GDPR / ICO Complaint Filed Against Dahua

By IPVM Team, Published Jun 27, 2019, 09:57am EDT

IPVM Image

IPVM has filed a GDPR complaint against Dahua UK's facial recognition conducted at their booth during this year's IFSEC show.

In this post, we explain the reasoning behind the complaint and the difference between this one and the one we made last year, including:

  • Complaint Cause
  • Conference vs Exhibitors
  • Most Egregious
  • Previous Dahua GDPR Claims
  • Reasoning

Overall, we hope our case adds clarity on how facial recognition can be used under GDPR.

**************

** ***** ****, *****'* booth (***** ** ******* on **** **) ******** live ****** *********** ***** filmed ****** *** ******** their *****, ********** *** results ** * ** screen:

IPVM Image

***** ********* ****** *********** on **** ******** ****, attempting ** ***** **** or ********* **** ** a '********' ** *** excerpt ***** *****:

IPVM Image

*******, ***** *** *** obtain *** ******* ** people ********, *** *** it **** *** ************* for *** ********** **** IPVM ********. ********, **** saw ** ***** **** Dahua ********** ********** ********** was ****** ***** ******.

****, ** *** *******, is * ***** ********* of *** ****, ************ * ************* ********** ****** *** a *** **********.********* *** **** ********* that * ***** ** a ******** ********** ***** conceivably ***. *** **** states ********** ********** ** permissible **:

*** **** ******* ***given ******** ******* to the processing of those personal data for one or more specified purposes

*********, ** **** ***** a ********* ******* ***** for ********* *** **** to *** **'* **** protection ****** -*** *********** ************'* ******(***) - *** ************* ********* ****.

IFSEC ********** ** **********

** ****,**** ***** * **** complaint******* *****'* ********** (***) after ** ******** ***** and ***** ******* ****** recognition ***** ******* ***** consent **** *********.

*** *********** *** *********** *** ***** **** IFSEC ********** **** *** responsible *** *** ******' demos. ******, ** *** the ********* ***** *** demos ********** **** **** liable. **** ** *** this ****, ** ***** the ********* ******* ***** UK, *** *****.

Dahua **** *********

**** ***** **** ***** facial *********** **** *** the **** ********* ** violation ** *** ****. Other ****** *********** ********* at ***** *** ** disclosures ** ******* *** people's *****. ********, ***** video ************ ************* **** Axis, *********, *** ****** (Hisilicon) *** *** ******* live ****** *********** ** all.

Dahua **** '*********'

***** *** **** ******* GDPR ****** ******, ************ when **** **** *************** *** ** ******* had **** "*********" ** GDPR ********* ** *** Rheinland, * ******* ****** company:

IPVM Image

** ** *********, ** ******** *** be **** ********* *** the **** ****** ****** that ************* ******* ** not ****** **************** ** any ***. ************, ***** firms **** ****** ******* GDPR ************** ** ****, including******************.

*********

******* ********** ********** ***** strictly ********* ** *** GDPR, *** ** *** no ***** ****** *********** law ** *********** - something *** **'* ************ camera ************,**** ******,*** ****** ***.********, ***** **** ** just **** * **** old, ***** *** ***, if ***, *********** ***** showing *** ****** *********** should ** **** ** practice.

*** *** ** **** complaint ** *** *** UK ********** ** ******* when *** ***** ****** recognition ** ***********, *** how ** ***** **** an ************ ***** ** without ******'* ******* ** a ***** ****** ******** case.

**********

** **** ****** **** post ** *** **** makes *** *** ******* the ******. **** ****, the ********* **** ****** to ***** * ********** so ** **** ****** as *** **** ********.

Comments (26)

It seems conceivable in the (near) future that security trade shows are going to have some click-wrap disclaimer when you register that says "I give my consent to be filmed and biometrically analyzed".

Agree: 5
Disagree
Informative
Unhelpful
Funny

At least, in the UK, the ICO ruled that it was the responsibility of each individual exhibitor, rather than the show itself. UK ICO Denies IPVM GDPR Complaint Against IFSEC, Decides Each Exhibitor Responsible That's sensible since the show (whether it's IFSEC or ISC West or whoever is not the 'data collector' of the facial recognition systems that exhibitors use, it is the exhibitors themselves).

Agree
Disagree
Informative: 6
Unhelpful
Funny

At least, in the UK, the ICO ruled that it was the responsibility of each individual exhibitor, rather than the show itself.

Understood, though I would think that a "service" the shows could offer exhibitors is in notifying the collective audience and gathering their consent.

It would be somewhat difficult, if not impossible, for any exhibitor to handle this on their own if they plan to demonstrate facial analytics openly in their booth. You can't approach the booth and acknowledge consent without likely be captured and analyzed by the cameras in that booth.

Further, how do attendees even know there are potential compliance issues they could run into, if the show organizer does not provide a "top-level" notification?

ICO ruling aside, I think the show needs to either find a way to collect global consent, or ban (and patrol/enforce) exhibitors from displaying anything that violates GDPR.

Agree: 1
Disagree
Informative
Unhelpful
Funny

John your some arsehole, no better things to be doing than acting like a tabloid newspaper, subscription cancelled

Agree: 1
Disagree: 10
Informative
Unhelpful: 1
Funny: 6

I disagree with you on that. I think it is very interesting to see surveillance-related GDPR cases tested and analyzed this way. We have already seen some degree of unwillingness of the ICO to pursue "frivolous" claims, even when backed up by evidence. 

I think the initial kick-back of IPVM's first complaint was very informative and telling.There was some early speculation that the governing bodies might rain down obscene fees on anyone violating GDPR. We have now seen, at least in one instance, evidence to the contrary.

Further, Dahua, and others, have to know by this point that GDPR is a "thing", and they might potentially be violating GDPR with in-booth demos. It is not like IPVM baited them into running a face-rec test on attendees, or filed this on speculative guesses.

Agree: 7
Disagree: 1
Informative: 5
Unhelpful
Funny

It is not like IPVM baited them into running a face-rec test on attendees, or filed this on speculative guesses.

Indeed, the opposite, IFSEC and exhibitors knew we were investigating this and that we had filed last year. And even IFSEC posted a sign this year notifying / warning that exhibitors might be asking for consent to do facial recognition:

And, despite, all of that, Dahua still did facial recognition and still made no attempt to get consent.

Agree
Disagree
Informative: 4
Unhelpful
Funny

I’d agree with you in part on the proviso that the systems in use were in a commercially deployed environment.  If this test case was in a shopping mall I’d be with you, but at a security trade show nit a chance!

Agree: 3
Disagree
Informative
Unhelpful
Funny: 1

at a security trade show nit a chance!

If it declares that security trade shows are not subject to biometrics processing rules, that would be fascinating to see. Let's see what the ICO says. That is the point of filing so that the ICO can give some guidance about how these rules are applied in practice.

Agree
Disagree
Informative: 1
Unhelpful
Funny

I am continuing to question the value of paying the subscription fees to IPVM. Actions like this are not valuable to me as a member.  

Agree: 2
Disagree: 3
Informative: 2
Unhelpful
Funny

IPVM does many things - we doing testing, we do reporting, we develop software (e.g., the Calculator), etc. We charge one price for all of it. It's like a buffet, our goal is not to ensure everyone finds everything valuable, it is to ensure we provide enough overall value to justify the cost of membership and what those things are will vary by the member.

#2, if there are specific things we are not doing that would provide value to you, please let us know here.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Philosophical question:

is it a violation even if your technology doesn’t work?

Agree: 1
Disagree
Informative
Unhelpful
Funny: 19

While signs do not cover biometric processing such as facial recognition, a Dahua UK partner has pointed out on LinkedIn that Dahua did have a small sign buried inside their stand, as the images below show:

And the zoom in to the small sign:

Interesting, it does not even mention the facial recognition they did, only 'facial images'.

Agree
Disagree
Informative
Unhelpful
Funny

Hitchhikers Guide to The Galaxy

Agree: 2
Disagree
Informative: 1
Unhelpful
Funny: 6

Good work. These criminal companies need to be held accountable by someone. Too many laws are being broken by these multinational Chinese companies with virtually no consequences. If a US company went to China and disregarded Chinese law they would certainly be held accountable there.

Agree: 2
Disagree
Informative
Unhelpful
Funny: 3

If a US company went to China and disregarded Chinese law they would certainly be held accountable there.

it certainly warrants getting a caning.

Agree
Disagree
Informative
Unhelpful
Funny

Plenty of other stands were processing biometric data, including facial recognition.

Would the reason that Dahua has been singled out be that IPVM staff were (rumoured to have been) asked to leave the stand or that (rumoured) Hikvision took out an injunction to prevent IPVM staff from going on their stand or talking to staff?

The show was tiny this year and very poorly attended...

Agree
Disagree: 1
Informative
Unhelpful
Funny

that (rumoured) Hikvision took out an injunction to prevent IPVM staff from going on their stand or talking to staff

#5, what? Seriously, where do you get these 'rumors' from? First, it's completely false. Second, Hikvision talked to us in their booth. Third, we actually mentioned this in the IFSEC report:

Hikvision was the most knowledgeable of the various companies IPVM spoke with about how GDPR worked

Do a little due diligence before throwing out obviously false things, fair enough #5?

Agree: 1
Disagree
Informative
Unhelpful
Funny

I have no idea if the comments I made were true as they were 2nd hand rumours...  it’s a rumour, clearly marked as that - you can’t do due dil on rumours.  

Happy if this is not the case of course as we’d hate for HIK to try to restrain IPVM as there’d be little to read ;) 

So did Dahua ask your staff/journalists to leave the stand?

Agree
Disagree
Informative
Unhelpful: 1
Funny

you can’t do due dil on rumours.

Of course, you can. I expect that of my summer job high school assistant, certainly, an industry veteran like yourself can.

The false 'rumor' was: Hikvision had an injunction against IPVM for IFSEC 2019. What can you do to check? Search IPVM for our IFSEC 2019 coverage, pretty obvious, no? It says it right in the middle of the exact report relevant to your 'rumor' that we did speak with them.

So did Dahua ask your staff/journalists to leave the stand?

Again, it's in the IFSEC 2019 report, to quote:

He did so before realizing we were from IPVM. Once we had identified ourselves, he beat a hasty retreat and shouted that he couldn't speak to us.

No, we were not asked to leave the stand and Dahua made clear that they were running live facial recognition including people in the aisle and that they were not requesting consent for performing such facial recognition.

I am happy to answer all questions though if you want to be respected as an industry veteran, you should be able to spend a minute trying to fact check it in the obvious place.

Agree
Disagree
Informative
Unhelpful
Funny

you can’t do due dil on rumours.

“Of course, you can.”

but then they’re not rumors anymore ;)

Agree
Disagree
Informative
Unhelpful
Funny

Sure, it's more fun to throw out anything and then shield yourself by saying 'rumor' <sarcasm>

Agree
Disagree
Informative
Unhelpful
Funny: 2

Hi - I for one will be interested to see where this goes, I'm agnostic about the manufacturer in question, but the legality or otherwise of facial recognition needs to be tested in the UK in line with GDPR.

Its part of my role to keep abreast of technologies including their application and implications. It allows our BDM's to inform clients of the situation when the question of facial recognition arises. We will provide it if the client requests it, but we are always in a position to inform them where it stands under legislation so they are making an informed choice.

Agree: 4
Disagree
Informative: 2
Unhelpful
Funny

the legality or otherwise of facial recognition needs to be tested in the UK in line with GDPR.

I completely agree... we have no legal precedents upon which to base design, implementation or advice.

Tony Porter has been looking at it in depth... and he has also acted upon law enforcement using it in a poorly performing, badly implemented way.

In my opinion, the GDPR and DPA2018 are significantly lacking in the respect of FR systems in particular.

As a country, we need to test this in a number of real life scenarios, to create some sensible, implementable, guidelines. I believe this should happen outside of a legal challenge or we face the probability of a very narrow precedent, which would be less useful to all.

We’ve also lost the legal precedent of implied consent for regular CCTV systems, which could mean that all footage obtained without consent is in admissible! This needs to be addressed because carrying on as before is probably not in the best interests of installers or end users.

Agree
Disagree
Informative
Unhelpful
Funny

Why IPVM always target DAHUA and HIKVISION, what is the purpose?

Agree
Disagree
Informative
Unhelpful
Funny: 1

Why IPVM always target DAHUA and HIKVISION, what is the purpose?

regime change.

Agree
Disagree
Informative
Unhelpful
Funny: 1

Update: The ICO asked us to email Dahua, which we did on July 25, 2019. Dahua finally responded, nearly 4 months later, claiming the usage of notices as justification, copied below:

Our reply to the ICO was:

We do not accept Dahua's response on the basis that:

1. Under the GDPR's Article 9, notices are not a legal basis for processing of special categories of personal data like biometrics, so Dahua's displayed exhibition notices do not apply.
2. Dahua says the data was "captured randomly, not for the purpose of identifying a particular natural person". However, as we mentioned in the original complaint: "importantly, I know my face was compared to a database of persons as theDahuascreen labeled me a 'stranger' but did not do so for others who were stored in the system". The European Data Protection Board has explicitly stated that filming people's faces and comparing them to a database via facial recognition counts as biometrics processing under Article 9 as the "purpose is to uniquely identify natural persons". Notably, the EDPB said this counts as biometrics processing regardless of whether the person filmed was actually in the database or not. Please refer to the EDPB video surveillance guidelines, section 83, page 17.

We will update this report when we have material feedback from the ICO.

Agree
Disagree
Informative
Unhelpful
Funny
Read this IPVM report for free.

This article is part of IPVM's 7,092 reports and 940 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports