GDPR / ICO Complaint Filed Against IFSEC Show Facial Recognition
By IPVM Team, Published on Jun 20, 2018
IPVM has filed a complaint against IFSEC’s parent company UBM based on our concern that its London conference violates core GDPR principles on biometrics.
In this note, we explain what is being done at IFSEC, what the GDPR regulations are for this and why the complaint was made.
Biometrics Processing Based on Informed Consent
According to the GDPR, which went into effect on May 25 and which the UK is party to, biometrics processing like facial recognition is considered a "special category of personal data" and is generally prohibited with important exceptions.
One of those exceptions – the one which would apply to IFSEC – is informed consent with specified purposes. Article 9, section 2(a) of the GDPR states that biometrics are allowed if:
the data subject has given explicit consent to the processing of those personal data for one or more specified purposes [emphasis added]
Article 7 also states consent notices must be written:
in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language [emphasis added]
IFSEC Booths Facial Recognition Illegal?
Easily a dozen IFSEC booths included demonstrations which had cameras film attendees and analyze their faces, even making age, gender, and behavior estimates. This included Chinese government-owned Hikvision, widely feared Chinese government-controlled Huawei, Chinese mega-manufacturer Dahua plus a variety of small companies from around the world. The images below show a sample of the sheer number of companies using biometrics at IFSEC 2018:
IPVM contacted IFSEC about this and was given the documents attendees agreed to in order to register.
However, none of the notices conference attendees agreed to have any mention whatsoever of biometric/special category processing taking place.
UBM told IPVM the data notice on the back of attendees’ badges provided consent. However, this notice makes no mention of biometric processing nor anything like it. Read it here and see it below:
Vendors' Explanation: Delete Anyway
A common explanation from facial recognition vendors we spoke to was that they are going to delete this anyway after the show. Whether they are, we cannot be sure. However, the GDPR does not allow non-consented, random biometric processing simply because the company claims they will delete it later. Moreover, vendors were consistently unclear about the need for there to be specified purposes, beyond their desire to sell this.
IPVM filed the case today, June 20th. Receiving a response may take time. IPVM will update our readers on further developments as they happen.
Update August 2018: The investigation has officially started and the UK ICO is contacting UBM / IFSEC:
Why We Filed
Reason 1: Despite heavy manufacturer GDPR marketing, actual practices and products are overwhelmingly unchanged. We are hoping that by drawing attention to this issue, manufacturers will think more carefully about their use of facial recognition.
Update December 2018