UK ICO Denies IPVM GDPR Complaint Against IFSEC, Decides Each Exhibitor Responsible
The UK Information Commissioner's Office (ICO) has denied IPVM's complaint against IFSEC for misuse of facial recognition.
Each Exhibitor Responsible
Importantly, the ICO has determined that, contrary to UBM's claim, each exhibitor is responsible for conforming. In a December 5, 2018 message to IPVM, the ICO explained:
Each Exhibitor could be regarded as an independent and separate data controller of their propriety equipment who would be responsible for ensuring it fulfils its fair processing obligations.
The ICO contrasted this to UBM / IFSEC, saying:
UBM does not actually process or retain any personal data captured by facial recognition technology during the IFSEC convention.
IFSEC Registration Consent Not Applicable
In contrast, UBM told IPVM at IFSEC 2018 that the data notice on the back of attendees’ badges provided consent for its exhibitors' facial recognition.
Given the decision of the ICO, IFSEC's consent will not cover its exhibitors for data processing such as facial recognition.
Challenge For Exhibitors
This creates a challenge for exhibitors because, according to the GDPR, which went into effect in May 2018 and to which the UK is party, biometric processing like facial recognition is considered a "special category of personal data" and is generally prohibited with important exceptions.
One of those exceptions is informed consent with specified purposes. Article 9, section 2(a) of the GDPR states that biometrics are allowed if:
the data subject has given explicit consent to the processing of those personal data for one or more specified purposes [emphasis added]
Article 7 also states consent notices must be written:
in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language [emphasis added]
No Consent At 2018 IFSEC Show
No consent was requested by any IFSEC 2018 exhibitor using facial recognition that we visited.
The ICO decision here will help clarify the responsibilities that exhibitors and vendors have when they use facial recognition but raises questions of how exhibitors will actually conform with GDPR when using facial recognition.