Big Brother Watch complaint against private sector facial recognition
The use of live automated facial recognition technology (LFR) has come under significant scrutiny in recent years. The technology allows the automated reidentification of an individual using a biometric representation of their face. When deployed in public spaces, it can be used to scan an unlimited number of faces to find one that the system has seen before, potentially putting a huge amount of power in the hands of the operator. The individuals being scanned – and searched for – might not even know this is taking place.
It is perhaps unsurprising therefore that there have been moves to restrict the use of LFR – even ban it outright – both in the US and the EU. Even under our current privacy and data protection laws – including the UK GDPR – the use of biometric processing is restricted to certain purposes and circumstances, and subject to safeguards.
Much of the debate has focused on the use of LFR by organs of the state. The most important case dealing with LFR in England and Wales to date – R(Bridges) v South Wales Police - was about the use of LFR by police looking for people on a watchlist they had assembled.
But the technology can also be used – and is being used– by private sector companies. Big Brother Watch (‘BBW’ have been tracking the growing use of an LFR system offered by Facewatch Ltd in the UK. It allows retail stores – including branches of the Co-op – to biometrically scans every store visitor. Store staff can later add visitors to a watchlist - without their knowledge - if they suspect them of crime or vaguely-defined ‘disorder’. Being on the watchlist means an individual can be identified when they visit a store belonging to any other Facewatch client in a certain radius. The result is that the individual could be denied entry, have their bag searched, or be subject to some other unpredictable ‘intervention’.
BBW instructed AWO to investigate the use of this system and whether that use complies with the GDPR. We did, and our analysis suggests the way Facewatch and Southern Co-op are using LFR is unlawful. For example:
- They rely on there being a ‘substantial public interest’ in their processing, but seem to have little evidence to support this.
- The amount of information they provide to store visitors and watchlist ‘subjects of interest’ seems to fall short of transparency standards, and could breach the fairness principle in the GDPR.
- We also found real causes for concern about accuracy and safeguards in creating the watchlists and making interventions, which could lead to unfair bias and serious detrimental outcomes for individuals.
We’ve brought these issues to the attention of the UK’s data protection authority, the Information Commissioner, through an official complaint on behalf of Silkie Carlo, the Director of BBW.
Facewatch and Southern Co-op are pushing and may be exceeding the boundaries of what the law allows for this novel and powerful technology. Without action, there is a risk of a creeping rebalancing of power away from individuals and towards companies in our public spaces. This is what our data rights are for: they can give us a say in whether and how companies can use technology to exercise power over us. But that only works if those rights are enforced. That’s why BBW have asked the Information Commissioner to urgently investigate the concerns raised in the complaint.
We welcome your thoughts on the complaint, and would love to hear from you if you think you may have been affected by the use of LFR by private companies in publicly accessible spaces. Reach out to firstname.lastname@example.org