GDPR / ICO Complaint Filed Against IFSEC Show Facial Recognition

Author: IPVM Team, Published on Jun 20, 2018

IPVM has filed a complaint against IFSEC’s parent company UBM based on our concern that its London conference violates core GDPR principles on biometrics.

The complaint was filed with the Information Commissioner’s Office (ICO), the UK’s data supervisory authority which monitors GDPR compliance. Any IFSEC attendee can make such a complaint here.

In this note, we explain what is being done at IFSEC, what the GDPR regulations are for this and why the complaint was made.

Biometrics Processing Based on Informed Consent

According to the GDPR, which went into effect on May 25 and which the UK is party to, biometrics processing like facial recognition is considered a "special category of personal data" and is generally prohibited with important exceptions.

One of those exceptions – the one which would apply to IFSEC – is informed consent with specified purposes. Article 9, section 2(a) of the GDPR states that biometrics are allowed if:

the data subject has given explicit consent to the processing of those personal data for one or more specified purposes [emphasis added]

Article 7 also states consent notices must be written:

in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language [emphasis added]

IFSEC Booths Facial Recognition Illegal?

Easily a dozen IFSEC booths included demonstrations which had cameras film attendees and analyze their faces, even making age, gender, and behavior estimates. This included Chinese government-owned Hikvision, widely feared Chinese government-controlled Huawei, Chinese mega-manufacturer Dahua plus a variety of small companies from around the world. The images below show a sample of the sheer number of companies using biometrics at IFSEC 2018:

IPVM contacted IFSEC about this and was given the documents attendees agreed to in order to register.

IFSEC Notices

However, none of the notices conference attendees agreed to have any mention whatsoever of biometric/special category processing taking place.

UBM told IPVM the data notice on the back of attendees’ badges provided consent. However, this notice makes no mention of biometric processing nor anything like it. Read it here and see it below:

Neither does IFSEC’s privacy policy nor their terms and conditions make any mention of biometrics/facial recognition/special category processing.

Vendors' Explanation: Delete Anyway

A common explanation from facial recognition vendors we spoke to was that they are going to delete this anyway after the show. Whether they are, we cannot be sure. However, the GDPR does not allow non-consented, random biometric processing simply because the company claims they will delete it later. Moreover, vendors were consistently unclear about the need for there to be specified purposes, beyond their desire to sell this.

Case Filed

IPVM filed the case today, June 20th. Receiving a response may take time. IPVM will update our readers on further developments as they happen.

Update August 2018: The investigation has officially started and the UK ICO is contacting UBM / IFSEC:

Why We Filed

Reason 1: Despite heavy manufacturer GDPR marketing, actual practices and products are overwhelmingly unchanged. We are hoping that, by drawing attention to this issue, manufacturers will think more carefully about their use of facial recognition.

Reason 2: There is no 'case law' on how facial recognition can be used under GDPR. Can a generic privacy policy cover biometrics? Can the 'purpose' of using biometrics be no greater than simply selling security systems? We are hoping that a response from the ICO can help clarify when, where and how facial recognition can be used.

Comments (36)

(pssst...edit your story title to say "complaint" rather than "compliant")...A Friend.

I'm either dyslexic or missing the funny. Doesn't the title say, "complaint?"

We fixed it, sorry for not updating / clarifying in the comments.

Have you had a chance to look at some EU/Western based facial recognition companies and quiz them re: GDPR, for example Herta (Spanish company)?

The answers were roughly the same from Western and Chinese companies, as mentioned in the post, mostly about deleting the data. No one had a very crisp, GDPR specific citation response (i.e., yes, we can do this because we comply with GDPR section X, Y, Z, etc.)

This is going to get interesting, one could argue that the very act of recording faces and the possibility of a human looking at them to determine or process individual data as defined in art.9 GDPR also contravenes GDPR.
This would effectively mean most if not all CCTV installations are not GDPR compliant.
Using the same argument you can also say that no more data is recorded in the act of facial recognition than a standard CCTV recording, and no more processing is carried out automatically than would be done by a human looking at the recording.
I am sure the intended purpose of GDPR is not to effectively outlaw CCTV so the second scenario would seem logical
However I think that once you get in to recording and comparing captured images against stored images in a database, the question of EXPLICIT permission really does become a real question that needs looking at.

Using the same argument you can also say that no more data is recorded in the act of facial recognition than a standard CCTV recording, and no more processing is carried out automatically than would be done by a human looking at the recording.

You could argue that but that is clearly not how the GDPR is specified. See Article 9: "Processing of special categories of personal data", key relevant quotes:

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. [emphasis added]

I'm just going to stir the pot here a little, but do the photos that have been taken covering the show and uploaded here also violate the GDPR ?

Should all faces be blurred before uploading ?

Genuinely curious to see where the line gets drawn...

Should all faces be blurred before uploading ?

Genuinely curious to see where the line gets drawn...

That's a reasonable question. The 'line' is drawn on "special categories of personal data", e.g. biometrics, not just taking a picture.

Processing of personal data revealing racial or ethnic origin.......biometric data for the purpose of uniquely identifying a natural person

Someone could claim that a photo taken of their face fits the above, and since permission was not expressly given, it could be argued that the photos are in breach...

Again, just more pot stirring, but isn't that why we are here ;)

No company can publish your personal data, like your face or a video of you, without consent. So in theory you are right.

To take it away from this forum, if the local gas station prints a screengrab of me and hangs it on the wall or publishes it on their Facebook page it is a violation (and rightly so).

No company can publish your personal data, like your face or a video of you, without consent.

That's incorrect. There are legitimate interest grounds, citing the ICO:

The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

Good luck.

How did you identify who to file the complaint with?

How did you identify who to file the complaint with?

It's the ICO - "The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals."

I am not sure of a close US equivalent but the ICO is well known in the UK for this role.

Actually, that data collection/handling was done by exhibitor 3rd parties, not by UBM. UBM is about the bar codes, as you showed with a copy of a badge.

You should file a complaint against those manufacturers who used those technologies.

It is pretty much the same if IPVM has an event, and I start to collect data on that, and somebody makes a complaint to you.

Attila, that is a reasonable explanation. However, in this case, IFSEC / UBM effectively took responsibility for their exhibitor's data collection. I made sure to get feedback from IFSEC / UBM before filing the complaint and their direct answer was that the consent on the back of the card covered the facial recognition being done by their exhibitors.

Think about if IFSEC / UBM took your approach and said each manufacturer need to get consent, etc. That would logistically handicap all their customers / manufacturers. Each one would have to hide / partition the facial recognition and get explicit consent at any booth to go into the facial recognition area. I am not saying this would be bad but if I am IFSEC / UBM I'd rather apply my consent to all booths. Thoughts?

Hi John,

I'm curious if you will also be filing with other trade shows. There have been several since the GDPR that I've attended where facial/biometric data has been shown/captured. I imagine with ASIS (GSX) coming up in a few months, everyone will be showing/capturing data there as well.

ASIS (GSX) is in Las Vegas, not the EU, and therefore is not covered by the GDPR. The State of Illinois in the US has a similar biometric regulation so if there was a show there, we would certainly consider it.

We also will be covering Essen (in Germany this fall) and would file a similar complaint if the same situation occurred.

Voice recording might be another area for investigation, since Nevada is a two party state.

There are a couple of privacy laws that could apply. Nev Rev Stat 205.473, 595.970 to personal information in a trade show context. For example encrypting transfer of PII, I wonder how many show badge reader systems encrypt... is this covered in the agreement for the badge, is there a PII transmission, not sure but there might be something there.

Reading this:

biometric data for the purpose of uniquely identifying a natural person

I am taking this to mean facial recognition, not just detection. The images you posted have gender/age/expression type of information, not "This person is John H." Also, they are not identifying anything like religion or political affiliation or anything else in the "prohibited" list. So is this in violation?

The images you posted have gender/age/expression type of information, not "This person is John H."

No, that's incorrect. We posted 8 images and many of them are clearly face / person information, e.g., I am copying the first image from our list above.

They are scanning every face that passes those cameras "for the purpose of uniquely identifying a natural person". Even if my name (or yours) is not in the system, I could be falsely identified as someone else (i.e., "This person is Tom the terrorist", etc.)

Your complaint here seems to be about real time processing. If you're saying it's invalid to gather this information, is your complaint equally valid for post processing? I.e. nobody should be recording any video of anyone at all, because company X can go through it forensically and harvest the same information?

What happens if someone records video in the EU, then sends it outside the EU, and that company gathers this information? This is all just a mess.

nobody should be recording any video of anyone at all, because company X can go through it forensically and harvest the same information?

Recording video itself is not the issue. Using facial recognition to search through video is an issue, i.e., they would have to have consent or some public safety exception to perform it in the EU.

Related: GDPR For Video Surveillance Guide

Good to see that people are taking action to cases that break the privacy law. The combination of the enormous increase in the number of installed security cameras and the recent gain in image recognition possibilities with deep learning makes privacy a serious issue. "Big Brother" is becoming a serious threat nowadays. With the new GDPR law, Europe is trying to protect its people by limiting the amount of privacy that will be invaded by the mass surveillance concept. To imply this rule, every citizen can file a complaint to an offender of the law. That is a great way to maintain the law. Kudos for IPVM for taking action in this case. Let's take privacy very seriously!

Interesting case and wondering where it will go.

On the same day GDPR went into effect, Belgium issued a new CCTV law effectively forbidding ANY automated processing of personal data based on CCTV footage. Only exception is ANPR. All other, such as facial recognition, are forbidden in Belgium at the moment.

Would be interested to know if there are any other countries, EU or non-EU, that go this far.

To be clear, it concerns CCTV images that are compared to personal data stored in a database or other file. Hence face detection is allowed, recognition is not.

Interesting case, let's see what happens.

When it comes to using facial detection the guidelines (published in Dutch) are not conclusive and refer also to the previously applicable laws.

That set of laws gave the following info, it could be allowed if:

• a. The research serves a general interest,
• b. the processing for the relevant investigation or the relevant statistics is necessary,
• c. asking for explicit consent proves impossible or requires a disproportionate effort
• d. the performance is provided in such a way that the privacy of the person concerned is not disproportionately harmed.

Next to this, the GDPR demands data minimization.

For a case where a face recognition camera is used at a mall, you could argue that point C is applicable: 'requires a disproportionate effort'. You can't ask everyone entering the mall to sign a waiver.

When you combine that with data minimization you could build it in such a way that only shoplifters are registered and blacklisted to alert the security team when they enter.

If the face camera only gives a notice when the blacklist is triggered and if the process of who views the video and how they do so is registered... it should be no problem.

No faces would be registered, only a trigger when an unwanted guest appears.

Update: We have not received a response yet from the ICO. However, we did send a copy to the UK Surveillance Camera Commissioner (Tony Porter's office) and they provided the feedback below, emphasizing this is the role of the ICO to cover:

The Surveillance Camera Commissioner regulates the overt use of surveillance camera systems by relevant authorities in England and Wales pursuant of the Protection of Freedoms Act 2012. Relevant authorities are defined in the legislation and include the police, local authorities and parish councils. The Surveillance Camera Commissioner does not have authority to regulate the use of surveillance camera systems operated by other organisations, nor does he have powers which enable him to inspect or audit CCTV systems, enforce laws or otherwise impose a financial or other sanction.

The Commissioner does not have access to legal advice and the question that you raise relates to matters which are outside of his scope, namely compliance with the General Data Protection Regulation (GDPR) by a non-relevant authority at a recent IFSEC event.

The EU’s GDPR is supplemented by the UK’s Data Protection Act 2018, which is separately regulated by the Information Commissioner’s Office (ICO). I note that you have already submitted a complaint to the ICO and they are the appropriate regulatory body to liaise with in respect of any enquiries arising from that legislation.

Well that was a well practiced little tap dance. Looks like they spent plenty of time getting ready to duck and dodge any attempt to get help from them.

Update: A response from the ICO acknowledging our complaint and confirming that it is in queue:

Thank you for your email regarding your data protection concern about UBM Plc.

Your case is currently in our work queue waiting to be allocated to a case officer. We deal with a large number of concerns and aim to deal with them in date order.

Once your case has been allocated, the assigned case officer will contact you to advise you of the next steps.

In the meantime, if you have any additional information which you would like us to consider, please forward it on to the case quoting the above reference number.

Thank you for your patience in this matter and we shall be in touch shortly.

We will update as we get more feedback though ICO gives no sense of how long the queue is nor how long we might have to wait.

Update: The investigation has officially started and the UK ICO is contacting UBM / IFSEC:

"Your case is currently in our work queue waiting to be allocated to a case officer. We deal with a large number of concerns and aim to deal with them in date order. "

two things:

1. Replying to cases in chronological order - without any prioritization effort - means that nobody even looks at each complaint as it comes in. So, egregious cases with obvious violations take no precedence over neighbor squabbles about cameras pointing at each other's yards.

This indicates that the ICO doesn't really care about what they are purportedly enforcing, and instead have already become just another governmental agency who can be expected to fight for more and more tax dollars each year so they can hire more case officers.

2. Even unintentionally, the amount of complaints seems to be more than the ICO can handle effectively. Any intentional effort to overload the ICO with complaints could render the effort to enforce the GDPR more useless.

Just curious on IPVM's view on the GDPR. Whilst taking advantage of the right to challenge under the act, is the intention to “test” the legislation or is it to challenge the exhibitors on a genuine concern of the abuse of the handling of personal data? If there is genuine support of the GDPR regulation, why is IPVM not pushing for a similar standard within the US that has a pretty appalling record on personal data and total disregard for CCTV data use and retention.

Could IPVM not push to clean up the domestic situation as well as challenging the efforts in place within the EU? To me, that would be worthwhile campaign for IPVM to hang its hat on and a real benefit to the industry.

That would be a very noble cause. Don’t point to a source of threat while in your home land so many things are off.

NSA and Facebook don’t have great track records when it comes to use of personal data.

While John may disagree IPVM has turned very political in the last years, mostly looking outward not inward.

If the industry is what you aim to improve, pushing for better legislation and rule sets would be a very worthy cause. Push the level of the installer to a standard that makes more sense. Not by bashing a few brands, but by starting at the basics. Fight the trunkslammers not the brand you feel they sell.

"Just curious on IPVMs view on the GDPR"

Reading the rest of your words after that intro, it sounds like you are not curious at all.

Instead, you frame your post like a question to get the answer you needed - in order to set up the remainder of your post that attempts to guilt-shame challenge John to start a 'worthwhile' campaign to clean up the appalling record of the US surveillance market.

So is it the way of framing it you object to, or the actual question he is putting out there?

My post is clear that it is the framing of the false question by UD#10 that I found disingenuous.

For instance, I disagree with a couple of the points in your post as well, but at least you were up front with your criticisms so I did not feel the need to call out any disingenuous motives on your part.
