Facial recognition technology: regulations and use

• the identification of criminal suspects;
• the verification of an individual's ID to provide access to computing platforms or other electronic devices; and
• CCTV surveillance.

However, these technologies are also prone to misuse and data and privacy infringement. This article discusses the use of such technologies in Austria, along with the regulations which govern them and how they may be used in the future.

Facial recognition technology regulations

EU regulations
Article 4(14) of the EU General Data Protection Regulation (GDPR) defines 'biometric data' as:

personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

Under Article 9 of the GDPR, biometric data is a special category of personal data. Therefore, its use must comply with extra protection requirements. The use of facial recognition software by Austrian and European law enforcement authorities is subject to EU Directive 2016/680/EU.¹

In January 2021 the Council of Europe (COE) issued guidelines on how to develop and use facial recognition technology without infringing data subjects' privacy and data protection rights.² The guidelines provide that the following topics must be considered:

• lawfulness (ie, the processing of biometric data must rely on an appropriate legal basis);
• the involvement of supervisory authorities in legislative and administrative matters prior to and during projects;
• the certification of developers, manufacturers, service providers and entities;
• data protection principles; and
• data subject rights (ie, rights may be restricted only where such restriction is provided for by law, absolutely necessary and proportionate).

Austrian regulations
The Safety Bundle 2018 amended:

• the Security Police Act (SPG);
• the Criminal Procedure Law; and
• the Federal Telecommunications Act.

These amendments enable law enforcement authorities to access and process public surveillance camera data (eg, data from cameras in train and metro stations, public places, airports, schools and hospitals) in real time to "fulfil their tasks" in cases of ongoing or imminent danger.³ This right can be exercised without judicial or court permission. While this provision enables authorities to access surveillance data, it does not expressly permit the use of facial recognition technology.⁴ However, according to the Ministry of the Interior (BMI), other regulations (ie, Sections 64(2) and 75 of the SPG) do provide for the use of facial recognition technology.⁵

Use of facial recognition technology

While critics have stated that the openness of the wording of Sections 64(2) and 75 of the SPG means that they cannot be used as a valid legal basis for implementing random technologies for forensic purposes (eg, facial recognition), the BMI has confirmed that it bought facial recognition software in 2019 and piloted it in 581 cases between December 2019 and June 2020. During these tests, the programme successfully identified only 83 unknown criminal suspects by matching digital images to a forensic evidence database which contained approximately 10 million pictures – a success rate of slightly more than 14%.⁶

Minister of the Interior Karl Nehammer has emphasised that this technology should be used only to identify unknown perpetrators suspected of intentionally committing a criminal offence. It must not be used for real-time surveillance because the Austrian legal system does not provide for such use. After the test run, the facial recognition technology was incorporated in the normal course of business in the Federal Criminal Police Office and used 931 times up to 1 October 2020.⁷ Following criticism from various data protection entities, the BMI renamed the technology 'digital picture matching' but continued to use it without an explicit legal provision.

While Austria uses only its own forensic databases to identify suspects, it is leading negotiations regarding an amendment to the Prüm Convention.⁸ This treaty enables signatory EU member states to access databases which contain DNA profiles, fingerprints and other biometric personal data (as well as vehicle registration databases) for law enforcement purposes. Austria and the other members of the working party wish to extend the convention to merge the databases into a single database that also includes digital pictures linked to the biometric data. Such a vast database of EU citizens is unprecedented.

Comment

Facial recognition technology has many useful applications but undoubtedly poses various risks, including:

• its lack of accuracy – studies show high failure rates, particularly in the identification of people from minority ethnic groups⁹ and people displaying a facial expression;¹⁰
• the fact that the underlying algorithms of facial recognition software are often business secrets, meaning that authorities which use it cannot understand the logic involved;
• the potential for its misuse (eg, to identify climate change protestors or human rights activists);
• the 'chilling effect' (ie, its potential to inhibit, deter or discourage the legitimate exercise of fundamental natural and legal rights); and
• the potential for criminals to hack into its databases.

While Austria complies with many of the COE guidelines, it still lacks an explicit legal basis regarding the use of facial recognition technology. It must also improve data subject rights. Further, no suitable domestic safeguards or certifications exist to guarantee the transparency and fairness of facial recognition data processing. Therefore, Austrian privacy experts worry that the use of facial recognition software may result in the gradual extension of power (eg, the use of real-time surveillance and data processing without a valid legal basis).

Endnotes

^{1 EU Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.}

^{2 Consultative Committee of the convention for the protection of individuals with regard to automatic processing of personal data, Convention 108, Guidelines on Facial Recognition, COE, 28 February 2021.}

^{3 Federal law amending the Security Police Act, the Road Traffic Act 1960 and the Telecommunications Act 2003, Federal Law Gazette (29/2018).}

^{4 Section 53(5) of the SPG.}

^{5 Anfragebeantwortung, 21 June 2019 (3406/AB XXVI GP) and Anfragebeantwortung, 20 November 2020 (3457/AB XXVII GP).}

^{6 Anfragebeantwortung, 4 September 2020 (2662/AB XXVII GP).}

^{7 Anfragebeantwortung, 20 November 2020 (3457/AB XXVII GP).}

^{8 Convention between the Kingdom of Belgium, the Federal Republic of Germany, the Kingdom of Spain, the French Republic, the Grand Duchy of Luxembourg, the Kingdom of the Netherlands and the Republic of Austria on the stepping up of cross-border cooperation, particularly in combating terrorism, cross-border crime and illegal migration, 27 May 2005.}

^{9 "Gender Shades: Intersectional Accuracy Disparities in Commercial Gender Classification", Joy Buolamwini and Timnit Gebru, 2018.}

^{10 "The Effects of Facial Expressions on Face Biometric System's Reliability", HAAlrubaish and R Zagrouba, 2020.}

This article was first published on International Law Office, 16.04.2021.
authors: Florian Terharen