Last week it was announced that the Autoriteit Persoonsgegevens (AP) has issued a formal warning to a supermarket for its use of facial recognition.(1) The supermarket had cameras that recorded the facial features of every person who did their shopping there. These facial features were then compared with the stored facial features of people who had previously been caught stealing. If that comparison yielded a match, an alarm went off internally. According to the supermarket, facial recognition was used to protect shoppers and staff and to deter shoplifting.

The supermarket's use of facial recognition did not go unnoticed, and after considerable media attention and Parliamentary questions,(2) the AP asked the supermarket in question for clarification late last year. The supermarket in question subsequently disabled the system, but indicated that it would like to use the system again. That, in addition to a letter from the AP to the entire supermarket industry last summer,(3) apparently led to the AP's first formal warning. This is because the supermarket's use of facial recognition is not in line with the (very) strict rules regarding the processing of biometric data.
Briefly, on those rules: facial recognition uses the biometric data in a person's face (such as the position of the mouth and the distance between eyes and nose) to identify a person. A fingerprint, iris scan and voice are other examples of biometric data. Biometric data are "special personal data" which, in principle, are subject to a processing ban. However, the Dutch legislator has taken advantage of the space provided by the AVG to make a specific exception to that prohibition for the use of biometric data (in Article 9(4)). The Dutch legislator has hung this exception on the 'hook' provided by Article 9(2)(g) of the AVG. It follows from that provision that a Member State can create a basis for the use of special categories of personal data, including biometric data, for reasons of substantial public interest through national legislation.
That basis has been created in the UAVG: biometric data may be processed when necessary for authentication or security purposes. This effectively provides an "additional" basis for processing biometric data so as not to hinder developments in the use of biometrics as a means of identification, according to the legislator.(4)
But it must therefore be possible to justify why, for example, access to a building or information system must be secured in such a way that it must be done with biometrics. That required need for the use of biometrics often seems difficult to substantiate in practice. Substantiating that the use of biometrics is necessary for reasons of substantial public interest is even more difficult. One situation in which the use of biometrics is deemed necessary for reasons of substantial public interest is, according to the legislature, the security of access to a nuclear power plant.
In practice, we mostly see situations that fail this (severe) test. For although the AP does not have the necessary manpower to tackle all improper use of biometric data,(5) the warned Jumbo supermarket was not the first to receive a slap on the wrist for this.
Earlier this year, in fact, a company was fined handsomely for processing employee fingerprints.(6) The company (which successfully litigated against disclosure of its name)(7) used a timekeeping system that allowed employees to clock in and out using their fingerprints. Prior to that, in August 2019, the Amsterdam court ruled that an employee of shoe store Manfield had rightly refused to give up her fingerprint for the introduced authorization system for access to the cash registers.(8) Indeed, according to the court, that was in violation of the rules from the AVG and the UAVG. This ruling prompted retail chain HEMA to stop using the same fingerprint scanning system for cash registers and time clocks.(9)
Invariably, the processing of biometric data was deemed unnecessary and disproportionate. As far as I am concerned, this judgment was obvious in the situations given. But the question is whether there are conceivable situations - somewhere between the supermarket and the nuclear power plant - in which the use would be considered necessary and proportionate for authentication or security purposes.
Where this is not the case, the alternative is to obtain explicit consent for processing biometric data. However, this is often impractical or not legally valid. For example, it is difficult for a supermarket to ask every shopper for explicit consent. An employee's consent is (generally) not legally valid because it is deemed not freely given due to the existing relationship of authority.
Actually, a person should not suffer any adverse consequences for refusing consent. This means that, in general, an alternative must be provided. For example, a gym that uses a finger scanning system for access will have to continue to offer its members a pass system as well.(10)
The foregoing does not make it easy or attractive to use biometrics. And all the while the legislature intended to promote developments in that area...
(1) https://www.privacy-web.nl/nieuws/formele-waarschuwing-ap-aan-supermarkt-om-gezichtsherkenning
(2) https://www.privacy-web.nl/nieuws/antwoorden-kamervragen-over-het-bericht-over-tientallen-cameras-bij-jumbo
(3) https://www.privacy-web.nl/nieuws/ap-wijst-supermarkten-op-regels-gezichtsherkenning
(4) https://zoek.officielebekendmakingen.nl/kst-34851-3.html
(5) https://www.nissewaard.nl/nieuws-1/autoriteit-persoonsgegevens-ziet-af-van-nader-onderzoek-klacht-fnv-over-gemeente-nissewaard.htm
(6) https://www.privacy-web.nl/nieuws/boete-voor-bedrijf-voor-verwerken-vingerafdrukken-werknemers
(7) https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBLIM:2020:1795&showbutton=true&keyword=ECLI%3aNL%3aRBLIM%3a2020%3a1795
(8) https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBAMS:2019:6005&showbutton=true&keyword=
