UK ICO Approves Unconsented Facial Recognition At Security Conferences

By: Charles Rollet, Published on Feb 05, 2020

The UK's data protection agency has declined IPVM's GDPR complaint against Dahua for using face recognition without consent at IFSEC last year, explaining that Dahua's processing was "acceptable" given the "setting it was used in" and "for demonstration purposes" only.

The denial effectively greenlights conference face rec demos, as long as they are not used to identify individuals, the data is quickly deleted, and specific signage is included. In this note, we examine the decision and its broader meaning, including:

  • Complaint Summary
  • ICO Response
  • Main Takeaways
  • Remaining Questions/Loophole issue
  • Conclusion

Complaint Summary

IPVM's GDPR complaint was based on the following factors:

  • Facial recognition requires a GDPR Article 9 justification. At IFSEC, "explicit consent" was the only conceivable justification, yet Dahua obtained consent from no one.
  • Dahua was clearly identifying natural persons (a condition for the GDPR to apply) as its demo labeled some people "stranger", indicating they were comparing everyone's face to an existing database of booth staff, as often takes place at security shows.

ICO Response: Dahua Face Rec OK "Due to the Setting it Was Used In"

After 6 months of deliberation, the UK Information Commissioner's Office (ICO) denied our complaint, stating they considered Dahua's demo unproblematic as it was "for demonstrational purposes and not for the purpose of identifying a particular person".

Importantly, the ICO also said Dahua's processing was "acceptable" "due to the setting it was used in", effectively greenlighting facial recognition at show demos. Below is the ICO response in full:

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

It is understood that Dahua were processing biometric data during their exhibition, however it was for demonstrational purposes and not for the purpose of identifying a particular person. All of the data captured during the exhibition was deleted. Dahua had erected signs to state that facial recognition demonstrations were being displayed and that facial images may be captured. IFSEC International also displayed signs to remind delegates that they were entering an area where facial recognition and biometric technology could be in active use. We consider Dahua’s processing of biometric data acceptable on this occasion due to the setting it was used in. It was used only for demonstration purposes in an arena where a facial recognition demonstration would reasonably be expected to take place and personal data from the demonstrations was not retained. We will, however, take this opportunity to remind Dahua of their data protection obligations when processing special category data and to ensure signage relating to the use of facial recognition technology is adequately displayed.

Main Takeaway: Context Matters

The chief takeaway from the ICO's response is that the context of sensitive processing matters. The ICO clearly determined that it would not apply strict GDPR principles given the setting of a security conference where processing was only "for demonstrational purposes" without ID'ing specific passerby.

Deleting Data

The second main takeaway is the importance of deleting data, with the ICO emphasizing that "all of the data captured during the exhibition was deleted".

Using Appropriate Signage

The final takeaway is the importance of signage. This was the only point the ICO rebuked Dahua for, stating that it should have used signage which specifically discloses facial recognition was being used. The Dahua privacy notice did not disclose facial recognition, see below:

However, this was clearly considered a minor oversight by ICO, since it did not formally penalize Dahua in any way, only giving them a reminder.

Remaining Questions Unanswered

After ICO's denial, two questions remained from IPVM's perspective:

  • there is no exception in the GDPR or the UK Data Protection Act allowing non-consensual biometrics processing if it is done for demonstrational purposes only. It is not clear to us what specific legal justification ICO is using.
  • the ICO determined Dahua's face rec did not require consent as it was "not for the purpose of identifying a particular person". But it was clear that booth employees were being recognized. The European Data Protection Board has specifically stated that a hotel identifying VIPs with facial recognition has to get consent from everyone, not just the VIPs:

IPVM followed up with ICO on these two points, but they declined to elaborate, simply telling us:

After making enquiries with Dahua, we do not have concerns over their facial recognition demonstration at IFSEC International.

Loophole Risk

One potential loophole this ICO decision creates is that exhibitors deploying face rec demos could keep people's face images and falsely claim to have deleted them; it would be very difficult for the ICO to know this was happening, as there is no way the ICO is going to audit every face rec demo at a security show.

Conclusion

The ICO is the UK government agency with the right to interpret the GDPR and national privacy regulations as it sees fit. From this case, it is clear the ICO gives significant weight to the context and purpose of the processing, rather than penalizing violations on a strictly technical basis.

The ICO's decision conforms with a trend IPVM has previously identified: despite fears that the GDPR would unleash an avalanche of eye-watering fines for minor mistakes/technical GDPR violations, this has not taken place.

Comments (4) : Members only. Login. or Join.

Related Reports

France Declares School Facial Recognition Illegal Due to GDPR on Oct 31, 2019
France is the latest European country to effectively prohibit facial recognition as a school access control solution, even with the consent of...
UK Facewatch GDPR Compliance Questioned on Aug 27, 2019
Even as the GDPR strictly regulates biometrics, a UK company called Facewatch is selling anti-shoplifter facial recognition systems to hundreds of...
First GDPR Facial Recognition Fine For Sweden School on Aug 22, 2019
A school in Sweden has been fined $20,000 for using facial recognition to keep attendance in what is Sweden's first GDPR fine. Notably, the fine is...
New GDPR Guidelines for Video Surveillance Examined on Jul 18, 2019
The highest-level EU data protection authority has issued a new series of provisional video surveillance guidelines. While GDPR has been in...
First Video Surveillance GDPR Fine In France on Jul 08, 2019
The French government has imposed a sizeable fine on a small business for violating the GDPR after it constantly filmed employees without informing...
GDPR / ICO Complaint Filed Against Dahua on Jun 27, 2019
IPVM has filed a GDPR complaint against Dahua UK's facial recognition conducted at their booth during this year's IFSEC show. In this post, we...
Nortek and SDS Fight Over Failed Settlement on Jun 05, 2019
Distributor SDS said they reached a deal with Nortek but Nortek says no settlement was reached and the suit is still on. In this post, based on...
Security / Privacy Journalist Sam Pfeifle Interview on May 24, 2019
Sam Pfeifle is best known as the outspoken former Editor of Security Systems News. After that, he was publications director at the International...
ADT's Top Dealer "The Defenders" Sued 20+ Times on May 07, 2019
ADT's largest authorized dealer, The Defenders, has been sued more than 20 times since 2012, IPVM has verified through analyzing legal...
UK Camera Commissioner Calls for Regulating Facial Recognition on Apr 15, 2019
IPVM interviewed Tony Porter, the UK’s surveillance camera commissioner after he recently called for regulations on facial recognition in the...

Most Recent Industry Reports

Viakoo Presents Cyber Hygiene for Cameras on May 28, 2020
Viakoo presented its 'Cyber Hygiene' and 'Service Assurance' products at the April 2020 IPVM New Products show. Inside this report: A...
Seek Scan Thermal Temperature Screening System ReTested on May 28, 2020
Now that IPVM has tested Dahua, Hikvision, and Sunell, we are returning to Seek, the first blackbody system we tested and retested it with our...
Directory of 106 "Fever" Camera Suppliers on May 28, 2020
This directory provides a list of "Fever" scanning thermal camera providers to help you see and research what options are available. There are...
Fever Cameras Are Medical Devices, Per The FDA, Dahua, Feevr, Hikvision, InVid Contrary Claims Are False on May 28, 2020
Fever cameras are medical devices, despite what euphemisms various sellers use. The US FDA clearly categorizes them as medical devices and...
Wyze Raises $10 Million And Seeks Services Expansion on May 27, 2020
Wyze has raised $10 million, the company's first disclosed raise since the $20 million announced at the beginning of 2019. Inside this note,...
Startup Videoloft Presents Cloud Storage on May 27, 2020
Videoloft presented offsite cloud storage at the May 2020 IPVM Startups show. A 30-minute video from Videoloft including IPVM...
Directory of 300+ Fever Camera News Reports Globally on May 27, 2020
This global directory tracks 300+ articles about thermal cameras used to detect fevers in response to the coronavirus pandemic. Articles are...
Integrators Rising Against Coronavirus on May 27, 2020
IPVM integrator statistics make it clear - Coronavirus's impact on business is lessening and many are anticipating even better news in weeks...
Netposa Stock Surges 46% After US Human Rights Abuse Sanctions on May 27, 2020
Last Friday, the US government announced it would sanction PRC video management provider NetPosa for being "complicit in human rights violations...
LILIN Presents NDAA-Compliant P2 Cameras on May 26, 2020
Merit LILIN presented its NDAA-compliant P2 camera series at the April 2020 IPVM New Products show. Inside this report: A 30-minute video...