Do you have to deal with facial recognition? This is what you need to know

Facial recognition entails risks. That is why, in principle, it is prohibited. But there are exceptions to the prohibition. Those exceptions can be found in the privacy law, the General Data Protection Regulation (GDPR). It is particularly important that your personal data are protected properly. Below you can read more about this.

What is facial recognition?

Facial recognition is a technology that uses images (a photo or video) to recognise you automatically or to check that you are who you say you are. The image of your face is converted into another type of format and then stored. After that, a computer can compare the image with other images. By now, the technique has advanced so far that this can also be done with a photo of poor quality or with a photo that is somewhere on the Internet.

For what purposes is facial recognition used?

Facial recognition is often deployed for security to check if someone is allowed access. 
An example: when you fly to a country for which you need to have your passport checked, you can opt for an automatic passport check. You need to have your passport scanned for this check. A system then compares the characteristics of your face in a photo that was just made with the photo in your passport, to check if it is really you. When the photos match, the gate will open and you can walk to your gate.

Risks of facial recognition

The risks associated with facial recognition are substantial. A recording of a face (or another body characteristic, such as a fingerprint) is what is called a biometric personal data. The GDPR says that these are special categories of personal data when used for uniquely identifying someone. 

It is very important that organisations protect such data properly. The law says that too. If they fail to do so, this may have significant consequences for people. You can change a password if it has been leaked, but you cannot change your face. That is why the consequences can be more significant if special categories of personal data are leaked.

A grainy photo is enough to recognise your face everywhere and find out all sorts of things about you: your address, salary, search history and much more. As a result, you could be ‘followed’ on a large scale.
Because the risks are so big, organisations are allowed to use facial recognition in rare situations only. 

When is an organisation allowed to deploy facial recognition?

Facial recognition is in principle prohibited. But there are 3 situations in which facial recognition is permitted: 

• Does facial recognition only have a personal purpose? For example, when you unlock your own mobile phone using a face scan? Then the GDPR does not apply.
• Did you give explicit consent? Then this is an exception to the prohibition. Explicit consent means that you ‘actively and voluntarily’ agree to the use of facial recognition. A number of things are important here. You must, for example, be offered an alternative to facial recognition. The organisation must also inform you properly and note down your consent. Besides, withdrawing your consent must be as easy as giving it. Is that not the case? Then the organisation cannot assume your consent.
• Moreover, consent is (usually) not valid if there is a relationship of dependency. For example between you and your employer, or between you and the government. In that case, you may feel pressured into giving consent, or actually not have a real choice. 
• Is facial recognition necessary for security? Or necessary for verifying who you are? Those are exceptions to the prohibition as well. But if there are other, less intrusive options for the security or (access) control, facial recognition is not permitted.

Example: facial recognition at the supermarket
A supermarket wants to deploy facial recognition for security and combating theft. Safety is important. But there are other ways to secure the shop that are less intrusive for customers and employees. The use of facial recognition is a serious invasion of their privacy. In addition, asking all customers for consent is probably not possible. That is why this supermarket is not allowed to use facial recognition.
 

Your rights regarding the use of facial recognition

If an organisation processes your (special categories of) personal data by using facial recognition, you have a number of rights:

• You have the right of access to your personal data.
• Does it turn out that data are incorrect? Then you can ask to have your data adjusted or supplemented. 
• In some cases, you can also ask to have data removed. 
   

Do you want to know what other rights you have? Take a look at Privacy rights under the GDPR.

Question or complaint

If you have questions or complaints, always contact the organisation that uses your personal data first. Do you have a complaint and are you unable to work it out together with the organisation? Then you can submit a complaint to the Dutch Data Protection Authority (Dutch DPA).