Facial Recognition Concerns and GDPR
Author: Clarip Director of Sales
If you are like me, the daily requirements of your job are enough to keep you busy every day without any additional headaches. Long-term projects often get pushed to the “back burner” because they are, by definition, long-term. So it was with most of the clients I encountered as it related to the General Data Protection Regulation (GDPR). “That requirement is months away, and I have enough on my plate” was a common refrain I heard in the summer and fall of 2017. However, all it takes is a quick look at the calendar to realize that it is officially 2018, and that means that there is no time to waste! May 2018 will be upon us in NO TIME!
One of the topics that is taking on new relevance, though clearly still in its infancy, is the relationship between biometric data – e.g. facial recognition software – and the expectations of the law. In the United States, there is not a single federal law which stipulates how such data can be used and/or monetized. As such, most CPOs, CIOs and General Counsels I encounter rarely give such data a “second thought.” However, GDPR is different!
GDPR for European Member States does address biometric data and represents a major step forward for data protection and privacy. According to the standards established in the E.U., biometric data are “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data.”
In addition, biometric data is considered especially sensitive because “it may not be possible (barring drastic measures) to change one’s biometric properties. Whereas passwords can easily be changed in the event of a breach, faces and fingerprints can’t.” Further, as The Economist noted in a recent edition, “the ability to record, store and analyze images of faces cheaply, quickly and on a vast scale promises one day to bring about fundamental changes to notions of privacy, fairness and trust.” Hence, biometric data presents unique challenges for these CIOs, CPOs, and GCs because as facial recognition software (video surveillance, etc.) becomes ever more omnipresent, so too do the privacy expectations therein.
Biometric data is a burgeoning industry that offers tremendous growth potential, both in terms of security as well as sales/marketing. Though the United States has not yet embraced the privacy expectations of our European counterparts, GDPR is likely to change the paradigm. The legal “Pandora’s box” is about to explode and it is important that your legal team and you craft coherent, thorough, and honest privacy and disclosure notices (including a layered privacy policy with an appropriate just-in-time notice). As my father used to say, it is always better to be prepared and not need something than need something and not have it. Such is the case with facial recognition software – as yet, we don’t know where it will lead us in terms of security and privacy, but we do know we should prepare!