It seems conceivable in the (near) future that security trade shows are going to have some click-wrap disclaimer when you register that says "I give my consent to be filmed and biometrically analyzed".
At least, in the UK, the ICO ruled that it was the responsibility of each individual exhibitor, rather than the show itself.
Understood, though I would think that a "service" the shows could offer exhibitors is in notifying the collective audience and gathering their consent.
It would be somewhat difficult, if not impossible, for any exhibitor to handle this on their own if they plan to demonstrate facial analytics openly in their booth. You can't approach the booth and acknowledge consent without likely being captured and analyzed by the cameras in that booth.
Further, how do attendees even know there are potential compliance issues they could run into, if the show organizer does not provide a "top-level" notification?
ICO ruling aside, I think the show needs to either find a way to collect global consent, or ban (and patrol/enforce) exhibitors from displaying anything that violates GDPR.
I disagree with you on that. I think it is very interesting to see surveillance-related GDPR cases tested and analyzed this way. We have already seen some degree of unwillingness of the ICO to pursue "frivolous" claims, even when backed up by evidence.
I think the initial kick-back of IPVM's first complaint was very informative and telling. There was some early speculation that the governing bodies might rain down obscene fees on anyone violating GDPR. We have now seen, at least in one instance, evidence to the contrary.
Further, Dahua, and others, have to know by this point that GDPR is a "thing", and they might potentially be violating GDPR with in-booth demos. It is not like IPVM baited them into running a face-rec test on attendees, or filed this on speculative guesses.
It is not like IPVM baited them into running a face-rec test on attendees, or filed this on speculative guesses.
Indeed, the opposite, IFSEC and exhibitors knew we were investigating this and that we had filed last year. And even IFSEC posted a sign this year notifying / warning that exhibitors might be asking for consent to do facial recognition:
And, despite all of that, Dahua still did facial recognition and still made no attempt to get consent.
I’d agree with you in part on the proviso that the systems in use were in a commercially deployed environment. If this test case was in a shopping mall I’d be with you, but at a security trade show not a chance!
If it declares that security trade shows are not subject to biometrics processing rules, that would be fascinating to see. Let's see what the ICO says. That is the point of filing so that the ICO can give some guidance about how these rules are applied in practice.
IPVM does many things - we do testing, we do reporting, we develop software (e.g., the Calculator), etc. We charge one price for all of it. It's like a buffet, our goal is not to ensure everyone finds everything valuable, it is to ensure we provide enough overall value to justify the cost of membership and what those things are will vary by the member.
#2, if there are specific things we are not doing that would provide value to you, please let us know here.
While signs do not cover biometric processing such as facial recognition, a Dahua UK partner has pointed out on LinkedIn that Dahua did have a small sign buried inside their stand, as the images below show:
And the zoom in to the small sign:
Interesting, it does not even mention the facial recognition they did, only 'facial images'.
Good work. These criminal companies need to be held accountable by someone. Too many laws are being broken by these multinational Chinese companies with virtually no consequences. If a US company went to China and disregarded Chinese law they would certainly be held accountable there.
Plenty of other stands were processing biometric data, including facial recognition.
Would the reason that Dahua has been singled out be that IPVM staff were (rumoured to have been) asked to leave the stand or that (rumoured) Hikvision took out an injunction to prevent IPVM staff from going on their stand or talking to staff?
The show was tiny this year and very poorly attended...
Of course, you can. I expect that of my summer job high school assistant, certainly, an industry veteran like yourself can.
The false 'rumor' was: Hikvision had an injunction against IPVM for IFSEC 2019. What can you do to check? Search IPVM for our IFSEC 2019 coverage, pretty obvious, no? It says it right in the middle of the exact report relevant to your 'rumor' that we did speak with them.
So did Dahua ask your staff/journalists to leave the stand?
He did so before realizing we were from IPVM. Once we had identified ourselves, he beat a hasty retreat and shouted that he couldn't speak to us.
No, we were not asked to leave the stand and Dahua made clear that they were running live facial recognition including people in the aisle and that they were not requesting consent for performing such facial recognition.
I am happy to answer all questions though if you want to be respected as an industry veteran, you should be able to spend a minute trying to fact check it in the obvious place.
Hi - I for one will be interested to see where this goes, I'm agnostic about the manufacturer in question, but the legality or otherwise of facial recognition needs to be tested in the UK in line with GDPR.
It's part of my role to keep abreast of technologies including their application and implications. It allows our BDMs to inform clients of the situation when the question of facial recognition arises. We will provide it if the client requests it, but we are always in a position to inform them where it stands under legislation so they are making an informed choice.
the legality or otherwise of facial recognition needs to be tested in the UK in line with GDPR.
I completely agree... we have no legal precedents upon which to base design, implementation or advice.
Tony Porter has been looking at it in depth... and he has also acted upon law enforcement using it in a poorly performing, badly implemented way.
In my opinion, the GDPR and DPA2018 are significantly lacking in the respect of FR systems in particular.
As a country, we need to test this in a number of real life scenarios, to create some sensible, implementable, guidelines. I believe this should happen outside of a legal challenge or we face the probability of a very narrow precedent, which would be less useful to all.
We’ve also lost the legal precedent of implied consent for regular CCTV systems, which could mean that all footage obtained without consent is inadmissible! This needs to be addressed because carrying on as before is probably not in the best interests of installers or end users.
Update: The ICO asked us to email Dahua, which we did on July 25, 2019. Dahua finally responded, nearly 4 months later, claiming the usage of notices as justification, copied below:
Our reply to the ICO was:
We do not accept Dahua's response on the basis that:
1. Under the GDPR's Article 9, notices are not a legal basis for processing of special categories of personal data like biometrics, so Dahua's displayed exhibition notices do not apply.
2. Dahua says the data was "captured randomly, not for the purpose of identifying a particular natural person". However, as we mentioned in the original complaint: "importantly, I know my face was compared to a database of persons as the Dahua screen labeled me a 'stranger' but did not do so for others who were stored in the system". The European Data Protection Board has explicitly stated that filming people's faces and comparing them to a database via facial recognition counts as biometrics processing under Article 9 as the "purpose is to uniquely identify natural persons". Notably, the EDPB said this counts as biometrics processing regardless of whether the person filmed was actually in the database or not. Please refer to the EDPB video surveillance guidelines, section 83, page 17.
We will update this report when we have material feedback from the ICO.