Written by Haim Ravia and Dotan Hammer
The European Data Protection Board (EDPB) published for public comments draft guidelines on the use of facial recognition technology (FTR) by law enforcement authorities. According to the EDPB’s draft guidelines, an increasing number of law enforcement authorities use or intend to use FRT for various purposes, including searching for individuals on police watch lists or monitoring individuals’ movements in public areas. While FRT enables effective data processing on a large scale, it also elevates the risk of discrimination and false results.
The draft guidelines are directed to both EU and national lawmakers. They call for the enactment of national legislation on the use of FRT by law enforcement authorities, which will particularize the objectives of biometric data processing for FRT, the personal data to be processed, and the purposes of the processing. Such legislative measures must be appropriate and tailored to the legitimate objectives of processing, and must not exceed the limits of what is necessary to achieve those objectives. In addition, such legislation should only allow the processing of biometric data by law enforcement for specific objectives and should prohibit processing for general-purpose objectives such as “law enforcement”.
The draft guidelines further clarify that law enforcement authorities may not interpret the behavior of data subjects as constituting consent to processing their biometric data. For example, the fact that a data subject publicly published their picture (e.g., on social media), is not sufficient to allow law enforcement to process it into biometric templates and use it for identification purposes without the data subject’s express and freely given consent.
In addition, the draft guidelines require law enforcement agencies to conduct a Data Protection Impact Assessment (DPIA) before using FRT, and to publish the results of the DPIA, or at least its key findings and conclusions. Due to the unique nature of biometric data and its intrinsic high risk to the rights and freedoms of data subjects, the draft guidelines also require authorities to consult national supervisory authorities before such processing and implement appropriate data security measures, especially when using third-party service providers.
Moreover, the draft guidelines adopt the EDPB’s and the European Data Protection Supervisor’s recommendation to completely ban the processing of biometric data in any of following use-cases:
- In publicly accessible spaces.
- For the classification of individuals according to ethnicity, gender, or political or sexual orientation.
- To infer the emotions of a natural person.
- While relying on a database compiled through the collection of personal data on an indiscriminate and mass-scale (e.g., by scraping pictures accessible online).
CLICK HERE to read the EDPB’s draft guidelines on the use of facial recognition technology in the area of law enforcement.