UK ICO Approves Unconsented Facial Recognition At Security Conferences

By: Charles Rollet, Published on Feb 05, 2020

The UK's data protection agency has declined IPVM's GDPR complaint against Dahua for using face recognition without consent at IFSEC last year, explaining that Dahua's processing was "acceptable" given the "setting it was used in" and "for demonstration purposes" only.

The denial effectively greenlights conference face rec demos, as long as they are not used to identify individuals, the data is quickly deleted, and specific signage is included. In this note, we examine the decision and its broader meaning, including:

  • Complaint Summary
  • ICO Response
  • Main Takeaways
  • Remaining Questions/Loophole issue
  • Conclusion

Complaint Summary

IPVM's GDPR complaint was based on the following factors:

  • Facial recognition requires a GDPR Article 9 justification. At IFSEC, "explicit consent" was the only conceivable justification, yet Dahua obtained consent from no one.
  • Dahua was clearly identifying natural persons (a condition for the GDPR to apply) as its demo labeled some people "stranger", indicating they were comparing everyone's face to an existing database of booth staff, as often takes place at security shows.

ICO Response: Dahua Face Rec OK "Due to the Setting it Was Used In"

After 6 months of deliberation, the UK Information Commissioner's Office (ICO) denied our complaint, stating they considered Dahua's demo unproblematic as it was "for demonstrational purposes and not for the purpose of identifying a particular person".

Importantly, the ICO also said Dahua's processing was "acceptable" "due to the setting it was used in", effectively greenlighting facial recognition at show demos. Below is the ICO response in full:


It is understood that Dahua were processing biometric data during their exhibition, however it was for demonstrational purposes and not for the purpose of identifying a particular person. All of the data captured during the exhibition was deleted. Dahua had erected signs to state that facial recognition demonstrations were being displayed and that facial images may be captured. IFSEC International also displayed signs to remind delegates that they were entering an area where facial recognition and biometric technology could be in active use. We consider Dahua’s processing of biometric data acceptable on this occasion due to the setting it was used in. It was used only for demonstration purposes in an arena where a facial recognition demonstration would reasonably be expected to take place and personal data from the demonstrations was not retained. We will, however, take this opportunity to remind Dahua of their data protection obligations when processing special category data and to ensure signage relating to the use of facial recognition technology is adequately displayed.

Main Takeaway: Context Matters

The chief takeaway from the ICO's response is that the context of sensitive processing matters. The ICO clearly determined that it would not apply strict GDPR principles given the setting of a security conference where processing was only "for demonstrational purposes" without ID'ing specific passersby.

Deleting Data

The second main takeaway is the importance of deleting data, with the ICO emphasizing that "all of the data captured during the exhibition was deleted".

Using Appropriate Signage

The final takeaway is the importance of signage. This was the only point the ICO rebuked Dahua for, stating that it should have used signage which specifically discloses facial recognition was being used. The Dahua privacy notice did not disclose facial recognition, see below:

However, this was clearly considered a minor oversight by ICO, since it did not formally penalize Dahua in any way, only giving them a reminder.

Remaining Questions Unanswered

After ICO's denial, two questions remained from IPVM's perspective:

  • There is no exception in the GDPR or the UK Data Protection Act allowing non-consensual biometrics processing if it is done for demonstrational purposes only. It is not clear to us what specific legal justification ICO is using.
  • The ICO determined Dahua's face rec did not require consent as it was "not for the purpose of identifying a particular person". But it was clear that booth employees were being recognized. The European Data Protection Board has specifically stated that a hotel identifying VIPs with facial recognition has to get consent from everyone, not just the VIPs:

IPVM followed up with ICO on these two points, but they declined to elaborate, simply telling us:

After making enquiries with Dahua, we do not have concerns over their facial recognition demonstration at IFSEC International.

Loophole Risk

One potential loophole this ICO decision creates is that exhibitors deploying face rec demos could keep people's face images and falsely claim to have deleted them; it would be very difficult for the ICO to know this was happening, as there is no way the ICO is going to audit every face rec demo at a security show.

Conclusion

The ICO is the UK government agency with the right to interpret the GDPR and national privacy regulations as it sees fit. From this case, it is clear the ICO gives significant weight to the context and purpose of the processing, rather than penalizing violations on a strictly technical basis.

The ICO's decision conforms with a trend IPVM has previously identified: despite fears that the GDPR would unleash an avalanche of eye-watering fines for minor mistakes/technical GDPR violations, this has not taken place.
