The regulation of facial recognition at international level.
Contrary to the strict European Union’s regulation on facial recognition and its restrictions, things are not the same at international scope. In China, technologies based on artificial intelligence are widely used. Therefore, Facial recognition technology has become an integral part of people's daily life and is applied not only for private purposes (eg for home security or payment solutions) but also for public interest (eg police surveillance systems and traffic controls). Furthermore, many companies and organizations are also using facial recognition to improve their customer experience and increase business efficiencies. That phenomenon is favored by the lack of a relative regulatory framework on data facial rights. Considering that, personal information covers the sense and content of the aforementioned term and is defined as «information that can identify the individuals and that involves privacy of individuals» under the Decision of the Standing Committee of the National People's Congress on Strengthening Information Protection on Networks («NPC Decision») effective as of 28 December 2012. This definition has known several amendments through specific laws. Special emphasis shall be given on the Cybersecurity Law 2016 which offers, implicitly, a special provision on facial recognition; In particular, according to Article 76 of the CSL, ««personal information» refers to various kinds of information recorded by electronic or other means which, whether independently or combined with other information, can be used to identify a natural person, including personal biochemical information», which then implicitly covers personal facial information. In addition, the updated Personal Information Security Specification («the Personal Information Specification») pointed out the concept of «sensitive personal information» which can be derived from such a procession of data rights and so can cover facial recognition issues. Of course, there are imposed strict restrictions on controllers when processing sensitive personal information, such as encryption when transmitting and storing sensitive personal information and a separate disclosure and consenting process. Since then, Face recognition cameras have been deployed in many parts of China to target security checks in public places, such as subway stations and shopping malls. The Minister of Public Security and Chinese police are using those systems of electronic monitoring of human behavior in streets in order to prevent illegal acts. Furthermore, companies such as ZTE, Dahua and China Telecom propose the adoption of new rules and international standards for the integration of face recognition, video surveillance and license plate registration.
However, many concerns have been raised regarding the lawfulness of facial recognition.
Several Chinese cities have imposed stricter laws and requirements on that technology since there are clear risks for human privacy.
Like China, in the USA there does not exist any specific regulation on Facial Recognition Technologies. Nevertheless, many states use them for purposes of public interest. The Los Angeles Police Department has widely used, during last decade, facial recognition software via surveillance cameras in order to detect suspects of law infringements. Despite that, many states demonstrate their strong fears about the dangers for human privacy due to the use of facial recognition technology. At this point it should be noticed a controversial facial recognition bill in California which finally didn’t come into force since it met a huge criticism. Introduced as Assembly Bill 2261, the bill would provide a framework by which companies and government agencies could legally engage in facial recognition, provided they give prior notice. The utility of facial recognition was never questioned. Especially, in the era of Covid-19 the aforementioned technology is widely applied and offers great services in the health environment via several measures, such as tracking potential patients of Covid-19 via specific masks. However, that method would lead to an uncontrolled and undefined surveillance in the workplace since the prior consent was not necessary. For that reason, many California cities did not finally proceed to the adoption of the bill. According to the latest evolutions, facial recognition technology meets strong criticism at legal level since Portland, Oregon became the first jurisdiction in the country to ban the private-sector use of facial recognition technology in public places within the city, including stores, restaurants and hotels. Through the adoption of specific regulation which will come into force on 1st January 2021 «private entities» will be prohibited from using «face recognition technologies» in “places of public accommodation” within Portland, except (1) to the extent necessary to comply with federal, state or local laws; (2) for user verification purposes to access the user’s own personal or employer-issued communication and electronic devices; or (3) in automatic face detection services in social media applications.
Russia is another country where facial recognition technology is lawful and is widely used. In particular, in Moscow, a network of 100,000 cameras equipped with facial recognition technology are being used to make sure anyone placed under quarantine stays off the streets. A Russian court reaffirmed in its decision the lawfulness of such technology ruling that it does not causes any breach of privacy rights. Certainly, there are several requirements for the conformity of facial recognition with data protection principles. Therefore, the cameras are controlled from a purpose-built coronavirus control centre. Images and personal details of those under quarantine are put on a database so they can be recognised by the cameras. The centre can also be used to monitor social media for «fake news» on the coronavirus, according to officials, and track international arrivals from virus hotspots. However, serious concerns are raised since Russian national authorities seek to expand facial recognition technology. In particular, many privacy groups and digital rights lawyers allege that the national data protection legislation which enables the undefined procession of data rights for the purposes of protection of public security is unproportioned and incompatible with fundamental rights and freedom. According to those allegations, since there is no judicial or public oversight over the surveillance methods in Russia, including facial recognition, there is a potential infringement of the European Convention of Human Rights, mainly of the article 8 regarding the protection of private life. The principles of proportionality, necessity and accountability are violated so facial recognition should be limited. At this point, it should be noticed that the European Court of Human Rights in Strasbourg has already ruled that Russia's legal provisions governing communications surveillance did not provide adequate safeguards against arbitrariness or abuse, and that therefore a violation took place of Article 8 of the European Convention of Human Rights. Consequently, Moscow’s use of facial recognition could be contested at the European Court of Human Rights.
Facial recognition is also legitimate and legal practice in Canada where it has been initially used for purposes of border controls. Therefore, in order to guarantee public and national security, the police authorities proceeded to the expansion of facial recognition technology without any special requirements for the protection of human privacy. That expansion can be easily explained but not justified by the fact that Canada doesn't have a policy on the collection of biometrics, which are physical and behavioural characteristics that can be used to identify people digitally. Because of that, there are no minimum standards for privacy, mitigation of risk or public transparency, according to the Office of the Privacy Commissioner of Canada's website. Consequently, facial recognition systems can be used. Due to the strong criticism regarding the lawfulness of the technology in case, the Canadian Commissioner of the Office of Privacy has recently outlined necessary actions for privacy and data protection in an annual report to parliament. Through the emission of two specific recommendations on artificial intelligence and its legal requirements, the Commissioner admits the necessity and the great value of the use of facial recognition platforms, especially in the era of the pandemic due to Covid-19. Those platforms offer significant help and support in order to prevent the expansion of the pandemic and to protect public health. Nevertheless, stricter rules governing their use should be adopted in order to guarantee human privacy. In that vein, governments must cooperate with data protection authorities to ensure compliance with legal frameworks in the development and use of AI systems, keeping in mind consequences for human rights.
The thorough analysis which preceded demonstrated some useful conclusions. First of all, it is evident that the European Union’s policy on data privacy and artificial intelligence seems to provide more efficient and safe guarantees for the protection of fundamental rights in comparison to relevant international legislations. The European Union continues to be the safeguard of fundamental rights and freedoms and consolidates the European area of justice. Regarding the legal treatment of the challenges produced by the rapid and ongoing evolution of the technology, it is clear that facial recognition constitutes an inherent action of the EU digital strategy. Without any doubt, it includes processing of special categories of personal data. Despite the fact that existing European legislation on data rights could be applied, such as the General Data Protection Regulation, the Directive 2016/680 and the Directive PNR, the adoption of specific regulatory frameworks at national level is urgent. Certainly, all safeguards for the protection of fundamental rights must be implemented. However, due to the special nature of facial recognition and the continuous evolution of technology, all EU member states should adopt new laws on this issue. Therefore, national data protection authorities must cooperate and issue safe guidelines which would lead to the later adoption of laws.
Regarding the material scope of the proposed legislative package on facial recognition, it should be noticed that, in accordance with the relevant provisions of the GDPRits use could be legal and legitimate for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security. Furthermore, due to the rapid expansion of the pandemic caused by Covid-19, facial recognition technology could be used for the purposes of protection of public health. In all those cases, the establishment of strict conditions of application of facial recognition is of primary interest. In summary, the duration of use should be defined, the recipients of the act should not be children as well as it must be ordered by national authorities, such as police and judicial authorities. Furthermore, adequate and effective safeguards must be put in place against abuse of power, in accordance with the European Court of Human Rights. Such adequate and effective safeguards would require prior authorization by the competent Minister. In addition, the lawfulness of the measures should be examined either by a judicial authority or by an independent legal body. Under those specific conditions, facial recognition can meet not only the requirements set out under the European legislation on data rights but also the challenges posed by the EU digital strategy. Otherwise, uncontrolled facial recognition will lead to a new form of Orwellian society where technology will not serve the person but will eliminate human dignity.