on the privacy and the right to data protection of individuals is high.
  • A digital image of an individual and a reference template created from an image of an individual are personal data and biometric data.  In some instances, such images and templates also should be considered to be sensitive personal data, e.g., where the images or templates are used to obtain ethnic origin, religion or health information. 
  • As biometric data, facial recognition systems may be subject to additional controls or other legislation in individuals Member States, such as prior authorisation or employment law.  The WP29 will soon be publishing another opinion on biometrics, in which it will explore using biometrics in an employment context.
  • The need to obtain informed consent.  To process this data legitimately, i.e., under Article 7 of Directive 95/46/EC, data controllers who use facial recognition (such as website owners, online service providers and mobile application operators) require the informed consent of the individual prior to commencing the processing. 
  • In the context of social networks, the WP29 recommends that before a registered user uploads an image the user must first be clearly informed that the image will be subject to a facial recognition system, and be given a further option to consent to their reference template being enrolled into the identification database.  The WP29 conclude that non-registered users and registered users who have not consented to the processing “will therefore not have their name automatically suggested for a tag because images in which they appear will produce a ‘no-match’ result”.   
  • Search engines also need to obtain prior informed consent to use photographs in certain circumstances.  The WP29 recommends that search engine providers who access publically available photos and use facial recognition technologies to enhance their search feature (e.g., by allowing users to provide an image of an individual and return results of close matches), must obtain consent from the data subjects to be enrolled into such a facial recognition system.
  • For games consoles that use a gesture control system and process this data in conjunction with facial recognition systems in order to predict the likely age, gender and mood of the game players, the WP29 again recommends that the informed consent of users is required.  Importantly, the WP29 also recommends that such functionality should be switched off by default.  Also, if this technology is used over time or across games, data controllers must provide regular reminders that the system is operating.
  • In terms of the mechanics of obtaining consent, the WP29 states that consent cannot be derived from the general user’s acceptance of the overall terms and conditions of the underlying service unless the primary aim of the service is expected to involve facial recognition.  Instead, users should be explicitly provided with the opportunity to provide their consent for this feature either during registration or at a later date, depending on when the feature is introduced.  Further, for consent to be valid, it’s necessary to furnish users with adequate information about the data processing.
  • In the context of authentication, consent to using facial recognition system to control access to an online or mobile service or device can be obtained in the enrolment process.  Importantly, however, the WP29 states that in order for the consent to be valid, “an alternative, and equally secure, access control system must be in place (such as a strong password)”, and this “alternative privacy friendly option should be the default”.   
Photo of Mark Young Mark Young

Mark Young advises clients on data protection, cybersecurity and other tech regulatory matters. He has particular expertise in product counselling, GDPR regulatory investigations, and legislative advocacy. Mr. Young leads on EU cybersecurity regulatory matters, and helps to oversee our internet enforcement team.


Mark Young advises clients on data protection, cybersecurity and other tech regulatory matters. He has particular expertise in product counselling, GDPR regulatory investigations, and legislative advocacy. Mr. Young leads on EU cybersecurity regulatory matters, and helps to oversee our internet enforcement team.

He has been recognized in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field.” Recent editions note that he is “deeply knowledgeable in the area of privacy and data protection,” “fast, thorough and responsive,” and has “great insight into the regulators.”

Mr. Young has over 15 years of experience advising global companies, particularly in the technology, health and pharmaceutical sectors, on all aspects of data protection and security. This includes providing practical guidance on analyzing and using personal data, transferring personal data across borders, and potential liability exposure. He specializes in advising in relation to new products and services, and providing strategic advice and advocacy on a range of EU law reform issues and references to the EU Court of Justice.

For cybersecurity matters, he counsels clients on practices to protect business-critical information and comply with national and sector-specific regulation, and on preparing for and responding to cyber-based attacks and internal threats to their networks and information. He has helped a range of organizations respond to cyber and data security incidents – including external data breaches and insider theft of trade secrets – through the stages of initial detection, containment, notification, recovery and remediation.

In the IP enforcement space, Mr. Young represents right owners in the sport, media, publishing, fashion and luxury goods industries, and helps coordinate a team of internet investigators that has nearly two decades of experience conducting global notice and takedown programs to combat internet piracy.