Regulation on surveillance camera and facial recognition technology(2/2)

This article is written by Mr. Yusuke Koizumi, Chief Fellow, Institute for International Socio-Economic Studies（NEC Group）

Stricter regulations on the use of facial recognition technology by EU

The European Data Protection Board (EDPB), an independent European advisory committee for personal data protection, published in July 2019 the draft Guidelines on processing of personal data through video devices.

 

The draft guidelines are to regulate the use of video images and facial recognition technology under the EU’s General Data Protection Regulation (GDPR) of EU, and are containing very strict regulations from the business point of view. Guidelines published by EDPB are specifying legal interpretation of GDPR and can be a basis that supervisory authority of each EU member state enforces GDPR in its jurisdiction.

 

Generally, the processing of personal data by a natural person in the course of a purely personal or household activity is out of the scope of GDPR. This exemption applies also to video surveillance systems. In the draft guidelines, however, this household exemption is not considered to be applied in case that a home video surveillance system is recording public space or neighboring property. As a related case, there is a case that a sports betting café in Austria was imposed administrative fines to the total amount of € 5.280,00 by Austrian data protection authority because the video surveillance system covers public streets beyond the necessary extent for the purposes of the processing.

 

As for the use of facial recognition technology, the draft guidelines offer stricter legal interpretations. For example, there are some new services using facial authentication where passengers are authorized to enter without presenting their passports or boarding tickets at luggage drop-off counter and boarding gate once they registered their facial images at the time of check-in at airport. But there is a restriction that such facial recognition system must be installed only in clearly separated gate and that the facial templates of people who did not give their consent will not be captured. The same regulation applies to the case of facial authentication of people at the entrance of concert venue.

 

Also when the facial authentication system is introduced at the entrance of office, it is regulated that the controller must offer an alternative way to access the building such as presenting employee’s ID card rather than employees would be forced to go through this system.

 

The use of facial recognition technology is only allowed in shops if the controller obtains the explicit and informed consent from all visitors before using this biometric system for the purpose of identifying repeater-customers by face recognition. But this regulation is waived and no prior consent of individual is required when the analysis is made through face recognition system only to know characteristics of the customer such as age and gender and when such analysis is not made to identify the specific individual with facial template.

 

It is also regulated that the controller must obtain the prior consent from not only VIP guests but also all other guests monitored, when a hotel would introduce a face recognition system to identify VIP guests already registered among all guests to the hotel.

 

Other than these cases, it is also regulated that the controller of video surveillance system should generally respond to request from the data subject for a copy of his or her personal data processed through this system and if other data subjects can be identified in the same copy then that part of the copy should be anonymized (e.g. by blurring). It is also regulated that warning sign should be provided at the appropriate location for people to easily recognize the video surveillance system is in motion well before they are entering in the monitored area.

 

The Japan Electronics and Information Technology Industries Association (JEITA) submitted public comments to EDPB especially on the legal interpretation that the prior consent should be obtained from all visitors and customers specified in the draft guidelines. Some media reported that EU is now considering stricter legislation than GDPR on the use of facial recognition technology. The situation is unpredictable even for Japanese industries.