Many of us use facial recognition technology every day when unlocking our phones. This technology is evolving and being used more and more often, including in ways people might not expect, and it carries associated privacy concerns, including misidentification. For example, many sports stadiums around the world use facial recognition technology to identify banned fans, occasionally resulting in a fan being misidentified and incorrectly banned.
Facial recognition technology understandably raises privacy concerns, both among individuals and data protection authorities.
Canadian data protection authorities have published two major reports investigating the use of facial recognition technology in recent years. In an investigation into Cadillac Fairview Corporation Limited, released in 2020, Canada’s Office of the Privacy Commissioner (OPC) and provincial colleagues found that the use of “anonymous video analytics” technology without consent to collect and analyze biometric facial information to assess the age range and gender of mall visitors violated private sector privacy laws.
The following year, another joint report addressed an investigation into Clearview AI, Inc., in which privacy regulators found that a facial recognition technology that relied on a database of over three billion facial images collected from publicly available online sources (including social media) also violated privacy legislation.
Most recently, on October 28, 2022, the OPC announced the adoption of a resolution at the 44th Global Privacy Assembly on the appropriate use of personal information in facial recognition technology. This resolution outlines six principles and expectations for organizations wishing to use the technology, including:
- legal basis: Organizations using facial recognition technology should have a clear legal basis for collecting and using biometric data.
- adequacy, necessity and proportionality: Organizations should be able to justify and demonstrate the appropriateness, necessity and proportionality of their use of facial recognition technology.
- protection of human rights: Organizations should specifically investigate and protect against unlawful or arbitrary interference with privacy and other human rights.
- transparency: The use of facial recognition technology should be transparent to affected individuals and groups.
- accountability: The use of facial recognition technology should include clear and effective accountability mechanisms.
- principles of data protection: When using facial recognition technology, all privacy principles should be followed, including those above.
With increasing concern, awareness, and regulatory reform surrounding the use of facial recognition technology, organizations need to be cautious about its use. Organizations wishing to use facial recognition or other biometric technologies should seek professional legal advice to do so in a responsible manner.