June saw the publication of a formal “Opinion” by the Information Commissioner’s Office (ICO) on the data protection and privacy implications of the use of live facial recognition (LFR) technology. It only deals with the use of the technology in “public places”, but it defines this term so widely (“any physical space outside a domestic setting, whether publicly or privately owned”) that effectively anywhere except within the home will be covered. It is essential reading for anyone using, or considering the use of, such technology. Almost concurrently, the combined European Union Data Protection Authorities (of which the ICO is, of course, no longer a member) issued an Opinion going even further, calling for a general ban on the use of facial recognition in publicly accessible areas.
The ICO is already understood to have investigated a number of instances of the deployment of LFR in such public spaces (one example being its use – and subsequent cancellation – at Kings Cross, in 2019).
The overarching theme of the Opinion is that a prior risk assessment (a formal “Data Protection Impact Assessment”, or “DPIA”) is essential before a decision is made to deploy LFR. Not only can a DPIA inform the decision-making process, but it also serves as helpful (in fact, now essential) insulation in the event of complaints or regulatory investigations.
DPIAs can be short and simple, but the more complicated the issues, and the more potentially intrusive the technology, the more detailed the DPIA needs to be. Almost unavoidably, some complex legal issues will arise, especially around the subject of proportionality – that is, does the end justify the means? The risks of getting this wrong, especially now the ICO has issued this Opinion, are not to be ignored: the law (now primarily consisting of the UK GDPR and the Data Protection Act 2018) allows for fines of up to £17.5 million for serious infringements, and, increasingly, there is the risk of compensation claims from affected data subjects.
LFR may have perceived commercial and operational benefits, but there are already reputational risks in using it. These recent regulatory opinions are hard-hitting, and businesses now cannot avoid factoring compliance and legal costs into their decision-making in this area.