ICO adopts a pragmatic approach to Facewatch investigation
After conducting an investigation into Facewatch, the ICO has concluded that Facewatch is able to rely on the 'legitimate interest' lawful basis to process individuals' personal data using facial recognition software for the purposes of crime prevention. The ICO highlighted a number of areas of concern and, after Facewatch made improvements in these areas, the ICO has confirmed that no further regulatory action is required against Facewatch.
What is Facewatch?
Facewatch advertises itself as the 'UK's leading facial recognition retail security company'. They provide a cloud-based facial recognition system with the intention of safeguarding against theft in retail stores. This is done by using facial recognition software to identify known offenders when they enter a retail store that uses Facewatch's technology. If a 'subject of interest' is detected, the store is then immediately alerted that an individual who has a criminal record of theft has entered their premises.
Whilst individuals are used to being captured on CCTV when shopping, Facewatch takes this a significant step further, by using live facial recognition software to identify those individuals on the CCTV.
Facial recognition software is already used frequently in our daily lives, such as when we unlock our phone or access banking software. In this example, it is up to the individual whether to enable their phone to unlock using facial recognition.
It is another step entirely to have a third-party security company using facial recognition when an individual visits a shop. This could be viewed as being a violation of people's freedom and privacy. There are potential risks here, including incorrectly profiling individuals, inadvertently discriminating against individuals and processing children's data and vulnerable individuals' data.
Facewatch was referred to the ICO by privacy campaigners who made a formal complaint against the use of Facewatch's technology in Co-Op branches across the south of England. The campaign group described the use of live facial recognition software as 'Orwellian in the extreme'. The software also calls into question the ethics of targeting individuals who have potentially already completed their punishment for a crime committed in the past.
The ICO therefore investigated Facewatch to determine whether their product breached UK data protection laws.
The ICO has determined that no further regulatory action is required. The basis for this decision was as follows:
- Valid lawful basis. The ICO has concluded that Facewatch is able to rely on the 'legitimate interest' lawful basis to process individuals' personal data using facial recognition software for the purposes of crime prevention. This lawful basis requires Facewatch to balance this legitimate interest against the rights and freedoms of individuals.
- Improvement actions taken by Facewatch. The ICO highlighted a number of areas of concern which Facewatch has now addressed, including:
  - Appointing a Data Protection Officer
  - Reducing the information collected, by limiting it to repeat offenders or those who commit significant offences
  - Protecting individuals classified as vulnerable to ensure they were not flagged as a 'subject of interest'.
The ICO's pragmatic approach of working with Facewatch to ensure issues are addressed prior to taking regulatory action is consistent with the UK government's pro-innovation approach to regulating AI.
The Facewatch decision is not intended to allow a blanket use of facial recognition software in public places for the purposes of crime prevention. The ICO has been clear that each 'use case' will be considered on its own merits. Organisations using facial recognition software should therefore ensure that they have a detailed understanding of how their underlying technology works, the potential impact of the software on individuals and what safeguards should be implemented to prevent individuals from harm.
Following the government's recent white paper on AI regulation, we expect that the ICO will update and expand on its Guidance on AI and Data Protection so as to provide further guidance on facial recognition software.
From an EU perspective, under the new AI Act (once enacted) Facewatch's technology and other similar technologies will likely be classified as 'High Risk'. WBD maintains an AI Roadmap, which is designed to help you navigate the divergent approaches to the regulation of AI across the UK and EU.
If you would like to discuss the use of live facial recognition technology with us, WBD has a focused retail sector group and a dedicated team of specialist digital lawyers. We have the expertise to assist your business in making decisions regarding the latest advancements in technology.