The Personal Data Authority (AP) has investigated eight vacation parks that use facial recognition to access swimming pools and playgrounds. All investigated vacation parks appeared to violate the privacy law. For example by not informing their guests that they could also visit the swimming pool without facial recognition. Under pressure from the AP, 7 of the parks investigated have adjusted their working methods, but 1 vacation park has not yet done so. If that remains the case, the AP may impose other measures, such as a fine or penalty.
The AP launched the investigation because of tips from citizens. "People were surprised," says AP vice president Monique Verdier. "Where they used to enter the pool with a pass or wristband, now suddenly facial recognition was being used. For adults, but also for children. Just to get into the pool. Is that allowed just like that? That's what they wanted to know."
The General Data Protection Regulation (AVG) places strict conditions on the use of facial recognition. "The deployment is basically prohibited. And for good reason," says Verdier. "Once such a facial scan is made of you, you lose control. You can then be identified and tracked anywhere. Your face is unique and you can't just swap it out for another one."
In principle, in only 3 cases facial recognition is allowed:
If the facial recognition has only a personal or household purpose, such as unlocking a phone.
If the facial recognition is necessary for authentication or security. There is no such need easily. There must be a compelling public interest. For example, the security of a nuclear power plant or state secret information.
If the person whose face you are scanning gives express permission to do so.
Thus, in the case of access control for a swimming pool, only option 3 is possible: explicit consent. There are quite a few conditions on how an organization should ask people for permission to use facial recognition.
For example, the organization must keep people well informed so that they really know what they are saying "yes" to. They must also be free - and feel free - to say "no. That means, among other things, that there must also be an alternative. In this case: for example, that you can also gain access with a pass or wristband.
The AP's investigation found that all vacation parks did not comply with the law. The AP found several violations:
Sometimes parks didn't even ask for permission. Or not clearly enough.
Guests sometimes could not use an alternative to facial recognition. Or there was an alternative, but the resort did not let guests know on its own.
Other resorts did not adequately inform guests about facial recognition. And about the rights guests have once an organization uses their personal data for facial recognition.
Guests were often given no information about how long the resort keeps the data and who receives the data.
Verdier: "This is very serious. You shouldn't pressure people to give up their biometric data. Yet that was what happened here: people pay for a nice vacation, including a swimming pool, and are presented with a fait accompli: if you want to swim, you have to give up your data. That is forbidden."
The AP has imposed an order on the vacation park that is currently not in compliance with the law. The resort will be given until early December to adjust its facial recognition practices. If the park does not do so, the AP can proceed to other measures. Verdier: "The company has then had enough opportunity to comply with the law. Another measure, such as a fine or a penalty, may then be necessary."
