Written by Haim Ravia and Dotan Hammer
The European Data Protection Board (EDPB) has published the final guidelines on the use of facial recognition technology in the field of law enforcement. The guidelines emphasize that the use of biometric identification for enforcement purposes requires that national legislation provide an adequate legal basis for processing biometric data. The legislature must authorize the relevant authority to process sensitive personal data for a specific purpose. The legislation should be focused on achieving a defined objective towards specific data subjects, rather than granting general authorization for the use of facial recognition technology for public order purposes.
The final Guidelines largely resemble the draft guidelines published in May 2021. Several additional clarifications were introduced including:
- Effective enforcement by data protection authorities is a central means of protecting the rights of individuals who are at risk due to the use of facial recognition technology. Therefore, member states of the European Union countries should ensure that they allocate adequate resources to allow these authorities to fulfill their supervisory duties.
- The scope of the guidelines is limited to technologies for identification purposes. Other types of processing of biometric information by law enforcement authorities, especially remote processing, may pose similar risks to data subjects. Therefore, certain aspects of the guidelines may be applicable.
- Personal data may only be processed for the training and development of facial recognition technologies when there is a lawful and legitimate basis, following data protection principles codified in the law.
- Human involvement in processing the results of facial recognition technologies may not provide sufficient safeguards to protect data subjects’ rights, considering human biases and errors that may impact the processing.
- The processing of personal data using facial recognition technologies is subject to the accountability principle established in the GDPR. Documentation of the operations performed within the system and the relevant procedural steps (such as data protection impact assessments) is one of the key elements of importance.
Click here to read the EDPB guidelines 05/2022 on the use of facial recognition technology in law enforcement.