New facial recognition guidelines
On 28 January 2021, the Council of Europe published a new set of guidelines on the use of facial recognition technologies ("Guidelines"). The Guidelines, addressed especially to governments, facial recognition developers, manufacturers, service providers and entities using facial recognition technologies, indicate that AI technologies using facial recognition are an extremely sensitive matter and may pose a real threat to the rights of data subjects, including their right to privacy.
Integrating facial recognition technologies with existing surveillance systems puts at risk the rights to privacy and protection of personal data as well as other fundamental rights. As pointed out in the Guidelines, the use of such technologies does not necessarily require the awareness or cooperation of the people whose biometric data is being processed, since digital images may be accessed on the internet.
To preserve the uninterrupted protection of data (especially sensitive data), the Guidelines propose that the use of facial recognition for the sole purpose of determining a person's skin colour, religious or other belief, sex, racial or ethnic origin, age, health or social status should be prohibited, unless appropriate safeguards are provided for by law to avoid any risk of discrimination. These could include measures authorised for a medical research project, subject to appropriate safeguards enshrined in law. Therefore, facial recognition could be used to help detect diseases.
When it comes to the use of facial recognition in the public sector, the Guidelines clearly state that consent should not be the basis for processing data. Legislators and decision-makers should therefore lay down specific rules for biometric processing by facial recognition technologies for law enforcement purposes. In the private sector, depending on the purpose of the facial recognition, attention must be paid to the quality of the data subject's explicit consent when it is the legal basis for the processing. Simply "passing through an environment where facial recognition technologies are used cannot be regarded as explicit consent."
In general, it is the legislators' responsibility to ensure the accountability of facial recognition developers and providers, including through the creation of appropriate certification mechanisms. The Guidelines also emphasise that any measures taken should evolve over time and be proportionate to the sensitivity of the data, as the privacy of data subjects is of the essence. Those to whom the Guidelines are addressed should now work hard to achieve a perfect balance between the proposed restrictions and continuing technological development.