French privacy regulator finds facial recognition gates in schools illegal
The intention to use facial recognition integrated in biometric gates at two high schools in France was heavily criticized and opposed by digital rights groups, parents and teachers’ unions, writes Politico, which led to the country’s data protection watchdog CNIL ruling that the initiative is illegal and breaches privacy laws.
In February, opposing groups filed a lawsuit against the decision.
France’s South Region signed a contract in December 2018 with U.S. company Cisco to deliver the technology planned for use in a high school in Nice and one in Marseille for student identification. The pilot project was waiting for CNIL to give the green light before it could start.
Nice had already been testing biometric facial recognition software by deploying more than 2,600 CCTV cameras, as it was waiting for CNIL’s decision.
“This installation cannot be implemented legally,” wrote the head of the Commission Nationale de l’Informatique et des Libertés (CNIL).
“Facial recognition processing is an especially intrusive biometric mechanism, which bears important risks of privacy or civil liberties invasions for the people affected,” the watchdog said. The CNIL also says the stated purpose of the technology to streamline student identification can be achieved by other means.
“It is now up to the region and the high schools, which are responsible for the planned system, to draw consequences.””In a world where facial recognition is in the everyday life of millions of smartphone users, refusing projects as simple and ambitious as ours is baffling,” criticized CNIL’s decision Renaud Muselier, president of the region and a former MEP from the conservative party.
Other countries exploring similar initiatives are Sweden, Denmark, Germany and the U.K. On another note, law enforcement agencies in Denmark, Sweden, and Romania have been looking into implementing a biometric facial recognition system, despite criticism from the data protection community.
In August, a school in northern Sweden ran a similar facial recognition pilot to keep track of students attending school. As a result, the municipality was fined €20,000 (US$22,000) by the country’s digital advocacy group for violating a number of GDPR guidelines.
“The school has processed sensitive biometric data unlawfully and failed to do an adequate impact assessment including seeking prior consultation with the Swedish DPA,” the European Data Protection Board said of that case.
European privacy laws, however, are not very detailed, so each case has to be analyzed separately.
Although France’s CNIL warned the project was a breach of privacy, the South Region can disregard the watchdog’s opinion and still choose to implement biometric portals in schools.
Earlier this month, the French Interior Ministry announced its plan to use facial recognition technology for registration in the national digital identification program, thus ensuring a secure digital identity for its citizens. This plan was also criticized by CNIL, arguing it would violate the European rule of consent guaranteed by EU’s GDPR.