The creation of a European facial recognition file – a good idea ?
According to The Intercept, 10 EU member states’ police departments would call, in a involuntarily published report, for the introduction of EU legislation to create a big European biometric file, which includes facial recognition data.
That idea aims to make law enforcement investigations easier and faster across all EU state. The report would add that this document is shared not only with the 27 EU countries, but also with the United States and some other countries, in order to finally create an International facial recognition database.
A logical continuation ?
On the context of fighting against terrorism, organized or transnational crime and illegal immigration, few countries such as Germany, Austria, Belgium, Spain, Luxembourg, Netherlands and France have signed, in 2005, the Prüm Convention. This Convention has allowed these countries to exchange some biometric data (DNA, fingerprints, vehicle registration…). So, this European facial recognition file would just be an extension of what already exists for other biometric data.
Moreover, since 2006, some discussions were started on data privacy in order to exchange information between EU and US for law enforcement purposes (High Level Contact Group Documents).
Finally, some countries in the world, such as China or USA have already implemented this type of facial recognition database. In fact, China and US are massively using facial recognition cameras and combined these data with all information from social networks. A similar system exists between the US and any country that is part of the Visa Waiver Program : bilateral agreements allows US and European agencies to access fingerprint and DNA databases.
The risks of the creation of a European facial recognition file
Firstly, that can create politic and democratic problems because this file could give the possibility of unjustified, or illegal general surveillance.
Then, there are also cybersecurity risks. This type of file has to be protected from cyberattacks. A facial recognition data leak may have significant consequences. For example, these data can be sold on the dark web and people concerned can be victim of identity theft.
Finally, there are also legal risks related to the processing of personal and sensitive data. These treatments have to be regulated and always be in accordance with the GDPR.
According to the article 4,1 GDPR « ‘personal data’ means any information relating to an identified or identifiable natural person ». Moreover, the GDPR defines sensitive personal data as « data revealing racial or ethnic origin, (…) genetic data, biometric data for the purpose of uniquely identifying a natural person » (article 9,1). In theory, their processing shall be prohibited. So, this European file would process facial recognition data, which are not only personal data, but also sensitive ones.
Nevertheless, personal sensitive data treatments can be allowed for some reasons exposed in the article 9,2, for instance if the « processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued ». It can be the case for example on the context of terrorism, when law enforcement urgently need to find a suspect. So, we can consider that this exception will often be relevant.
However, there is a risk of abuse of sensitive personal data treatments. That is why, at the same time, the French data protection authority, the CNIL, calls for a democratic debate on the new uses of surveillance cameras. On November 15th 2019, CNIL has published a guide in which it explains, using legal, technical and ethic arguments, why it is important to create a facial recognition code in order to regulate this new field of technology and prevent future abuses.