Facial recognition in supermarkets: it has its advantages, but there are also disadvantages and privacy risks. The Dutch privacy supervisor sent a formal warning to a Dutch supermarket because of its use of facial recognition. When are you allowed to apply facial recognition, and is it out of the question for supermarkets? I Chu Chao, IT lawyer, takes a closer look at this question in two blog articles.
In this part 2: Legal analysis of facial recognition.
The legal aspects of facial recognition
The application of facial recognition is in principle not permitted under the General Data Protection Regulation (GDPR), because the data it processes falls under the definition of ‘biometric data’ (Article 4(14) of the GDPR):
“personal data resulting from a specific technical processing related to the physical, physiological or behavioral characteristics of a natural person that allows or confirms unambiguous identification of that natural person, such as facial images or fingerprint data.”
Not all faces are ‘biometrics’
Not all images of faces fall under the definition of ‘biometric data’. Facial images are biometric data only if they are used to technically (automatically) ‘identify’ someone, or to ‘confirm’ someone’s identity. A facial recognition system does not store a complete ‘facial image’; it stores the result of a technical processing of facial features. This can look like a ‘code’ with ‘coordinates’ of facial patterns. Only this ‘code’ is saved.
A new ‘code’ is then created from another face and this new ‘code’ is compared (‘matched’) with the previously stored ‘code’. These ‘codes’ still fall under the definition of ‘biometric personal data’, because on the basis of the ‘code’, the identity of a natural person can be established or confirmed.
General prohibition and the exception
The use of ‘biometric data’ is generally prohibited in the European Union, as laid down in Article 9(1) of the GDPR. Article 9(2) of the GDPR lists the exceptions to this general prohibition. One of the relevant exceptions for facial recognition is included in Article 9(2)(g) of the GDPR:
“the processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law, while ensuring proportionality with the aim pursued, respecting the essence of the right to the protection of personal data and taking appropriate and specific measures to protect the fundamental rights and interests of the data subject”
The Dutch legislator formulated this exception in a broader sense in Article 29 of the Dutch GDPR Implementing Act (UAVG):
“In view of Article 9(2)(g) of the Regulation [GDPR], the prohibition on processing biometric data for the purpose of uniquely identifying a person does not apply if the processing is necessary for authentication or security purposes.”
It seems that the Dutch legislator wanted to accommodate the use of biometrics for security purposes. For example, in the Explanatory Memorandum, the legislator mentions the example of ‘information systems that must be secured’. Unfortunately, besides the security of nuclear power plants, no other examples of permissible use of biometrics are mentioned. This does not have to be problematic, because according to the legislator, you need to make your own assessment whether the identification with biometric data is necessary for authentication or security purposes.
Privacy authority is stricter than legislator
However, the Dutch privacy authority (AP) sees it differently; the AP states that there should always be a ‘necessity for reasons of substantial public interest’, such as the security of a nuclear power plant. The AP follows a narrow interpretation of Article 9(2)(g) of the GDPR, under which a ‘substantial public interest’ must exist for this exception to apply.
This interpretation of the AP is stricter than that of the Dutch legislator; Article 29 of the Dutch GDPR Implementing Act (UAVG) no longer mentions ‘the necessity for reasons of public interest’, but only ‘authentication and security purposes’. There is therefore a difference between the GDPR (‘AVG’) and the UAVG.
Is another exception possible?
Article 9(2)(f) of the GDPR may contain another exception for the use of biometric data. It states that the general prohibition does not apply “if the processing is necessary for the establishment, exercise or defense of legal claims”. According to recital 52 of the GDPR, the “legal claim” may be an extrajudicial legal claim. If the enforcement of a retail ban is considered an “extrajudicial legal action”, then supermarkets can directly invoke an exception under the GDPR, instead of the UAVG.
Legal basis for the use of facial recognition
Under the GDPR, any processing of personal data requires a legal basis, as listed in Article 6 GDPR. ‘Consent’ is one of the legal bases, as is ‘legitimate interest’ (Article 6(1)(f) GDPR). The ‘legitimate interest’ basis is often used for processing operations where another basis is not possible or would be illogical, such as camera surveillance or fraud prevention. Legitimate interest seems to be the most appropriate legal basis for facial recognition.
Application of ‘legitimate interest’: the three test questions
In order to apply ‘legitimate interest’ as a legal basis, three test questions must be answered:
- Is the interest legitimate? (‘Purpose test’)
- Is the processing necessary? (‘Necessity test’)
- Have I sufficiently balanced all interests? (‘Balancing test’)
Each of the test questions is discussed below:
Interest must be legitimate (‘Purpose test’)
Security of property can be a justifiable interest. Enforcement of a shopping ban may also fall under this. In the press release about the warning to the supermarket, the AP unfortunately does not say anything about the possible legitimate interest of the supermarket.
The processing must be necessary (‘Necessity test’)
The second test question is whether the processing of personal data is necessary. This question is more difficult to answer, as it is difficult for supermarkets to prove necessity. While automated facial recognition may help in enforcing shopping bans in supermarkets, this goal can also be achieved in other, less intrusive ways, such as ‘regular cameras’ without facial recognition. A 2014 study shows that automated facial recognition does not yet outperform ‘human recognition’. However, facial recognition technologies are developing at a high speed and they are expected to surpass human capabilities at some point. But we are not there yet. The ‘necessity test’ will therefore not be met in practice.
All interests must be balanced (‘Balancing test’)
The third test is perhaps the most important: the balancing of interests. In this case there are several players who all have their own interests:
- Supermarkets have an interest in a (cost-)efficient way of preventing shoplifting. In addition, supermarkets have an interest in enforcing imposed shopping bans and in detecting shoplifters.
- Supermarket employees have an interest in a safe working environment, and in knowing whether people with a shopping ban are inside the store. They also have an interest in protecting their privacy, including at work.
- Supermarket visitors have an interest in protecting their privacy. It is in their interest that their facial image is not stored and used for facial recognition without their knowledge. This is the core objection of the Dutch privacy authority (AP) against facial recognition:
“Facial recognition turns us into walking barcodes (…). Every time you enter a shop, stadium or event hall with facial recognition, that system scans your face, without asking.”
The rights of data subjects under the GDPR, including the right to information, the right to access, and the right to object against profiling are in conflict with the main condition for a ‘well trained’ facial recognition algorithm, which is the input of many images, often from unknown or unclear sources.
Supermarket visitors have an interest in not being incorrectly identified as a person with a shopping ban. In a ‘false positive match’, where the system incorrectly ‘recognizes’ someone as a person with a shopping ban, an innocent person can be denied access to a store. It is then difficult to prove that you do not have a shopping ban. This is at odds with the fundamental right to a fair trial and the presumption of innocence until proven otherwise.
A shopping ban is not a criminal, but a civil remedy. Shopping bans can be imposed without a criminal report, as criminal reports are not always filed with the police. Even without a prosecution or a conviction, a shopping ban can remain in effect. It is therefore important that the enforcement of shopping bans is handled very carefully. The use of automated facial recognition, which still has a high error rate, is then too risky.
Conclusion: no lawful use of facial recognition in sight
The technical developments in facial recognition are rapidly advancing. Many companies want to use it. However, because the Dutch privacy authority and the legislator interpret the GDPR differently, it remains unclear when facial recognition is allowed at all. This makes it practically impossible and too risky to apply facial recognition in supermarkets.
If you would like to know more about the legal aspects of facial recognition, please send me a message via the contact page.