Businesses Forced To Grapple With Facial Recognition Compliance Conundrum
Table Of Contents:
My Face Or Yours?
The growing use of facial recognition technologies leaves businesses facing a serious privacy and regulatory compliance conundrum.
Facial recognition technology can be used to identify or confirm a person’s identity using their face. The technology identifies and measures facial features in an image or video before comparing information with a database of known faces to find a match.
Public Spaces
Facial recognition technology can be used with CCTV for public safety, particularly around airports and train stations. Still, deployments in both the US and Europe have sometimes been controversial.
Facial recognition in uncontrolled environments is unreliable, privacy advocates argue.
Aside from potential threats to individual privacy from facial recognition-enabled mass surveillance, there are also concerns that the technology in the context of public spaces could lead to gender bias and racial profiling – not least because some algorithms exhibit more false positives against people of colour.
The European Union proposed a moratorium on facial recognition in public spaces three years before quickly abandoning the idea.
Use of the technology in border controls such as airports or within secure facilities to enforce strict access controls, by contrast, is far more reliable. Well-engineered facial recognition biometrics can also be used as an authentication mechanism for logical systems or applications.
The EU’s General Data Protection Regulation (GDPR) imposes strict requirements on processing biometric data, including consent, transparency, purpose limitation, and privacy impact assessment (to guard against mission creep) alongside data retention and minimisation rules.
Secure Authentication
Mainstream businesses increasingly rely on facial recognition to control access to physical spaces or authenticate users through ID verification services. These can align with compliance to GDPR – but only providing careful data protection impact assessments that consider privacy and compliance requirements are completed first.
“In the face of rapid technological advancements, businesses must stay agile not only in adoption but also in understanding the associated risks.” Dave Holloway, CMO at ISMS.online commented.
Acuity Law partner Declan Goodwin added: “I have seen examples where facial recognition software/hardware vendors have sold systems to businesses without the purchaser having fully considered the compliance requirements first.
“Once the compliance requirements have been worked through, the purchaser has realised that they cannot implement the system they have bought in a compliant way or is flawed.”
Goodwin explained: “For example, employee consent is required before the system can be used to clock employees in and out of work, and such consent can be withdrawn at any time, making the benefits of the new technology very limited. The ICO is trying to assist data controllers with such technology via their [recent] consultation on draft biometric data guidance.”
Compliance Frameworks Offer A Blueprint
Alex Wilkins, director and data privacy expert at ProCompliance, told ISMS.online that “frameworks and standards, including ISO 27001, ISO 27701, and NIST CSF, play a crucial role in helping businesses position themselves to achieve compliance” when rolling out facial recognition technologies.
For example, the ISO 27001 standard provides a systematic approach to managing and protecting sensitive information, including data used by facial recognition technology. “Implementing ISO 27001 can help businesses identify risks, establish controls, and create a robust information security management system (ISMS),” according to Wilkins.
ISO 27701 offers a privacy extension to ISO 27001 that explicitly addresses privacy management.
Businesses that use facial recognition technology to ensure they handle personal data in compliance with privacy regulations, such as GDPR.
“While not specific to facial recognition, NIST CSF is a comprehensive framework for managing cybersecurity risks,” Wilkins concluded.
Matt Lewis, technical research director at NCC Group, has researched the impact of facial recognition technology and its implications on privacy for businesses.
Facial Recognition Risks and Controversies
There have been several controversies related to facial recognition technology.
In February 2023, Madison Square Garden announced that it would ban the use of facial recognition technology at its venues after a backlash from activists and customers who objected to mass surveillance at the venue.
In 2022, it was revealed that Clearview AI had amassed a database of over three billion facial images without the consent of the individuals depicted. The UK Information Commissioner’s Office fined the facial recognition company more than £7.5m for violating privacy laws.
Compliance And Facial Recognition
While concerns about misuse of facial recognition ought to be taken seriously, the technology can have beneficial applications.
Clarency, a financial compliance specialist, processes approximately $6 billion annually in cross-border payments and uses facial recognition technology for assurance and compliance.
The technology offers financial inclusion to excluded regions and members of society that have historically been excluded from financial services, according to Clarency.
“A great many of our transactions involve regions that banks largely exclude,” Jem Shaw, head of communication at Clarency told ISMS.online. “The facial recognition is part of an enhanced due diligence programme that allows us to transact compliantly in such regions.
Clarency routinely captures photo ID and, in some cases, a live video of involved counterparties for identity verification.
“The subjects readily accept the requirement as it allows them to transact legal, safe and compliant business that would otherwise be impossible,” Shaw added.
Clarency also uses facial recognition technology for home remittances and cash payments.
“We provide a method of tracing cash from payment-in through to its digitisation for onward transmission to the receiver,” Shaw explained. “This is driven by facial recognition at the point of payment.”
Banking compliance regulations, which typically mandate that data needs to be stored for a minimum of six years, contain a conflict with the demands of GDPR. Clarency uses data vault technology to reconcile these seemingly conflicting requirements.
“We can expire, delete or amend information in the vault following GDPR requirements,” Shaw explained. “Should an individual request the erasure of personal data, we can do so immediately. Access can be controlled with unlimited granularity, down to individuals, organisations, expiry dates, number of views, and so on ad infinitum.”
Facial recognition technology “throws up all sorts of questions about whether this technology could undermine fundamental privacy rights and how it can be kept in check,” according to Natalie Cramp, chief exec at data science consultancy Profusion.
Cramp continued: “However, facial recognition tech offers many benefits – from improving security measures, enhancing digital experiences and safeguarding businesses against theft to even helping find missing people.”
Rebecca Harper, head of cybersecurity analysis at ISMS.online, concluded: “Facial recognition has its merits, but like any tool, it’s about how you use it. Compliance can’t be an afterthought.”