Dutch grocer thinks loophole makes face biometrics legal in its store
A year after shutting off its facial recognition system under regulatory pressure, a Dutch supermarket wants to plug it back in, and the government is saying no.
The Netherlands’ Data Protection Authority has warned the store’s owner not to use the biometric capability on cameras at its entrance. Doing so, according to the regulator, would violate Dutch privacy rules.
It is not clear if the warning, issued December 15, was a final result of the authority’s action last December or if it was a response to store executives saying they had found a regulatory loophole.
The supermarket’s name has not been revealed in government documents or media reports. The regulator published its account of the situation (in Dutch here).
(An article in DutchReview describes a Dutch outlet of the Jumbo supermarket chain tussling with the Dutch Data Protection Authority over face scanning systems.)
A Translate version of the announcement states that the business wanted to spot thieves and other people posing threats before they could enter the store. Store executives reportedly told the government that only the images of people who have been caught stealing were stored. How long they were stored could not be determined.
Images of those not subject to shopping bans were erased in “seconds.” It is not clear how images of newly successful shoplifters were obtained. The biometric data storage is an issue, but more problematic is the indiscriminate recording and analysis, the authority said, citing the EU’s General Data Protection Regulation.
The GDPR allows supermarket surveillance if subjects give their explicit permission. Regulators reported that the store owner put notices at their entrance, but that was judged too passive to be considered explicit consent.
The second loophole allows the use of facial recognition systems if their use will serve the public interest. The authority has said the store’s deployment does not fit that definition.
It is not known if the store can appeal further.
The Dutch regulator handed out a fine of nearly $800,000 earlier this year for a GDPR violation related to a fingerprint biometric time and attendance system.
Earlier this year, a very similar clash occurred in Portland, Oregon. In that case, a regional food store wanted to put facial recognition systems at the entrance of its stores to dissuade criminals.
The move met with vocal opposition from residents.