UK ICO Denies IPVM GDPR Complaint Against IFSEC, Decides Each Exhibitor Responsible

By John Honovich, Published Dec 06, 2018, 07:44am EST

The UK Information Commissioner's Office (ICO) has denied IPVM's complaint against IFSEC for misuse of facial recognition.

Each Exhibitor Responsible

Importantly, the ICO has determined that, contrary to UBM's claim, each exhibitor is responsible for conforming. In a December 5, 2018 message to IPVM, the ICO explained:

Each Exhibitor could be regarded as an independent and separate data controller of their propriety equipment who would be responsible for ensuring it fulfils its fair processing obligations.

The ICO contrasted this to UBM / IFSEC, saying:

UBM does not actually process or retain any personal data captured by facial recognition technology during the IFSEC convention.

IFSEC Registration Consent Not Applicable

To the contrary, UBM told IPVM at IFSEC 2018 that the data notice on the back of attendees’ badges provided consent for their exhibitor's facial recognition. Read it here and see it below:

Given the decision of the ICO, IFSEC's consent will not cover their exhibitors for data processing such as facial recognition.

Join IPVM Newsletter?

IPVM is the #1 authority in video surveillance news, in-depth tests, and training courses. Get emails, once a day, Monday to Friday.

Challenge For Exhibitors

This creates a challenge for exhibitors as, according to the GDPR, which went into effect in May 2018 and to which the UK is party to, biometrics processing like facial recognition is considered a "special category of personal data" and is generally prohibited with important exceptions.

One of those exceptions is informed consent with specified purposes. Article 9, section 2(a) of the GDPR states that biometrics are allowed if:

the data subject has given explicit consent to the processing of those personal data for one or more specified purposes [emphasis addded]

Article 7 also states consent notices must be written:

in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language [emphasis added]

No Consent At 2018 IFSEC Show

No consent was requested by any IFSEC 2018 exhibitor using facial recognition that we visited.

Going Forward

The ICO decision here will help clarify the responsibilities that exhibitors and vendors have when they use facial recognition but raises questions of how exhibitors will actually conform with GDPR when using facial recognition.

2 reports cite this report:

GDPR / ICO Complaint Filed Against Dahua on Jun 27, 2019
IPVM has filed a GDPR complaint against Dahua UK's facial recognition...
GDPR / ICO Complaint Filed Against IFSEC Show Facial Recognition on Jun 20, 2018
IPVM has filed a complaint against IFSEC’s parent company UBM based on our...
Comments (3) : Subscribers only. Login. or Join.
Loading Related Reports