Morocco extends facial recognition moratorium to year-end, proposes biometric authentication service
Morocco’s moratorium on the use of biometric facial recognition has been extended until the end of 2020, with a decision by the country’s CNDP (National Commission for the Control of the Protection of Personal Data) that leaves open possible trials and deployments of the technology in certain specific situations.
Experiments with facial recognition and other biometrics may be allowed, on a case-by-base basis, and the CNDP has committed to studying any solution that may contribute directly or indirectly to reducing health risks during the state of emergency brought on by the coronavirus pandemic, according to the announcement.
The CNDP notes in the announcement that it is currently prioritizing health risk management, and plans to partner for assessments of the “proportionality in relation to the targeted purposes” of any technology that could contribute to the management of the crisis, according to a Google translation. The deliberation also makes recommendations regarding “the architecture of identifiers at the national level and the establishment of a national system of trusted third parties for biometric authentication mechanisms.”
The Commission says that businesses have asked for the authorization of biometric systems, and facial recognition systems in particular, and it has taken the economic importance and challenges related to its deployments into consideration. CNDP expresses commitment to supporting the emergence of a data-driven economy with benefits added through data governance, and has reservations about service providers each holding their own biometric databases, often hosted outside of the Commission’s jurisdiction.
A national decision on the use of a third-party database for authentication, whether in the public or private sector, is necessary, and a trusted third-party system could be set up according to the technical specifications of the new version of the National Electronic Identity Card. Idemia recently won a contract to supply biometric eID cards in the country.
Specifically, CNDP notes that authentication data and usage data must not be stored together, and specific sector identifiers can be used to put granular policies on data protection.
“The CNDP thus recommends, at the national level, an architecture of identifiers which takes into account constitutional, economic, societal and technical requirements,” the body says in its deliberation document.
The CNDP intends to confirm claims by vendors that their technology enables matching without biometric data storage, and the DGSSI (General Directorate for Systems Security Information) will be consulted on the cybersecurity requirements of the prospective national trusted third-party identity authentication system.
Plans for exiting the moratorium are also included in the document.