Why new Guidelines on Facial Recognition
Due to the number of frequently asked questions the Dutch Data Protection Authority, Autoriteit Persoonsgegevens (“AP”), has received about the use of facial recognition, the AP has released a guidance about the use of facial recognition.
The importance of these guidelines rely on the outlining of two main exceptions regarding the deployment of facial recognition technologies. Significantly, the deployment of AI is also mentioned in the Guidelines.
1st Exception: Facial Recognition to protect security targets (i.e. hazardous substances)
One exception to facial recognition being prohibited is when it is necessary for authentication or security purposes. The Dutch General Data Protection Regulation Implementing Act (“UAVG”) contains the example that facial recognition may be used for the security of a nuclear power plant.
The guidance issued by the AP now contains the new example of the security of hazardous substances that could be used in the production of bombs. In 2023, the AP approved the code of conduct of port companies handling international shipping. The security of such hazardous substances can occur with facial recognition under strict conditions, such as a Data Protection Impact Assessment (“DPIA”) that was carried out before the use of facial recognition, and which shows that there is a need and significant public interest to do so.
2nd Exception: Facial Recognition for personal use
The conditions under which facial recognition may be regarded as ‘personal’ or ‘domestic use’ has also been defined by the AP. If it is for personal, domestic use of the household exemption applies, the General Data Protection Regulation (“GDPR”) is not applicable. The guidance contains the example of unlocking a mobile phone with facial recognition. This is allowed, but only if the biometric data is stored on the phone itself and user decides what happens to that data. The user must have the choice to use facial recognition or to unlock with mobile phone a PIN code.
The guidance further confirms that the prohibition of using facial recognition also applies to confirming identity. The uncertainty about whether the processing ban on special categories of personal data applies to facial recognition with the aim of confirming someone’s identity has been removed. The AP has concluded that the processing ban does indeed apply in this case. Therefore, the use of facial recognition to catch thieves and other people in supermarkets in the Netherlands is not permissible.
Questions about Facial Recognition, the GDPR, and AI?
With the further development and use of AI, we believe that more Data Protection Authorities will follow the AP’s example and publish guidance about the use of AI and facial recognition. Does your organization have any questions about the use of facial recognition or the conducting of a DPIA? Feel free to contact us, the Experts in Data Privacy, by filling the form below or emailing us at info@dpoconsultancy.nl.