By the EternosCorp Team
Facial recognition guidelines
The Council of Europe adopts guidelines on facial recognition. The signatory states of Convention 108 must take them into account in the texts they adopt. Certain uses are prohibited. The private sector is mostly untouched by the directive
Council of Europe Convention 108
It is sometimes forgotten, but the 1995 directive on the protection of personal data is not the founding text in the matter.
The Council of Europe (not to be confused with the European Union) had in fact adopted, as early as 1981, a Convention No. 108 for the protection of personal data (ETS No. 108). Signed the 28 January 1981, the Convention was the first binding international legal instrument in the field of data protection. According to the original text of the Convention, parties had to take the necessary measures in domestic law to apply its principles in order to ensure, in their territory, respect for fundamental human rights with regard to the application of data protection.
Convention 108 was given a major update in 2018 with the adoption of Convention 108+. Among the new features: the introduction of a general principle of proportionality, a specific protection of sensitive data, a principle of data security, the formulation of a general requirement of transparency. Those familiar with the GDPR will be very familiar with this kind of structure … (overview of new features).
On the 20th anniversary of this founding text, the Council of Europe has started working on a series of works to the issue of personal data protection. Very important, is for instance the adoption on 28 January 2021, of guidelines on facial recognition.
Facial recognition and video surveillance
Facial recognition necessarily implies the capture or retrieval of an image (animated or not), but the not the contrary: video surveillance does not necessarily involve facial recognition.
A surveillance camera in a shop that records the flow of visitors without identifying them is video surveillance, but not facial recognition. Facial recognition is much more intrusive because it identifies or authenticates a person, which calls for a stricter legal framework.
The guidelines explain that facial recognition is a technology for automatically processing digital images of people’s faces in order to identify or authenticate them by means of facial models. The sensitivity of information of a biometric nature has been enshrined with the inclusion of data uniquely identifying a person under the special categories of data in Article 6 of the Modernised Convention for the Protection of Individuals with regard to the Processing of Personal Data (hereinafter “Convention 108+”). The context of image processing is decisive in qualifying the sensitive nature of the data. The processing of images does not, in general, involve the processing of sensitive data, as images are covered by the definition of biometric data only when processed by a specific technical means allowing the unique identification or authentication of an individual.
The guidelines therefore have a very specific scope ratione materiae: they deal with the use of facial recognition technologies, including on-the-fly facial recognition technologies.
A clear legal framework
As we know, any interference with freedoms must be written and justified by law. Beyond the formal aspect (the existence of a text), this requirement also applies to the material content of the norm: the text must be sufficiently precise for everyone to be able to know the consequences of the behaviour they adopt.
The new guidelines highlight the need for a precise legal framework that works without too much intrusion on privacy. The new directive of the Council of Europe requires a democratic process (understand: a text debated in an assembly) of irreproachable quality allowing (1) the population to know exactly what is being done, and (2) the judges or competent authorities to check that the actual use is indeed that provided for by law.
The end does not justify the means
The guidelines are opposed to certain operations and purposes. In particular, the use of facial recognition is prohibited:
- for the sole purpose of determining the colour of the skin, religious or other beliefs, sex, racial or ethnic origin, age, state of health, or social condition of a person (unless appropriate safeguards are provided by law to prevent any risk of discrimination);
- for the purpose of recognizing “affects” (detecting personality traits, inner feelings, mental health or commitment of employees from images of faces to detect personality traits, inner feelings, mental health or commitment of employees);
- for “on-the-fly” surveillance by law enforcement agencies (unless strictly necessary and proportionate to prevent imminent and substantial threats to public security that are documented in advance). This requirement is, as we know, at the heart of an important debate on the use of UAVs in the fight against covid.
And the private sector?
The private sector is treated according to whether it develops and offers these technologies, or whether it uses them. Barring specific situations, the writers of the guidelines seem to consider that the proportionality of the interference is often not defensible and that there is, most of the time, a less intrusive alternative method whose result is substantially the same.
For example, “private entities should not deploy facial recognition technologies in uncontrolled environments such as shopping malls, especially to identify persons of interest for marketing or private security purposes. »
There is an opening, however, for the private sector with consent in “controlled environments for verification, authentication or categorization purposes”. But beware: this consent must be free, which implies the possibility of simple alternatives (e.g. password or identification badge) and excludes overly asymmetrical relationships (e.g. employment contract).
The Guidelines consider that consent is never the appropriate legal basis “for facial recognition carried out by public authorities in view of the imbalance of power between the persons concerned and those authorities”.
More info ?
By taking note of the guidelines and other information documents available below , or contact us at our mail contact (at) eternoscorp.com:
Professor Cécile de Terwagne documentation on convention 108+ : HERE
Further documentation on the concept of jurisdiction in the document :
Legal Opinion_DLAPIL02_2021_The interpretation of the notion of jurisdiction in relation to article 14 of Convention 108+ 2772-9952-0514.1.pdf-min