Information commissioner warns against use of facial recognition technology

The information commissioner has said she is “deeply concerned” about the use of live facial recognition (LFR) technology

In a blog, Elizabeth Denham said none of the investigations conducted by the ICO to date have been able to justify the processing and of any systems that went live. Further, none were fully compliant with the requirements of data protection law.

She acknowledged how facial recognition can make of our lives easier, efficient and secure. However she said that when it is used to scan people’s faces in real time and in more public contexts, “the risks to people’s privacy increases.”

She said: “I am deeply concerned about the potential for live facial recognition (LFR) technology to be used inappropriately, excessively or even recklessly. When sensitive personal data is collected on a mass scale without people’s knowledge, choice or control, the impacts could be significant.

“We should be able to take our children to a leisure complex, visit a shopping centre or tour a city to see the sights without having our biometric data collected and analysed with every step we take.”

Denham noted that unlike CCTV, LFR and its algorithms can automatically identify who you are and infer sensitive details about people. Additionally she said it can be used to instantly profile people to serve up personalised adverts or match their image against known shoplifters as they do their weekly grocery shop.

She claimed there is “the potential to overlay CCTV cameras with LFR, and even to combine it with social media data or other ‘big data’ systems – LFR is supercharged CCTV.”

Denham also said that in the US, “people did not trust the technology”.

She said: “Some cities banned its use in certain contexts and some major companies have paused facial recognition services until there are clearer rules. Without trust, the benefits the technology may offer are lost.”

The commissioner said it wasn’t her role to “endorse or ban a technology but, while this technology is developing and not widely deployed, we have an opportunity to ensure it does not expand without due regard for data protection.”

Data protection and privacy

As such, the ICO has published a Commissioner’s Opinion on the use of LFR in public places by private companies and public organisations. It explains how data protection and people’s privacy “must be at the heart of any decisions to deploy LFR.”

It also explains how “the law sets a high bar to justify the use of LFR and its algorithms in places where we shop, socialise or gather.”

Organisations will need to demonstrate high standards of governance and accountability from the outset, including being able to justify that the use of LFR is fair, necessary and proportionate in each specific context in which it is deployed. They need to demonstrate that less intrusive techniques won’t work.

Organisations will also need to understand and assess the risks of using a potentially intrusive technology and its impact on people’s privacy and their lives. For example, how issues around accuracy and bias could lead to misidentification and the damage or detriment that comes with that.

“My office will continue to focus on technologies that have the potential to be privacy invasive, working to support innovation while protecting the public. Where necessary we will tackle poor compliance with the law,” said Denham.

The commissioner also said the ICO will engage with government, regulators and industry “to make sure data protection and innovation can continue to work hand in hand.”