Putting the Brakes on Swift and Sweeping Adoption of Facial Recognition Technologies

By: Nicole Kardell

When it is not clear which way to go, don’t. This is the upshot of an article by Wojciech Wiewiorowski: Facial recognition: A solution in search of a problem? Wiewiorowski is the Assistant Supervisor at the European Data Protection Supervisor (the E.U.’s independent data protection authority), which published his article on their site in late October. The post came out in the midst of a flurry of news stories about biometric data—in particular the deployment of facial recognition technologies. But his cautionary tale was one that framed the other news.

Opinions are all over the map (literally and figuratively) about the proper use of biometric data by companies and governments.  From the U.S. to Europe to China, there are those who are pressing forward to use facial recognition to assist with law enforcement, to secure access to schools and parks, and to facilitate transactions. And there are those who are challenging its use or calling for careful, as opposed to rapid, adoption. To make things more disorienting, some conflicting developments issue from the same authorities or jurisdictions. Here is a rundown of relevant headlines in the last two weeks alone:

• October 28, 2019: NewEurope reported that Sweden’s Data Protection Authority approved the use of facial recognition technology by the police to help identify criminal suspects. This is after the same DPA recently fined a school for using facial recognition technology to track student attendance.
• October 29, 2019: The French Data Protection Authority, Commission Nationale de l’Informatique et des Libertés (CNIL) ordered high schools in Nice and Marseilles to end facial recognition programs used to secure school entries, noting the schools’ desired ends could be achieved through less intrusive means. This followed an announcement by the French interior ministry this summer of plans to launch a smartphone-based biometric passport app.
• October 31, 2019: The K. Information Commission’s Office (ICO) issued an opinion on the use of facial recognition technology in public places and by law enforcement, providing guidance to law enforcement on—and reminding law enforcement of—the applicability of data protection laws. This followed a September ruling by the Cardiff high court in Wales that it was lawful for police to use facial recognition technology to search for people in crowds.
• October 31, 2019: The ACLU filed a lawsuit in federal court against the US Justice Department, the Federal Bureau of Investigation (FBI), and the Drug Enforcement Administration (DEA) for documents related to their use of surveillance technology, citing concerns over the mass collection of biometric data by government officials “to pervasively identify, track, and monitor us.”
• November 4, 2019: The WSJ reported that a law professor in China filed a lawsuit against a wildlife park and zoo over its new policy to require facial registration for park entry.

What can we make of all these developments? A lot is happening in the world of biometric data collection and processing. Those at the fore are making decisions with a wide-spread impact (including for you and me). And they are making those decisions before the implications are fully understood or vetted. As Wiewiorowski aptly pointed out: “There is no consensus in society about the ethics of facial recognition, and doubts are growing as to its compliance with the law as well as its ethical sustainability over the long term.”

The challenges faced by pro-democracy protestors in Hong Kong bring concerns over use of biometric data to a head, so to speak… Worried about authorities tracking protest leaders online and targeting people to arrest, protestors began to cover their faces. As noted in a New York Times article in July, “Hong Kong is at the bleeding edge of a significant change in the authorities’ ability to track dangerous criminals and legitimate political protesters alike — and in their targets’ ability to fight back.” Hastening challenges to civil liberties in Hong Kong, the city outlawed face masks during protests, with violations punishable by up to a year in prison. The city’s move has only spurred on protestors who are all too familiar with how Mainland China uses “one of the world’s most invasive surveillance systems” to exercise its authority over its people.

For those pushing for the commercial adoption of facial recognition technology, and other technologies that capture biometric data, they should heed the warnings of the European Data Protection Supervisor. There is an important balance to strike in the use of biometric data, factoring the risks as much as the attendant benefits. Excess use by authorities, as highlighted by our Far East friends, is only one risk (even if the most significant). The risk of data breach, the possibility of enforcement action by regulators and lawsuits by private interests, and the costs to brand and reputation are a few others. It is also likely that the E.U. or E.U. member states will be instituting measures to address sound and safe use of biometric data. That is the call of Wiewiorowski in his article. Companies should consider carefully how to use biometric data and to ensure they have stringent policies in place to protect that data and to limit possible misuse. It’s a brave new world. And businesses cannot simply look at the bottom line or projected revenues. For long-term sustainability, business decisions that incorporate use of biometric data need to factor ethical considerations.