The General Data Protection Regulation (“GDPR”) is a sweeping piece of legislation that fundamentally shifted the relationship between individuals and the companies that collect their data by providing a mechanism, under certain circumstances, for those individuals to retain control of their data. GDPR requires that any entity that wishes to process data have a legal basis for processing, typically on the basis of legitimate interest or consent. Both have their strengths and drawbacks, legitimate interest does not rely on the consent of the individual to process their data; however, it requires an assessment to show why the processing is necessary and this assessment can be challenged.
Processing with the consent of the individual requires that the individual be told how there data will be used, what data will be used, who might have access to their data, and their rights under GDPR. One of those rights is the ability to withdraw their consent at any time, which immediately halts the use of any data collected under consent. This can represent an entity as they must now cease their collection, processing, and storage of that individual’s data, so despite the requirement for an assessment, many entities attempt to use legitimate interest as their basis for processing.
Facial recognition is a hot topic in technology and privacy circles because it’s an extremely potent tool that massively compromises an individual’s privacy. Facial recognition works best when it’s omnipresent, like it is in China, and its presence strips an individual of any expectation of privacy. Margrethe Vestager, the EU Commission’s Digital Affairs executive vice president, has come out against automated facial recognition on the grounds that it is impossible to collect the consent of the individual, and there’s no legitimate interest for doing so. Under GDPR there is personal data, which can be processed through several lawful bases, and sensitive personal data, which includes biometric and genetic information.
An individual’s face, when processed by facial recognition systems, is considered biometric data and as such can only be processed with the consent of the individual. This consent needs to be freely given and able to be removed, which isn’t something that’s in place for facial recognition systems. The collection of such consent would be a monumental task, and the EU commission has previously stated that posting a sign or other language stating that continued use of something represents consent isn’t valid under GDPR. Individuals must consent by taking a positive action (clicking a button), rather than a negative one (unchecking an automatically checked box to remove consent) or a passive one (entering a store after seeing a sign saying that use constitutes consent).