UK Facewatch GDPR Compliance Questioned

By: IPVM Team, Published on Aug 27, 2019

Even as the GDPR strictly regulates biometrics, a UK company called Facewatch is selling anti-shoplifter facial recognition systems to hundreds of retailers. Facewatch even keeps a database of suspects, only deleting profiles after two years "if you’re never seen stealing again".

UK Facewatch GDPR Compliance Questioned

While Facewatch says it "fully complies" with the GDPR and meets its critical "Substantial Public Interest" standard, we find some issues with this, chiefly:

  • Facewatch's main GDPR compliance claim comes from a private sector lawyer it hired, rather than a government or independent GDPR authority
  • Experts IPVM spoke with questioned whether catching shoplifters actually is Substantial Public Interest and criticized the private lawyer for stating Facewatch's system could potentially prevent "terrorism"
  • The Substantial Public Interest standard, contrary to the claims of Facewatch's CEO, is very vaguely defined in the law
  • While Facewatch says it is so GDPR compliant it can be used outside the UK, its retail solution would be illegal in at least two GDPR countries
  • The EU has recommended much shorter storage periods for retail

Facewatch does say it closely follows existing guidance from the ICO, the UK's data protection agency/GDPR enforcer, which it submits GDPR compliance documentation to (such as Data Protection Impact Assessments.)

But the UK currently has no facial recognition legislation, and a national outcry over the technology is sparking demand for clear regulations, potentially leading to a tougher interpretation of the GDPR and a harm to Facewatch's business model. In this post, we take an in-depth look at Facewatch and the GDPR, including:

  • Facewatch Basics: How It Works, Pricing, Scope, Etc
  • Facewatch GDPR Compliance Claims
  • "Businesses in other Countries Can Use Our Solution With Confidence"
  • What the GDPR Says About Facial Recognition
  • "Substantial Public Interest" Justification Questioned
  • EU Recommends Far Shorter Retail Storage
  • Potential Regulatory Risk Amid Unprecedented Scrutiny
  • Facewatch Response
  • Conclusion

How Facewatch Works

Facewatch sells systems to retailers that allows them to scan the face of every customer going into a store and instantly compare it to their own watchlist:

Facewatch scans the face of each customer as they enter the premises. Each face is converted into an algorithm and sent to the Facewatch watchlist where algorithmic templates are compared. If there is no match, the data is deleted. Where there is a match, an alert is generated. Alerts can be sent to multiple users enabling appropriate action to be taken.

The company claims on its website its solution can reduce theft "by at least 35% in the first year". Their promotional video, embedded below, overviews their offering:

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Watchlist Kept for Two Years

Facewatch says faces on its watchlist are kept for two years, after which they are deleted "if you’re never seen stealing again". (Unmatched faces are not stored).

Facewatch members can add someone to the list as long as they claim that person has been involved in shoplifting or other misbehavior. There is no need for a legal court order, charge, or conviction.

Facewatch is the one maintaining the watchlist, not the stores themselves, making the company a "Controller" under the GDPR, i.e. it is directly responsible for the data. Because its stores span across the UK, Facewatch speaks of its "unique position as a national data controller", but this is not a GDPR/legal term - it is not mentioned anywhere in the law, and "national data controller" has only been used by the EU to describe national-level data authorities like the ICO, not private firms.

Scope

In 2016, Facewatch told the BBC that their system has been used by "10,000 premises" so far; more recently, it told the Financial Times that it will soon be used by "550 stores across London".

Price "A Lot More Affordable Than You Think!"

The price of the system is not public, however, Facewatch is not aiming at the high-end enterprise market, stating on its website that its solution is "a lot more affordable than you think!"

Facewatch also sells facial recognition to UK police; a pricing document from 2019 shows it charges about $2,700 per camera annually for a minimum 3-year license (around $8,100 total):

Technical Details

Facewatch's website states that its solution is "simple to deploy", using a "standard HD CCTV camera" and an Intel NUC mini-PC. While Facewatch does not identify camera brands, it lists itself as an "authorized partner" of Axis on its homepage:

Facewatch Claims "Fully GDPR Compliant"

Facewatch claims it is "Fully GDPR Compliant":

Facewatch does comply with the GDPR in some ways, stating for example:

Our customers are businesses (Subscribers) who must display signage saying that Facewatch facial recognition is in operation. [GDPR's Article 12]

And Subject Access Request [GDPR's Article 15]

Facewatch also told IPVM it submits Data Protection Impact Assessments (Article 35) to the ICO for each retail outlet and for its national suspect database. The ICO did not respond to our request to confirm this, but it's highly unlikely Facewatch wouldn't submit DPIAs, which would be a very obvious GDPR violation and is something a Swedish school was recently fined for.

"Businesses in other Countries Can Use Our Solution With Confidence"

Facewatch claims its GDPR compliance is so good, you can use its system pretty much anywhere:

The solution meets General Data Protection Regulation (GDPR) compliance, protecting businesses from being held liable for violating privacy laws. “In setting up Facewatch, we worked with multiple government agencies to confirm the rules of using our watchlist,” said [Facewatch CEO Nick] Fisher. “The laws in the UK on meeting the Substantial Public Interest test are the toughest in the world. That means businesses in other countries can use our solution with confidence.”

This is false. Belgium bans private sector facial recognition explicitly based on its interpretation of the GDPR. IPVM also reached out to France's Data Protection Agency, the CNIL, and they told us private facial recognition for retail "is outlawed in France" based on both the GDPR and prior French law.

GDPR Issue: "Substantial Public Interest" Justification Questioned

The GDPR doesn't mention facial recognition but bans biometrics processing in Article 9 with a few key exceptions. Facewatch's core legal justification rests on one those exceptions -"substantial public interest":

Facewatch says it meets this standard, even stating that its technology has the "potential to prevent" terrorism:

because Facewatch is processing data on a national level and is demonstrated to reduce/prevent crime in subscriber properties with the further potential to prevent and detect crime at all levels including terrorism, it is in the Substantial Public Interest. [emphasis added]

Expert: Facial Recognition for Shoplifting Disproportionate

However, whether Facewatch meets the Substantial Public Interest standard is not so clear-cut. Its chief justification is the quote above, which is a legal opinion from a London lawyer Facewatch hired named Dean Armstrong, rather than a governmental official or agency.

IPVM found experts who questioned Armstrong's opinion, particularly given Facewatch's focus on shoplifting. Subhajit Basu, an associate IT law professor at the University of Leeds said facial recognition for shoplifting was disproportionate:

I have not seen any evidence that the technology is necessary for the retail sector. I am yet to be convinced that it is proportionate and effective considering how invasive the technology is.

Basu said that while "public interest" has an "air of democratic propriety", it could be interpreted in many ways, especially given the lack of clear guidance:

It is not that straightforward, so they are using the concept of public interest, which is a nebulous concept

Terrorism Claim "Artificially Inflating the Public Interest"

Eerke Boiten, director of De Montfort University's Cyber Technology Institute, said Dean Armstrong's opinion about Facewatch having the capability to stop terrorism "sounds like artificially inflating the public interest":

As terrorism, unlike shoplifting, isn’t restricted to taking place in shops, accepting this would mean that there’s a valid justification for any facial recognition taking place anywhere.

Boiten also critiqued Dean Armstrong's opinion that "it is necessary to provide alerts to business subscribers to prevent or detect unlawful acts" [emphasis not added]:

It certainly isn’t necessary in the logical meaning of the word – there are other things that prevent crime besides facial recognition

Key Issue: No Detailed Definition of Substantial Public Interest

The GDPR itself has no explanation of what meets this standard. Neither does the latest EU GDPR for Video Surveillance guidelines. The UK's 2018 data protection act (DPA), which implements the GDPR, also does not define this standard, even though Facewatch's CEO has claimed UK laws on Substantial Public Interest "are the toughest in the world".

The closest the 2018 DPA gets to adding clarity is stating that biometrics are allowed if "preventing or detecting unlawful acts", which are "necessary for reasons of substantial public interest" which is not defined:

(This is the same clause interpreted by Dean Armstrong in Facewatch's favor).

Other Issue: Long Length of Storage

Facewatch keeps suspect data for two years "if you’re never seen stealing again". This is a very long time, and EU authorities typically recommend far shorter storage periods, even though the GDPR has no set storage limits. The EU's provisional GDPR for Video Surveillance Guidelines state that for fighting vandalism in everyday retail, "a regular storage period of 24 hours is sufficient":

The EU adds:

In general, legitimate purposes for video surveillance are often property protection or preservation of evidence. Usually damages that occurred can be recognized within one or two days.

While the EU does not mention shoplifting per se, "property protection" for retail is essentially the same.

ICO Response

IPVM asked the UK's data regulator and GDPR enforcer, the ICO, if it thought that Facewatch met the "substantial public interest" and other potential GDPR issues with the firm's business model. However, we received a generic response:

Organisations wishing to automatically capture and use images of individuals in public spaces need to provide clear evidence to demonstrate it is strictly necessary and proportionate for the circumstances and that there is a legal basis for that use.

Facewatch Response: Public Interest "Matter of Judgement"

Facewatch told IPVM over email and in spoken interviews that it was confident it met the substantial public interest, regardless of the experts' criticisms:

Clearly substantial public interest is a matter of judgement and in our judgement and that of our QC [Queen's Counsel, i.e. the lawyer they hired] and DPO [Data Protection Officer] we are comfortable that we can meet this test. There are views on both sides - if like us you spoke to the shopkeepers and shop staff being put out of business, being assaulted and losing £X per week you would get a very different view.

Every single thing you buy has been increased in price by 1% if not more because of people stealing, the extra cost of guards, cameras, cabinets, extra staff.

What’s important to remember is that Facewatch is preventing and deterring crime: it’s not just shoplifting. One of the biggest problems is retail violence and abuse of staff and everything else

Regarding the EU's recommended storage period for retail, Facewatch said IPVM was "comparing apples and pears!":

The rules for CCTV retention are quite different from FR data. Facewatch does not keep/store or hold FR data at all unless the data has matched a watch list of known thieves from an individual store

If anything, though, facial recognition data (as a "special category of personal data" under the GDPR) is even more sensitive than CCTV footage, although the GDPR gives no explicit storage limits in either case.

Regarding the fact that Facewatch's retail solution is banned in at least two GDPR countries, Facewatch responded:

It’s often accepted that the UK tends to set the standard when it comes to establishing legal position and [CEO Nick Fisher's] comment earlier this year was supporting that. Facewatch confidently believe that facial recognition and the communication of its use in a particular area acts as a deterrent to crime.

Unprecedented UK Face Rec Scrutiny

Facial recognition is under heavy scrutiny in the UK after the Financial Times recently revealed that a prominent London development at Kings Cross is covertly using the technology. This sparked an ongoing ICO investigation which is also looking into "whether the current [regulatory] framework has kept pace with emerging technologies", while the UK Biometrics Commissioner has called for laws tackling both private and public use.

Facewatch itself is facing rising scrutiny from the media and activists, with major UK newspaper The Observer publishing a detailed profile of the company and similar ones, stating they raise "concerns about civil liberties" and quoting the prominent privacy organization Big Brother Watch calling for a total "moratorium" on facial recognition:

On August 19, Big Brother Watch announced it had lodged a complaint with the ICO "about the epidemic of private facial recognition surveillance in the UK" after the organization released a report about private facial recognition use (which did not mention Facewatch.)

However, Big Brother Watch's director has published a blog post directly criticizing Facewatch and its business model:

The watchlists used by retailers are privately compiled, often populated with 'undesirable’ people not guilty of any crime whatsoever.

The link goes to this Big Brother Watch tweet criticizing a Facewatch ad:

Big Brother Watch are not alone, with mainstream human rights org Liberty tweeting that facial recognition "violates our privacy" and "must not be normalised" in response to the Observer article.

Potential Regulatory Risk for Facewatch

The risk for Facewatch is that, with all the (mostly negative) attention about UK facial recognition, new and much clearer laws/regulations interpret the GDPR much more strictly. However, Facewatch said it is not concerned and in fact embraces the prospect of legislation:

We are very keen for legislation to be introduced and are confident that our business model is a positive force for good.

Facewatch said that unlike Kings Cross, it is not being investigated by the ICO and is actually "working with them closely as part of their current FR review." The ICO did not reply specifically when we asked about Facewatch being investigated, instead, they sent another generic statement:

The ICO is currently investigating the use of facial recognition technology by law enforcement in public spaces and by private sector organisations, including where they are considering partnering with police forces. This is a priority area of work for the ICO.

Conclusion

The lack of clear facial recognition rules in the UK has led to various interpretations of the GDPR but this looks likely to change.

How that impacts Facewatch remains to be seen. It could end up being a boon for the company, but if it does not, it will clearly highlight the risk of touting GDPR compliance claims prior to the actual rules being fully detailed.

As Facewatch themselves told us in one of our interviews:

There aren’t really any regulations at all and that’s part of the problem.

Comments (2) : PRO Members only. Login. or Join.

Related Reports

Hikvision CEO And Vice-Chair Under PRC Government Investigation on Nov 14, 2019
In a surprising and globally covered move, Hikvision CEO Hu Yangzhong and Vice-Chairman Gong Hongjia are being investigated by China's securities...
Camera Field of View (FoV) Guide on Nov 13, 2019
Field of View (FoV) and Angle of View (AoV), are deceptively complex. At their most basic, they simply describe what the camera can "see" and seem...
Wireless / WiFi Access Lock Guide on Nov 12, 2019
For some access openings, running wires can add thousands in cost, and wireless alternatives that avoid it becomes appealing. But using wireless...
Hikvision Global News Reports Directory on Nov 11, 2019
Hikvision has received the most global news reporting of any video surveillance company, ever, ranging from the WSJ, the Financial Times, Reuters,...
Biggest Low Light Problems 2019 on Nov 08, 2019
Over 150 integrators responded to our survey question: "What are the biggest problems you face getting good low-light images?" Inside, we share...
Rhombus Cameras, VMS and Analytics Tested on Nov 06, 2019
Rhombus boasts they have created "the new standard in Enterprise, cloud-managed video security" and told IPVM in January 2019 they offer twice the...
90+ Companies Profile Directory on Nov 05, 2019
While IPVM covers the largest companies in the industry regularly (like Axis, Dahua, Hikvision, etc.), IPVM strives to do a profile post on each...
IP Camera Mount Shootout - Axis, Bosch, Dahua, Hanwha, Hikvision, Vivotek on Nov 04, 2019
Which manufacturers offer the best or worst mounts? We bought and tested ~50 IP camera mounts and related components from Axis, Bosch, Dahua,...
Tailgating: Access Control Tutorial on Oct 31, 2019
Nearly all access control systems are vulnerable to an easy exploit called 'tailgating'. Indeed, a friendly gesture in holding doors for others...
France Declares School Facial Recognition Illegal Due to GDPR on Oct 31, 2019
France is the latest European country to effectively prohibit facial recognition as a school access control solution, even with the consent of...

Most Recent Industry Reports

ADT Stock Surges - "Leading The Commercial Space" on Nov 15, 2019
Don't call it comeback... but maybe call it a commercial provider. ADT, whose stock dropped by as much as 2/3rds since IPOing in 2018, has now...
Gatekeeper Security Company Profile - Detecting Faces Inside Vehicles on Nov 14, 2019
Border security is a common discussion in mainstream US news and politics, as is the use of banned Chinese equipment by US Government agencies....
Hikvision CEO And Vice-Chair Under PRC Government Investigation on Nov 14, 2019
In a surprising and globally covered move, Hikvision CEO Hu Yangzhong and Vice-Chairman Gong Hongjia are being investigated by China's securities...
Camera Field of View (FoV) Guide on Nov 13, 2019
Field of View (FoV) and Angle of View (AoV), are deceptively complex. At their most basic, they simply describe what the camera can "see" and seem...
UK Big Brother Watch: Hikvision Is 'Morally Bankrupt' on Nov 13, 2019
UK civil liberties advocate Big Brother Watch has condemned Hikvision as being 'morally bankrupt' following IPVM exposing Hikvision marketing...
Color Low Light Mega Camera Shootout - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision, Panasonic, Speco, Sony, Vivotek on Nov 12, 2019
This is the biggest color low light shootout ever, testing 20+ super low light models from 10 manufacturers: Increasingly, each manufacturer...
Wireless / WiFi Access Lock Guide on Nov 12, 2019
For some access openings, running wires can add thousands in cost, and wireless alternatives that avoid it becomes appealing. But using wireless...
Hikvision Global News Reports Directory on Nov 11, 2019
Hikvision has received the most global news reporting of any video surveillance company, ever, ranging from the WSJ, the Financial Times, Reuters,...
Hikvision Markets Uyghur Ethnicity Analytics, Now Covers Up on Nov 11, 2019
Hikvision has marketed an AI camera that automatically identifies Uyghurs, on its China website, only covering it up days ago after IPVM questioned...
Open vs End-to-End Systems: Integrator Statistics 2019 on Nov 11, 2019
Preference for open systems is on the decline, according to new IPVM statistics. We asked integrators: For video surveillance systems, do you...