UK ICO Approves Unconsented Facial Recognition At Security Conferences

By: Charles Rollet, Published on Feb 05, 2020

The UK's data protection agency has declined IPVM's GDPR complaint against Dahua for using face recognition without consent at IFSEC last year, explaining that Dahua's processing was "acceptable" given the "setting it was used in" and "for demonstration purposes" only.

The denial effectively greenlights conference face rec demos, as long as they are not used to identify individuals, the data is quickly deleted, and specific signage is included. In this note, we examine the decision and its broader meaning, including:

  • Complaint Summary
  • ICO Response
  • Main Takeaways
  • Remaining Questions/Loophole issue
  • Conclusion

Complaint Summary

IPVM's GDPR complaint was based on the following factors:

  • Facial recognition requires a GDPR Article 9 justification. At IFSEC, "explicit consent" was the only conceivable justification, yet Dahua obtained consent from no one.
  • Dahua was clearly identifying natural persons (a condition for the GDPR to apply) as its demo labeled some people "stranger", indicating they were comparing everyone's face to an existing database of booth staff, as often takes place at security shows.

ICO Response: Dahua Face Rec OK "Due to the Setting it Was Used In"

After 6 months of deliberation, the UK Information Commissioner's Office (ICO) denied our complaint, stating they considered Dahua's demo unproblematic as it was "for demonstrational purposes and not for the purpose of identifying a particular person".

Importantly, the ICO also said Dahua's processing was "acceptable" "due to the setting it was used in", effectively greenlighting facial recognition at show demos. Below is the ICO response in full:

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

It is understood that Dahua were processing biometric data during their exhibition, however it was for demonstrational purposes and not for the purpose of identifying a particular person. All of the data captured during the exhibition was deleted. Dahua had erected signs to state that facial recognition demonstrations were being displayed and that facial images may be captured. IFSEC International also displayed signs to remind delegates that they were entering an area where facial recognition and biometric technology could be in active use. We consider Dahua’s processing of biometric data acceptable on this occasion due to the setting it was used in. It was used only for demonstration purposes in an arena where a facial recognition demonstration would reasonably be expected to take place and personal data from the demonstrations was not retained. We will, however, take this opportunity to remind Dahua of their data protection obligations when processing special category data and to ensure signage relating to the use of facial recognition technology is adequately displayed.

Main Takeaway: Context Matters

The chief takeaway from the ICO's response is that the context of sensitive processing matters. The ICO clearly determined that it would not apply strict GDPR principles given the setting of a security conference where processing was only "for demonstrational purposes" without ID'ing specific passerby.

Deleting Data

The second main takeaway is the importance of deleting data, with the ICO emphasizing that "all of the data captured during the exhibition was deleted".

Using Appropriate Signage

The final takeaway is the importance of signage. This was the only point the ICO rebuked Dahua for, stating that it should have used signage which specifically discloses facial recognition was being used. The Dahua privacy notice did not disclose facial recognition, see below:

However, this was clearly considered a minor oversight by ICO, since it did not formally penalize Dahua in any way, only giving them a reminder.

Remaining Questions Unanswered

After ICO's denial, two questions remained from IPVM's perspective:

  • there is no exception in the GDPR or the UK Data Protection Act allowing non-consensual biometrics processing if it is done for demonstrational purposes only. It is not clear to us what specific legal justification ICO is using.
  • the ICO determined Dahua's face rec did not require consent as it was "not for the purpose of identifying a particular person". But it was clear that booth employees were being recognized. The European Data Protection Board has specifically stated that a hotel identifying VIPs with facial recognition has to get consent from everyone, not just the VIPs:

IPVM followed up with ICO on these two points, but they declined to elaborate, simply telling us:

After making enquiries with Dahua, we do not have concerns over their facial recognition demonstration at IFSEC International.

Loophole Risk

One potential loophole this ICO decision creates is that exhibitors deploying face rec demos could keep people's face images and falsely claim to have deleted them; it would be very difficult for the ICO to know this was happening, as there is no way the ICO is going to audit every face rec demo at a security show.

Conclusion

The ICO is the UK government agency with the right to interpret the GDPR and national privacy regulations as it sees fit. From this case, it is clear the ICO gives significant weight to the context and purpose of the processing, rather than penalizing violations on a strictly technical basis.

The ICO's decision conforms with a trend IPVM has previously identified: despite fears that the GDPR would unleash an avalanche of eye-watering fines for minor mistakes/technical GDPR violations, this has not taken place.

Comments (4) : Members only. Login. or Join.

Related Reports

"ONVIF Has Chosen Not To Enforce Their Copyright." on Mar 11, 2020
ONVIF has taken a bold and highly unconventional approach, telling IPVM,...
Wrong Dahua Australia Medical Device Approved on Jul 20, 2020
Dahua's body temperature system is now in Australia's medical device...
Uniview Heat-Tracker Temperature Screening Series Examined on Apr 22, 2020
Uniview is marketing #UNVagainstCOVID19 with their Heat-Tracker series,...
Industry Study: 83% of US Temperature Screening Sellers Falsely Say Not Medical Devices on Jun 29, 2020
83% of US companies selling temperature screening devices, aka 'fever'...
IPVM Rejects Feevr's Improper Threats And Demands on May 04, 2020
IPVM categorically rejects Feevr's improper threats and demands submitted...
Hikvision Admits Minority Recognition, Now Claims Canceled on Jul 23, 2020
For the first time, Hikvision has directly addressed its minority recognition...
Fever Cameras Are Medical Devices, Per The FDA, Dahua, Feevr, Hikvision, InVid Contrary Claims Are False on May 28, 2020
Fever cameras are medical devices, despite what euphemisms various sellers...
UK Firm Markets False Fever Screening, Hikvision Disavows on Jun 30, 2020
A UK security firm falsely claimed its Hikvision-based thermal solution could...
Beware Of Feevr on Apr 14, 2020
Beware of "Feevr". The company is marketing a 'Feevr' solution that...
Australia Dahua Faked Advertisement, Government Warns of 'Criminal Offense' for Not Registering As Medical Device on Jun 25, 2020
A full-page advertisement in a national Australia newspaper for Dahua's...
ZKTeco SpeedFace+ Are Medical Devices, Per FDA Definition, Contrary Claims Are False on Jun 12, 2020
ZKTeco SpeedFace+ series products are medical devices as defined by the US...
Hikvision CEO And Vice-Chair Receive Warning, Government Investigation Concluded on Mar 16, 2020
The China Securities Regulatory Commission (CSRC) has concluded their...
Trade Groups Request NDAA Blacklist Delay Citing Coronavirus on Apr 06, 2020
Two trade groups representing government contractors have asked Congress to...
Facial Recognition: Weak Sales, Anti Regulation, No Favorite, Says Security Integrators on Jul 07, 2020
While facial recognition has gained greater prominence, a new IPVM study of...
China DVR/NVR Backdoor Discovered, Huawei Refutes on Feb 07, 2020
A backdoor was found in Chinese-produced DVRs and NVRs that secretly allowed...

Recent Reports

Google Invests in ADT, ADT Stock Soars on Aug 03, 2020
Google has announced a $450 million investment in the Florida-based security...
US Startup Fever Inspect Examined on Aug 03, 2020
Undoubtedly late to fever cameras, this US company, Fever Inspect, led by a...
Motorola Solutions Acquires Pelco on Aug 03, 2020
Motorola Solutions has acquired Pelco, pledging to bring blue back and make...
False: Verkada: "If You Want To Remote View Your Cameras You Need To Punch Holes In Your Firewall" on Jul 31, 2020
Verkada falsely declared to “3,000+ customers”, “300 school districts”, and...
US GSA Explains NDAA 889 Part B Blacklisting on Jul 31, 2020
With the 'Blacklist Clause' going into effect August 13 that bans the US...
Access Control Online Show July 2020 - On-Demand Recording of 45+ Manufacturers Presentations on Jul 30, 2020
The show featured 48 Access Control presentations, all now recorded and...
Face Detection Shootout - Dahua, Hanwha, Hikvision, Uniview, Vivotek on Jul 30, 2020
Face detection analytics are available from a number of manufactures...
Sunell is The First China Manufacturer to Market NDAA Compliance on Jul 30, 2020
Most China manufacturers are going to be impacted by the NDAA 'Blacklist...
Ink Labs Relabels China YCX Fever Camera And Steals Dahua's Marketing on Jul 30, 2020
A US company marketed a 'thermal temperature scanner' as its own, selling...
Genetec and Dahua-Backed Intelbras Split Examined on Jul 29, 2020
China is the cause of the breakup between Canada's and Brazil's largest video...
This YouTuber is Now Selling ThermoHealth Temperature Screening on Jul 29, 2020
An enterprising 20-year old is mass marketing medical devices on Facebook and...
Hikvision Returns To Growth Driven By Overseas Fever Cameras on Jul 29, 2020
While Hikvision's revenue fell in Q1 2020, it rebounded in Q2 attributed to...
Brazil's Biggest Domestic Surveillance Company Intelbras Profile on Jul 29, 2020
While Intelbras is not widely known outside of Latin America, Intelbras is a...
The Kiosk Market Pivots To Temperature Screening (Interviewed) on Jul 28, 2020
Video surveillance is not the only market that has pivoted to medical device...
Integrator Acquisitions 'A Good Market' During COVID-19, Says Greybeards on Jul 28, 2020
Industry broker Ron Davis of the "Greybeards" says that the integrator and...