Government facial recognition policies updated in Canada, Sweden and China
Canada, Sweden and China have all made changes this week in their approaches to national use of face biometric technologies.
The OPC (Office of the Privacy Commissioner of Canada) has announced two core resolutions in response to concerns about facial recognition and intelligent systems. These concerns are a consequence of responses to the pandemic, and the resulting challenges.
Sweden’s International Network of Privacy Law Professionals (INPLP) has published a report stating that Swedish authorities will soon have access to biometric databases for immigration purposes, while law enforcement will be given the right to continued use of facial recognition technology in anti-crime objectives.
Finally, how the consent requirement of China’s first ever civil code regarding the transparent use, protection and collection of citizen’s personal and biometric data, currently in draft form, will be implemented is coming under scrutiny.
Canadian Commissioner recommends action on privacy
Daniel Therrien, Commissioner at the OPC, has outlined necessary actions for privacy and data protection in an annual report to parliament. The actions recommended are the outcome of new resolutions made in areas of facial recognition technologies and artificial intelligence systems, with the underlying theme of supporting privacy as a basic human right.
In the report Therrien summarizes the technological developments surfacing as a result of the pandemic, many of which have introduced ‘benefits as well as risks.’ We have become reliant on technology to maintain an air of normal life in work, socialising, education and health, he states. The platforms which have risen up to the demand have provided us with efficient solutions, and some have become essential for daily work. These platforms, however, are not without their dangers, and Therrien expresses concern that privacy by design is not currently a legal obligation for developers.
Such that some systems are learning our ‘behavioural issues’ and other normally confidential information. Therefore, new and updated frameworks are necessary to keep up with these recent technological advances. Stricter governance for developers and users will ensure that there can be a compromise between both protecting the public, and maintaining privacy, according to the report.
The first resolution to come out of a session of the Global Privacy Assembly (full resolution here) emphasises the ‘intrusive’ nature of facial recognition systems, its “ethical challenges” and its “discriminatory effects.” The resolution that further asserts that this technology is having and will continue to have far-reaching ramifications throughout society. It stresses “an ethical approach to the use of biometric data.”
The Global Privacy Assembly’s call for action therefore seeks agreement on principles for the use of facial image data, to be enacted by working with developers and users in order to mitigate risks and encourage accountability.
The second resolution on accountability in AI development and use (full resolution here) reflects on the ‘permanent Working Group’ (AI WG) established in 2018 to specifically monitor national developments in artificial intelligence. The call for action therefore appeals to governments to work with data protection authorities to ensure compliance with legal frameworks in the development and use of AI systems, keeping in mind consequences for human rights.
Sweden updates regulations
A report from INPLP (International Network of Privacy Law Professionals) details updated regulations for facial image processing data within Sweden. Currently under GDPR in Europe, “processing digital images or videos of a physical person” is generally prohibited and the handling of this type of data should be carefully aligned with GDPR.
The Swedish Data Protection authority (DPA) has thus increased its involvement in this area. In August 2019, it fined a local government €20,000 (roughly US$23,300) which the regulator accused of unnecessary usage of facial imaging technologies in the recording of student attendance.
While the DPA declared the technology’s use disproportionate in a school setting, it does recognise its efficiency in police use. Stores were also given the go-ahead for the sole purpose of “analyzing visitor movement patterns.” To ensure that this is GDPR compliant, they fully anonymize the data. Finally, as of 1 December this year, “special categories of personal data” will be available to Swedish authorities for specific purposes, including immigration. This is part of a Europe-wide drive to get on top of regulation for biometric identification technology.
China’s data protection law may clash with residential security practice
Hangzhou, in China’s Zhejiang Province has enacted a regulation barring residential communities from requiring biometrics for access control, according to Shine.
Earlier this month, China published the first draft of its new Personal Information Protection Law. The legislation is intended to unify rights to privacy, personal information collection and protection, and is the country’s first ever comprehensive law in the area.
The main premise is consent, as detailed in an analysis of the draft by Covington & Burling LLP which compares it to Europe’s GDPR regulations. Chinese citizens will now see a disclaimer before giving consent for their personal data to be processed. IAPP reports that it will also contain ‘opt-in’ agreements, as well as parental consent for minors. The specific uses of the data, as well as ‘collection scope and storage time’ will also be declared.
Yet, according to Shine, many residential communities in China have adopted facial recognition or fingerprint biometrics as a means of security, potentially setting them up for conflict with the incoming national law, in addition to local regulations like that adopted in Hangzhou.