GDPR / ICO Complaint Filed Against Dahua

Published Jun 27, 2019 13:57 PM


IPVM has filed a GDPR complaint against Dahua UK's facial recognition conducted at their booth during this year's IFSEC show.

In this post, we explain the reasoning behind the complaint and the difference between this one and the one we made last year, including:

  • Complaint Cause
  • Conference vs Exhibitors
  • Most Egregious
  • Previous Dahua GDPR Claims
  • Reasoning

Overall, we hope our case adds clarity on how facial recognition can be used under GDPR.

**************

** ***** ****, *****'* ***** (***** we ******* ** **** **) ******** live ****** *********** ***** ****** ****** and ******** ***** *****, ********** *** results ** * ** ******:


***** ********* ****** *********** ** **** captured ****, ********** ** ***** **** or ********* **** ** * '********' as *** ******* ***** *****:


*******, ***** *** *** ****** *** consent ** ****** ********, *** *** it **** *** ************* *** *** processing **** **** ********. ********, **** saw ** ***** **** ***** ********** biometrics ********** *** ****** ***** ******.

****, ** *** *******, ** * clear ********* ** *** ****, ************ * ************* ********** ****** *** * *** situations.********* *** **** ********* **** * booth ** * ******** ********** ***** conceivably ***. *** **** ****** ********** processing ** *********** **:

*** **** ******* ***given ******** ******* to the processing of those personal data for one or more specified purposes

*********, ** **** ***** * ********* against ***** *** ********* *** **** to *** **'* **** ********** ****** -*** *********** ************'* ******(***) - *** ************* ********* ****.

IFSEC ********** ** **********

** ****,**** ***** * **** **************** *****'* ********** (***) ***** ** attended ***** *** ***** ******* ****** recognition ***** ******* ***** ******* **** attendees.

*** *********** *** *********** *** ***** **** ***** ********** were *** *********** *** *** ******' demos. ******, ** *** *** ********* doing *** ***** ********** **** **** liable. **** ** *** **** ****, we ***** *** ********* ******* ***** UK, *** *****.

Dahua **** *********

**** ***** **** ***** ****** *********** demo *** *** **** ********* ** violation ** *** ****. ***** ****** recognition ********* ** ***** *** ** disclosures ** ******* *** ******'* *****. Moreover, ***** ***** ************ ************* **** Axis, *********, *** ****** (*********) *** not ******* **** ****** *********** ** all.

Dahua **** '*********'

***** *** **** ******* **** ****** before, ************ **** **** **** *************** *** ** ******* *** **** "certified" ** **** ********* ** *** Rheinland, * ******* ****** *******:


** ** *********, ** ******** *** ** **** compliant *** *** **** ****** ****** that ************* ******* ** *** ****** responsibilities ** *** ***. ************, ***** firms **** ****** ******* **** ************** as ****, ***************************.

*********

******* ********** ********** ***** ******** ********* by *** ****, *** ** *** no ***** ****** *********** *** ** regulations - ********* *** **'* ************ camera ************,**** ******,*** ****** ***.********, ***** **** ** **** **** a **** ***, ***** *** ***, if ***, *********** ***** ******* *** facial *********** ****** ** **** ** practice.

*** *** ** **** ********* ** for *** ** ********** ** ******* when *** ***** ****** *********** ** appropriate, *** *** ** ***** **** an ************ ***** ** ******* ******'* consent ** * ***** ****** ******** case.

**********

** **** ****** **** **** ** the **** ***** *** *** ******* the ******. **** ****, *** ********* took ****** ** ***** * ********** so ** **** ****** ** *** case ********.

Comments (26)
Undisclosed #1
Jun 27, 2019

It seems conceivable in the (near) future that security trade shows are going to have some click-wrap disclaimer when you register that says "I give my consent to be filmed and biometrically analyzed".

John Honovich
Jun 27, 2019
IPVM

At least, in the UK, the ICO ruled that it was the responsibility of each individual exhibitor, rather than the show itself: UK ICO Denies IPVM GDPR Complaint Against IFSEC, Decides Each Exhibitor Responsible. That's sensible since the show (whether it's IFSEC or ISC West or whoever) is not the 'data collector' of the facial recognition systems that exhibitors use; it is the exhibitors themselves.

Undisclosed #1
Jun 27, 2019

At least, in the UK, the ICO ruled that it was the responsibility of each individual exhibitor, rather than the show itself.

Understood, though I would think that a "service" the shows could offer exhibitors is in notifying the collective audience and gathering their consent.

It would be somewhat difficult, if not impossible, for any exhibitor to handle this on their own if they plan to demonstrate facial analytics openly in their booth. You can't approach the booth and acknowledge consent without likely being captured and analyzed by the cameras in that booth.

Further, how do attendees even know there are potential compliance issues they could run into, if the show organizer does not provide a "top-level" notification?

ICO ruling aside, I think the show needs to either find a way to collect global consent, or ban (and patrol/enforce) exhibitors from displaying anything that violates GDPR.

Mark Costello
Jun 27, 2019

John, you're some arsehole, no better things to be doing than acting like a tabloid newspaper, subscription cancelled

Undisclosed #1
Jun 27, 2019

I disagree with you on that. I think it is very interesting to see surveillance-related GDPR cases tested and analyzed this way. We have already seen some degree of unwillingness of the ICO to pursue "frivolous" claims, even when backed up by evidence. 

I think the initial kick-back of IPVM's first complaint was very informative and telling. There was some early speculation that the governing bodies might rain down obscene fees on anyone violating GDPR. We have now seen, at least in one instance, evidence to the contrary.

Further, Dahua, and others, have to know by this point that GDPR is a "thing", and they might potentially be violating GDPR with in-booth demos. It is not like IPVM baited them into running a face-rec test on attendees, or filed this on speculative guesses.

John Honovich
Jun 27, 2019
IPVM

It is not like IPVM baited them into running a face-rec test on attendees, or filed this on speculative guesses.

Indeed, the opposite, IFSEC and exhibitors knew we were investigating this and that we had filed last year. And even IFSEC posted a sign this year notifying / warning that exhibitors might be asking for consent to do facial recognition:

And, despite all of that, Dahua still did facial recognition and still made no attempt to get consent.

Undisclosed Integrator #5
Jul 01, 2019

I’d agree with you in part on the proviso that the systems in use were in a commercially deployed environment. If this test case was in a shopping mall I’d be with you, but at a security trade show not a chance!

John Honovich
Jul 01, 2019
IPVM

at a security trade show not a chance!

If it declares that security trade shows are not subject to biometrics processing rules, that would be fascinating to see. Let's see what the ICO says. That is the point of filing so that the ICO can give some guidance about how these rules are applied in practice.

Undisclosed Integrator #2
Jun 27, 2019

I am continuing to question the value of paying the subscription fees to IPVM. Actions like this are not valuable to me as a member.  

John Honovich
Jun 27, 2019
IPVM

IPVM does many things - we do testing, we do reporting, we develop software (e.g., the Calculator), etc. We charge one price for all of it. It's like a buffet: our goal is not to ensure everyone finds everything valuable, it is to ensure we provide enough overall value to justify the cost of membership, and what those things are will vary by the member.

#2, if there are specific things we are not doing that would provide value to you, please let us know here.

Undisclosed #3
Jun 27, 2019
IPVMU Certified

Philosophical question:

is it a violation even if your technology doesn’t work?

John Honovich
Jun 28, 2019
IPVM

While signs do not cover biometric processing such as facial recognition, a Dahua UK partner has pointed out on LinkedIn that Dahua did have a small sign buried inside their stand, as the images below show:

And the zoom in to the small sign:

Interesting, it does not even mention the facial recognition they did, only 'facial images'.

Undisclosed #3
Jun 29, 2019
IPVMU Certified

Hitchhikers Guide to The Galaxy

Undisclosed #4
Jun 30, 2019

Good work. These criminal companies need to be held accountable by someone. Too many laws are being broken by these multinational Chinese companies with virtually no consequences. If a US company went to China and disregarded Chinese law they would certainly be held accountable there.

Undisclosed Integrator #7
Jul 01, 2019

If a US company went to China and disregarded Chinese law they would certainly be held accountable there.

it certainly warrants getting a caning.

Undisclosed Integrator #5
Jul 01, 2019

Plenty of other stands were processing biometric data, including facial recognition.

Would the reason that Dahua has been singled out be that IPVM staff were (rumoured to have been) asked to leave the stand or that (rumoured) Hikvision took out an injunction to prevent IPVM staff from going on their stand or talking to staff?

The show was tiny this year and very poorly attended...

John Honovich
Jul 01, 2019
IPVM

that (rumoured) Hikvision took out an injunction to prevent IPVM staff from going on their stand or talking to staff

#5, what? Seriously, where do you get these 'rumors' from? First, it's completely false. Second, Hikvision talked to us in their booth. Third, we actually mentioned this in the IFSEC report:

Hikvision was the most knowledgeable of the various companies IPVM spoke with about how GDPR worked

Do a little due diligence before throwing out obviously false things, fair enough #5?

Undisclosed Integrator #5
Jul 01, 2019

I have no idea if the comments I made were true as they were 2nd hand rumours...  it’s a rumour, clearly marked as that - you can’t do due dil on rumours.  

Happy if this is not the case of course as we’d hate for HIK to try to restrain IPVM as there’d be little to read ;) 

So did Dahua ask your staff/journalists to leave the stand?

John Honovich
Jul 01, 2019
IPVM

you can’t do due dil on rumours.

Of course, you can. I expect that of my summer job high school assistant, certainly, an industry veteran like yourself can.

The false 'rumor' was: Hikvision had an injunction against IPVM for IFSEC 2019. What can you do to check? Search IPVM for our IFSEC 2019 coverage, pretty obvious, no? It says it right in the middle of the exact report relevant to your 'rumor' that we did speak with them.

So did Dahua ask your staff/journalists to leave the stand?

Again, it's in the IFSEC 2019 report, to quote:

He did so before realizing we were from IPVM. Once we had identified ourselves, he beat a hasty retreat and shouted that he couldn't speak to us.

No, we were not asked to leave the stand and Dahua made clear that they were running live facial recognition including people in the aisle and that they were not requesting consent for performing such facial recognition.

I am happy to answer all questions though if you want to be respected as an industry veteran, you should be able to spend a minute trying to fact check it in the obvious place.

Undisclosed #3
Jul 01, 2019
IPVMU Certified

you can’t do due dil on rumours.

“Of course, you can.”

but then they’re not rumors anymore ;)

John Honovich
Jul 01, 2019
IPVM

Sure, it's more fun to throw out anything and then shield yourself by saying 'rumor' <sarcasm>

Undisclosed Integrator #6
Jul 01, 2019

Hi - I for one will be interested to see where this goes, I'm agnostic about the manufacturer in question, but the legality or otherwise of facial recognition needs to be tested in the UK in line with GDPR.

It's part of my role to keep abreast of technologies including their application and implications. It allows our BDMs to inform clients of the situation when the question of facial recognition arises. We will provide it if the client requests it, but we are always in a position to inform them where it stands under legislation so they are making an informed choice.

Undisclosed Integrator #5
Sep 22, 2019

the legality or otherwise of facial recognition needs to be tested in the UK in line with GDPR.

I completely agree... we have no legal precedents upon which to base design, implementation or advice.

Tony Porter has been looking at it in depth... and he has also acted upon law enforcement using it in a poorly performing, badly implemented way.

In my opinion, the GDPR and DPA2018 are significantly lacking in the respect of FR systems in particular.

As a country, we need to test this in a number of real life scenarios, to create some sensible, implementable, guidelines. I believe this should happen outside of a legal challenge or we face the probability of a very narrow precedent, which would be less useful to all.

We’ve also lost the legal precedent of implied consent for regular CCTV systems, which could mean that all footage obtained without consent is inadmissible! This needs to be addressed because carrying on as before is probably not in the best interests of installers or end users.

John Jiang
Sep 22, 2019

Why does IPVM always target DAHUA and HIKVISION? What is the purpose?

Undisclosed #3
Sep 22, 2019
IPVMU Certified

Why does IPVM always target DAHUA and HIKVISION? What is the purpose?

regime change.

John Honovich
Nov 20, 2019
IPVM

Update: The ICO asked us to email Dahua, which we did on July 25, 2019. Dahua finally responded, nearly 4 months later, claiming the usage of notices as justification, copied below:

Our reply to the ICO was:

We do not accept Dahua's response on the basis that:

1. Under the GDPR's Article 9, notices are not a legal basis for processing of special categories of personal data like biometrics, so Dahua's displayed exhibition notices do not apply.
2. Dahua says the data was "captured randomly, not for the purpose of identifying a particular natural person". However, as we mentioned in the original complaint: "importantly, I know my face was compared to a database of persons as the Dahua screen labeled me a 'stranger' but did not do so for others who were stored in the system". The European Data Protection Board has explicitly stated that filming people's faces and comparing them to a database via facial recognition counts as biometrics processing under Article 9 as the "purpose is to uniquely identify natural persons". Notably, the EDPB said this counts as biometrics processing regardless of whether the person filmed was actually in the database or not. Please refer to the EDPB video surveillance guidelines, section 83, page 17.

We will update this report when we have material feedback from the ICO.