UK ICO Warns of Facial Recognition Surveillance Threat

Concerns Raised Over Facial Recognition Technology Use

The United Kingdom’s primary data protection authority has issued a warning regarding the potentially careless and improper deployment of live facial recognition (LFR) technology within public areas.

Investigations Reveal Non-Compliance

An opinion published today addresses the application of this biometric surveillance method in public spaces, outlining what are termed “rules of engagement.” Information Commissioner Elizabeth Denham highlighted that investigations conducted by her office into proposed implementations of the technology have consistently revealed issues.

“I harbor significant concerns about the possibility of inappropriate, excessive, or even reckless utilization of live facial recognition (LFR) technology. The collection of sensitive personal data on a large scale, without individuals’ awareness, consent, or control, could have substantial repercussions,” she cautioned in a recent blog post.

Applications and Compliance Issues

Reported uses of the technology include addressing public safety and generating biometric profiles for targeted advertising. Notably, none of the organizations investigated were able to fully justify their data processing practices.

Furthermore, of the systems that were activated, none were in complete accordance with data protection legislation. Consequently, all organizations involved either ceased or refrained from implementing LFR.

LFR vs. CCTV: A Key Distinction

Denham emphasized that unlike traditional CCTV systems, LFR and its associated algorithms can automatically identify individuals and deduce sensitive information about them. This capability extends to instantly profiling individuals for personalized advertising or identifying potential shoplifters.

She further explained that LFR represents a significant advancement over CCTV, potentially enabling the integration of facial recognition with social media data and other large datasets.

Human Rights and Privacy Concerns

The remote identification of individuals using biometric technologies raises significant human rights concerns, particularly regarding privacy and the potential for discriminatory practices.

European Opposition and Legal Challenges

Throughout Europe, campaigns like “Reclaim your Face” are advocating for a ban on biometric mass surveillance. Legal challenges have been filed against Clearview AI, a controversial US facial recognition company, aiming to halt its operations within Europe.

EU Regulation and UK Implications

While public opposition to biometric surveillance is strong in Europe, legislative action has been limited. A proposed EU regulation on artificial intelligence includes only a partial prohibition on law enforcement’s use of biometric surveillance, with numerous exceptions.

Calls for a complete ban on LFR in public spaces have been made by MEPs from across the political spectrum, and the EU’s data protection supervisor has urged a temporary ban.

However, the planned EU AI Regulation will not apply to the UK, which is now outside the European Union. The future of the UK’s data protection regime remains uncertain, with potential for weakening of existing standards.

Potential for Regulatory Changes Post-Brexit

A recent report commissioned by the UK government suggests replacing the UK GDPR with a new “UK framework,” aiming to “free up data for innovation and in the public interest.” This includes proposed revisions to AI and “growth sectors.”

The report advocates for the removal of Article 22 of the GDPR, which protects individuals from decisions based solely on automated processing, suggesting it be replaced with a focus on “legitimate or public interest tests.”

The Future of the ICO and Data Protection

The government is currently seeking a successor to Elizabeth Denham, with the digital minister expressing a desire for a replacement who will adopt a “bold new approach” and view data as an “opportunity” rather than a “threat.”

Currently, organizations implementing LFR in the UK must adhere to the provisions of the Data Protection Act 2018 and the UK General Data Protection Regulation, as outlined in the ICO’s opinion.

Requirements for LFR Implementation

Controllers must demonstrate high standards of governance and accountability, justifying the fairness, necessity, and proportionality of LFR use in each specific context. They must also prove that less intrusive methods are ineffective.

Organizations must assess the risks associated with LFR, including potential inaccuracies and biases that could lead to misidentification and harm.

Timing and Concerns Regarding UK Data Protection

The ICO’s opinion on LFR is particularly timely given broader concerns about the direction of UK data protection and privacy policy.

A potential appointment of a more lenient information commissioner, willing to revise data protection rules, could create challenges given the existing public record detailing the dangers of reckless LFR use.

Sensitivity of Biometric Data

The next information commissioner will be fully aware that biometric data is exceptionally sensitive and can be used to infer characteristics like age, sex, gender, or ethnicity.

Furthermore, UK courts have previously recognized facial biometric templates as “intrinsically private” information, highlighting the potential for surreptitious data harvesting.

The Importance of Public Trust

Denham’s opinion underscores the critical need for public trust and confidence in any technology, warning that without it, the benefits of the technology will be lost.

ICO’s Previous Guidance

The ICO has previously published an opinion on LFR use by police forces, setting a high threshold for its implementation. Several UK police forces have adopted facial recognition technology, leading to legal challenges regarding bias.

A Measured Approach

Despite advocating for caution, the ICO opinion stops short of recommending a complete ban on biometric surveillance, acknowledging potential benefits in specific scenarios, such as locating a missing child.

The commissioner maintains that her role is not to endorse or ban technologies but to ensure data protection and privacy are central to any LFR deployment decisions.

Potential Risks to EU Data Adequacy

A significant risk exists that the UK government’s potential weakening of data protection rules could jeopardize the EU-UK data adequacy arrangement.

Without this agreement, UK companies would face increased legal hurdles when processing EU citizens’ data, potentially leading to data flow suspensions.

The Importance of a Thoughtful Approach

Such a scenario would be detrimental to UK business and innovation, and could erode public trust in technology. It is crucial that the UK government carefully considers the implications of regulatory changes.

For now, the ICO continues to provide essential oversight and guidance on data protection matters.