Just as we’re seeing examples of your face becoming your passport in Asia (or as Huawei rather catchingly calls it ‘the face of convenience’), the EU seems to be moving in the opposite direction. Calling time on the increasing use of facial recognition technology, which has been reported to generate too many false positives amongst women and some ethnic minority groups, the EC has indicated that it could ban the use of the technology for the next five years in public spaces to give regulators chance to work through the privacy and accuracy issues. It is not alone in its concerns, with a bipartisan group in the US Congress and a dozen states also demanding action. San Francisco and Oakland, plus a growing group of other US cities, have already banned the tech.
In the draft white paper setting out its proposals, the EC said it wants to introduce “a sound methodology for assessing the impacts of this technology and possible risk management measures”. Although the use of biometric data falls under the remit of GDPR and its considerable penalties – which protects EU citizens from being the “subject [of] a decision based solely on automated processing, including profiling” – the EC wants to introduce specific regulation regarding the use of biometric data in the EU.
This move highlights two opposing views on facial recognition tech. While there are many use cases aimed at making the environment safer, more secure and easier to navigate – for example, by detecting criminals and terrorists or substituting for less secure forms of ID – its use is becoming increasingly controversial.
In Kings Cross, London, for example, it was recently revealed that facial recognition technology was in use without any warnings to the people visiting the area. The British data protection watchdog Big Brother Watch has warned that the “secret” use of facial recognition tech in public places in the UK was “epidemic”. And in 2019 Sweden’s data protection authority fined a municipality £17,000 for using the tech to track school attendance. France’s data regulator has also said using the technology breaches current EU data rules.
It has to be said that dystopian narratives run alongside the introduction of any new technology and have done so for hundreds of years. Fears about biometric tech are as old as the technology itself, and yet it has been successfully and securely used in many scenarios for some years. A full five year hiatus also means an uncertain future for the advanced plans, trials and use cases of facial recognition tech in the EU. Germany, for example, plans to roll out facial recognition in 134 railway stations and 14 airports. While France is considering the legal and ethical basis for embedding facial recognition in its video surveillance systems. While last year it was revealed that 600 law enforcement agencies were already working with a little known start-up (Clearview) that had scraped 3 billion images from social media and internet sites – the system is said to be uncannily accurate at matching faces to its database to identify individuals.
While a pause to consider the risks may on the face of it seem sensible, there are other risks in doing so. Life and tech does not stop simply because we want it to, and it doesn’t move at the ponderous speed of the EU. Asian countries are already ahead in this area and are not slowing down with their own deployments of the tech. The risk is that these countries, as well as the vendors that supply them, will gain increasing real-life experience at scale, putting them in what might become an unassailable lead, as well as putting European economies and vendors at a disadvantage. Will we be more secure when it’s an Asian firm supplying the tech, than if it were a British, French or Finnish firm doing it?
There are also a lot of unanswered questions, such as:
- Since concern is centered only on public spaces it begs the question as to what exactly constitutes a public space? Is a privately-owned stadium going to be subject to the same rules as the high street in your local town? Is a stadium different to a cinema or a theatre?
- Will some spaces be permitted to introduce the technology on the basis of overriding security benefits? Will highly risky or controlled spaces such as airports and stadia be permitted to introduce the technology for safety purposes such as anti-terrorism, anti-theft or crowd control? Will the tech be permitted to monitor access to dangerous environments such as building sites?
- What penalties will be imposed for non-compliance? Will these be in addition to GDPR fines?
- Will government agencies be exempt from any regulations imposed on the private sector? Or will there be a nuanced approach with some agencies exempt and others subject to the regulations? How will exempt agencies be governed and what will citizens’ rights be?
- How will regulations be enforced on companies that sit outside the region (such as US or Asian companies)?
The whole issue leaves the UK, in particular, in an uncertain position. Regulations are unlikely to be introduced before the end of 2020, by which time the UK should have left the European Union, meaning it will not be obliged to follow any rules imposed.
“Technology has to serve a purpose and the people. Trust and security will therefore be at the centre of the EU’s strategy,” it has said.
Omnisperience believes there are several sensitive balances to be struck here:
- utilising a promising technology while managing any potential misuse
- having sufficient time to introduce sensible rules while not handicapping European companies from either benefitting from the tech or developing it further due to undue delays in deciding the rules under which they can operate.
In the end, the UK may be in the most favourable position with regards to facial recognition technology – outside the ponderous timescales and restrictions of the EU and therefore free to experiment but also to adopt any regulations it feels will be of benefit in the long run to its citizens’ privacy and security. Also at stake is the opportunity for B2B service providers to help businesses adopt such technology in a sensible and compliant fashion.