A quick look at biometric data in facial recognition software

September 21, 2024
It is not only in Europe that regulators are strict about the use of biometric data in facial recognition software. Recently, the state of Texas in the US secured the largest settlement to date ($1.4 billion): Meta had deployed facial recognition software that unlawfully captured and used biometric data of more than a million Texas citizens. In this blog, we briefly discuss what is meant by biometric data under the General Data Protection Regulation (GDPR); then, for just a moment, you may take off your GDPR glasses to look at biometric identification data under Texas law. Naturally, we conclude with a practical tip for organizations and for you as a privacy professional.

What is biometric data[1] (GDPR)?

Biometric data falls under the special categories of personal data. It is important not to confuse this with what is scientifically understood as biometric data[2]. How do you assess whether personal data also qualifies as biometric data[3]? You can assess this based on three important points[4]: An important thing to remember is that biometric data is included in the list of processing operations that require a Data Protection Impact Assessment (DPIA). Curious to learn more about a DPIA? Read more about when you need to conduct a DPIA here.

Guidance on the use of facial recognition

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, hereinafter: AP) takes the position that cameras with facial recognition are in general prohibited. The AP's website explains when the use of facial recognition is allowed and what rules apply. At the beginning of May, the AP published guidance that answers frequently asked legal questions about the use of facial recognition. The question that remains relevant is when processing personal data via facial recognition is a purely personal or household activity, especially with doorbell cameras with facial recognition that are intentionally or unintentionally aimed at public roads. Many individuals use these cameras, and a growing group experiences discomfort as a result.[5] Some municipalities[6] have therefore decided to inform their residents of the privacy rules regarding the use of cameras and doorbell cameras. If public spaces are filmed, there is a gray area. In principle, you should assume it is not a purely personal or household activity, and the GDPR must be considered.

Texas law CUBI and use of biometric identifiers

Back to the billion-dollar settlement and the unlawful processing of biometric identification data. It is important to know that you will need to remove your GDPR glasses for this case. In the US there is no single general privacy law; the rules can differ from state to state. The legal definitions of personal data or personal information in US statutes include several distinct elements. These elements potentially influence the scope of what is meant by personal data[7]. This includes how the laws in different states define "data subjects," what constitutes data processing, and which entities are obliged to respect the rights of data subjects.

The relevant Texas law is the "Capture or Use of Biometric Identifier" act (CUBI). CUBI prohibits a person from capturing an individual's biometric identifiers (retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry) for a commercial purpose unless that person informs the individual and obtains the individual's consent prior to the capture. With certain exceptions, CUBI also restricts the sale, lease, or disclosure of biometric identifiers and requires that a captured biometric identifier be destroyed within a reasonable timeframe.

According to the Texas Attorney General, Meta deployed a new "Tag Suggestions" feature to improve the user experience by making it easier for users to tag photos with the names of the people in them. For more than a decade, Meta ran facial recognition software on virtually every face in the photos uploaded to Facebook. Meta automatically enabled this feature without explaining how it worked and without asking permission from the residents of Texas. Under CUBI, this is unlawful in Texas, so the Attorney General of Texas initiated a lawsuit against Meta, after which Meta settled.

How did this turn out in Europe? Interestingly, in 2018 Meta (Facebook) communicated its compliance with GDPR requirements by requesting permission for "Tag Suggestions" from its users. Then, three years later, Meta announced that it would completely end the use of facial recognition (worldwide).[8] Although the legal privacy frameworks (GDPR vs. CUBI) are certainly not equivalent, the result is ultimately the same: facial recognition software is subject to strict frameworks and cannot easily be used by organizations.

GDPR: facial recognition software and biometric data

Hopefully, you have learned more after reading this article. You may still be wondering what you, as an organization, should consider if you want to use facial recognition software. After reading this post you can already guess. In any case, it is recommended to conduct a thorough DPIA prior to the start of the new process or pilot. Not only because a DPIA becomes mandatory when biometric data may be processed, but also because it is a valuable tool to identify those (high) privacy risks. Furthermore, the organization can then take the necessary measures to accept, reduce or eliminate those risks.

Are you looking for support in conducting a DPIA? Or do you have another question? At Privacy Company we offer various services to manage several privacy matters in your organization.

[1] Article 4(14) General Data Protection Regulation.

[2] Biometric recognition, or simply biometrics, is the science of determining the identity of a person based on physical and/or behavioral characteristics. Multiple definitions are used; one of these has been described by Anil K. Jain, among others. Anil K. Jain et al., Introduction to Biometrics, Springer New York 2011, p. 2, https://doi.org/10.1007/978-0-387-77326-1.

[3] Identity can also be determined by voice recognition. Rb. Midden-Nederland (District Court of Central Netherlands) January 9, 2020, ECLI:NL:RBMNE:2020:24.

[4] European Data Protection Board, 'Guidelines 3/2019 on the processing of personal data using video equipment', January 29, 2020, https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201903_video_devices_nl.pdf

Dutch Data Protection Authority, 'Guidance on the legal framework for facial recognition', May 2, 2024, https://www.autoriteitpersoonsgegevens.nl/documents/juridisch-framework-facial-recognition

[5] Recently, a civil court ruled that the right to privacy carries more weight. The cameras must be covered; a privacy mask was not sufficient. See Rb. Midden-Nederland (District Court of Central Netherlands) July 16, 2024, ECLI:NL:RBMNE:2024:4256.

[6] Security.nl, 'Municipality of Harlingen reminds residents of privacy rules for doorbell cameras', July 30, 2024, https://www.security.nl/posting/852109/Municipality+Harlingen+wijst+inwoners+op+privacy Rules+voor+deurbelcamera%27s.

Binnenlands Bestuur, 'Amsterdam informs residents about smart doorbells', July 24, 2024, https://www.binnenlandsadministratie.nl/digitaal/motie-over-informatieCAMPAIGN-deurbelcameras-aantaken

[7] Bryce Clayton Newell, Nadezhda Purtova, Young Eun Moon and Hugh J. Paterson III, 'Regulating the Data Market: The Material Scope of American Consumer Data Privacy Law', 45 U. Pa. J. Int'l L. 1055 (2024), https://scholarship.law.upenn.edu/jil/vol45/iss4/4

[8] Facebook, 'An Update On Our Use of Face Recognition', November 2, 2021, https://about.fb.com/news/2021/11/update-on-use-of-face-recognition/

Joy, Consultant