Click to open contact form.
Your Global Partners in the Business of Innovation

French Regulator Issues Guidelines for Using Facial Recognition Technology at Airports

Publications / November 01, 2020

Article written by Haim Ravia, Dotan Hammer and Adi Shoval

The French Data Protection Authority (“CNIL”) issued its guidelines on the use of facial recognition technologies in airports. According to the CNIL’s guidance, the use of facial recognition in airports is permitted but only if the GDPR’s conditions for the processing of special categories of data are met.

The CNIL reiterates that the use of such technologies must be proportionate and for a legitimate purpose. For example, one legitimate purpose is sequencing and scheduling passenger boarding to avoid crowds and long queues for security reasons.

In addition, controllers must obtain the free, specific, and informed consent of passengers in a way that allows a passenger to choose between having their facial image processed and an alternative that does not involve this type of processing and is not inferior. This means that, for example, offering a special incentive, such as “frequent flyer” club advantages to those who agree to have their facial image processed, is forbidden because it creates a lesser alternative that is not equivalent to the facial recognition option. The data subject’s consent should be given specifically for a particular facial recognition processing purpose and should not be bundled with consent provided for other purposes, such as consent to the terms of sale of a passenger ticket. Also, the passenger must be allowed to withdraw his consent at any time.

The CNIL also requires that the biometric information remains within the sole control of the passenger. For example, by storing this sensitive information solely on the passenger’s mobile device or a smart card given to them instead of storage in a central database. Alternatively, biometric information can be stored in a central database but only to the extent that the information is encrypted and the encryption key is stored only on the passenger’s mobile device.

The data controller must also perform a data protection impact assessment as required by the GDPR for data processing that involves special categories of data.

CLICK HERE to read the CNIL’s guidance (in French).

MEDIA HIGHLIGHTS