Facial recognition is an automated system that can identify and/or authenticate a person from their image. It can be used to access a place, a computer or a mobile phone, to identify an offender, to search for missing persons, etc. It can be based on the person's consent, but it can also be carried out without their knowledge.
Faced with this multifaceted technology, the law is attempting to come to grips with it.
Personal data processing
Facial recognition is first of all the automated processing of a person's image, which constitutes personal data.
Anyone who wishes to set up a facial recognition system must comply with the regulations on the processing of personal data:
• The law of January 6, 1978 « Computer and freedom », modified by the law of June 20, 2018, then by the Ordinance of December 12, 2018;
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data (GDPR);
• Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the processing of data in criminal matters (« Police Justice »).
Biometric data
More precisely, facial recognition concerns data described as biometric.
« Biometric data » is defined by Article 4 of the GDPR as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
For this reason, biometric data are considered sensitive, as are data that reveal racial or ethnic origin, political opinions or religious beliefs, and health data.
A prohibition principle
The regulation on the processing of sensitive data imposes a prohibition principle (Article 9.1 of the GDPR). It specifies that the processing of biometric data for the purpose of uniquely identifying a natural person is prohibited.
Facial recognition is a form of biometric data processing that uniquely identifies a natural person. It is therefore prohibited.
Exceptions
The regulation provides several situations in which this processing may be carried out, and in particular:
• When the data subject has given consent;
• When the processing concerns personal data that are clearly made public by the data subject;
• When the processing is required for a public interest purpose (Art. 9.2 GDPR).
Face recognition integrated into systems (smartphone, computer, etc.)
Facial recognition can also avoid the prohibition principle when it is embedded in a system. For example, it can unlock access to an information system such as a smartphone or a computer.
In this case, the CNIL distinguishes between a biometric device that is embedded in the system and one that operates from remote servers.
In the former case, the device can benefit from the so-called « household » exemption, and not be subject to the regulation on the processing of personal data (Article 2(2)(c) of the GDPR).
In the latter case, the law is applicable, and the CNIL recommends carrying out an impact analysis.
Facial recognition in the workplace
Private or public employers may implement biometric access control devices as long as they comply with a standard regulation drawn up by the CNIL.
By deliberation of January 10, 2019, the CNIL adopted a model regulation concerning the implementation of devices whose purpose is access control by biometric authentication to premises, devices and computer applications in the workplace.
In addition to the above-mentioned applicable regulations, employers wishing to set up such devices will therefore have to comply with this standard regulation.
Facial recognition on behalf of the State
Facial recognition on behalf of the State may be justified by the public interest (Article 6 III of the 2018 Ordinance). It must be authorized by decree of the Conseil d’État, after an opinion from the CNIL, when:
• It concerns state security, defense or public security;
• Its purpose is the prevention, investigation, detection or prosecution of criminal offenses, or the execution of criminal convictions or security measures (Article 31 II of the Ordinance);
• It is necessary for the authentication or control of the identity of persons, and the State is acting in the exercise of its prerogatives of public power (Article 32 of the Ordinance).
Facial recognition in criminal matters
Facial recognition in criminal matters is regulated by Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, which was transposed into the 1978 law by the law of 20 June 2018, then by the law of December 12, 2018. This regulation applies to the automated processing of data:
• For the purpose of preventing, detecting, investigating and prosecuting criminal offenses, or for the enforcement of criminal sanctions, including protection against threats to public safety and the prevention of such threats.
• By any competent public authority or any other body or entity entrusted, for these same purposes, with the exercise of public authority and the prerogatives of public authority.
This type of processing is lawful only in cases of absolute necessity, subject to appropriate safeguards for the rights and freedoms of the data subject.
It can only be implemented in the following three cases:
• It is authorized by a legislative or regulatory provision;
• It aims to protect the vital interests of a natural person; or
• It relates to data that is clearly made public by the data subject.
Impact analysis
According to the regulation, the controller must perform an impact analysis when the processing is likely to create a high risk for the rights and freedoms of individuals.
Since biometric data is sensitive, an impact analysis is required when it is intended to uniquely identify a natural person, including « vulnerable » persons: students, elderly people, patients, employees, asylum applicants, etc.
When the processing is carried out on behalf of the State, and for criminal purposes, the impact analysis must be sent to the CNIL, with a request for an opinion.
Video surveillance (or Security cameras)
A facial recognition system can run on, or be paired with, a video surveillance system in private places, or a video-protection system in public places.
In this case, in addition to complying with the regulations on personal data, the operator must comply with the rules for this type of device. In private places, the operator must in particular ensure respect for privacy (Article 9 of the French Civil Code, and Article 226-1 of the Criminal Code).
In public places, the video-protection system must be covered by a prefectural authorization (Article L. 251-1 et seq. of the Internal Security Code).
Proposed legislation
On November 12, 2018, Senator Roger Karoutchi tabled a bill on facial recognition in terrorist investigations. The purpose of this bill is to enable the coupling of the automated fingerprint file (FAED) with that of the « S-files », all connected to a video-protection system.
While some see this bill as an additional means of combating terrorism, others are protesting against the violation of our freedoms, including the freedom to come and go anonymously.
A body of regulation on facial recognition therefore exists, and the question now is how to make it evolve while respecting our fundamental rights and freedoms.