Data protection authority blocks facial recognition from thermal cameras in Quebec
The Canadian province of Quebec has determined that combining thermal cameras with facial recognition or any other identification system violates provincial data privacy laws.
The Commission d’Accès à l’Information (CAI) ruled that storing health information such as temperature is not a covered by a legitimate exception to the data protection rules based on emergency pandemic control measures, referring to a decision rendered earlier in the year.
The Commission ruled this past summer that the collection of biometric data as part of a temperature-screening system does not meet the proportionality criteria demanded for collecting sensitive personal information. The company was required to delete the temperature information of its employees, along with the biometric templates it had stored.
Dutch authority warns retailers
The Netherlands’ data protection authority has warned retailers and other businesses that facial recognition systems for loss prevention are against the country’s privacy laws in a statement. The statement is not a new interpretation, however, as there are some exceptions, but the authority says many businesses do not understand the law.
The AP questioned facial recognition suppliers about who was buying their systems, and found retail, security, sports and entertainment facilities, transportation authorities and municipalities are their main customers.
AP Vice-Chair Monique Verdier suggests that private CCTV systems can recognize a person and be used to track their activities, and the AP notes that GDPR forbids public biometric data collection, unless one of two criteria are met.
If the people being filmed have given explicit permission, as is commonly considered the best practice with commercial loss-prevention systems using facial recognition, or if it is deemed a “substantial public interest,” as in the case of protecting a nuclear power plant.
Verdier recommends shops use CCTV cameras without facial recognition.
The UK’s Information Commissioner Elizabeth Denham CBE chaired a recent gathering of data protection authorities, where resolutions were passed on data sharing for public benefit, the digital rights of children, government access to data and the future of the assembly were on the agenda.
Data protection authorities from around the world met in late October for the 2021 Global Privacy Assembly (GPA) event, bringing together more than 130 data protection and privacy authorities from around the world. The event’s theme was ‘Privacy and Data Protection: A Human Centric Approach.’
Morocco’s CNDP joined the GPA’s executive committee, and Mexico INAI President Commissioner Blanca Lilia Ibarra Cadena was elected to replace Denham as chair as her three-year term concludes.
The CAI, the Office of the Information and Privacy Commissioner for British Columbia, and the Office of the Information Privacy Commissioner of Alberta were awarded for their investigation of Clearview AI, and a report titled ‘Privacy and data protection as fundamental rights: A narrative’ was adopted by the GPA at the event.
A group of data protection authorities from Australia, Canada, Gibraltar, Hong Kong SAR, China, Switzerland and the UK have shared the commitments offered by video teleconferencing companies in a joint statement.
The companies written to in July by the data protection authorities include Microsoft, Google, Cisco and Zoom.
Their commitments from the video teleconferencing leaders invoke “privacy-by-design and default,” testing, transparency, end-user control and knowing their audience, while the joint signatories are asking for further commitments to use end-to-end encryption, not use data for secondary purposes unless explicitly spelling them out, and to implement data localization policies.