The Dutch Data Protection Authority (DPA) has issued a formal warning to a supermarket for its use of facial recognition technology. Although the facial recognition technology has been disabled since December 2019, the supermarket wished to turn it back on.
The supermarket claims that it used facial recognition technology to protect its customers and staff and to prevent shoplifting. The technology was connected to cameras at the store’s entrance.
The technology scanned the face of everyone who entered the store and compared it to a database of people who had been banned from entering stores. The faces of people who had not been banned were deleted after several seconds.
Following reports in the media, on 6 December 2019 the DPA requested information from the owner of the supermarket. On 8 December 2019, the supermarket disabled the facial recognition technology. The owner indicated in documents provided to the DPA, however, that he wished to turn it back on.
Ban on facial recognition technology
‘It’s unacceptable for this supermarket – or any other store in the Netherlands – to just start using facial recognition technology,’ says Monique Verdier, deputy chairperson of the DPA. ‘Use of such technology outside of the home is banned in nearly all cases. And that’s for good reason.’
Walking bar codes
‘Facial recognition makes us all walking bar codes,’ explains Verdier. ‘Your face is scanned every time you enter a store, a stadium or an arena that uses this technology. And it’s done without your consent. By putting your face through a search engine, there is a possibility that your face could be linked to your name and other personal data. This could be done by cross-checking your face with your social media profile, for example.’
‘The technology can then decide what to do with the information: Are you suspected of something? Are you of interest as a customer? Is there value in monitoring your purchasing behaviour and creating a profile for you? If we have cameras with facial recognition technology everywhere, everything and all of us can be continuously monitored.’
Two exceptions
Facial recognition technology uses biometric data to identify people. The use of facial recognition for security is prohibited in all but two situations.
The first is if the people have given explicit consent for their data to be processed. Here, although the owner of the supermarket claims customers had been warned that the store used facial recognition technology, the customers did not give explicit consent for this.
‘The presumption that silence equals approval does not work here,’ says Verdier. ‘Simply entering the supermarket doesn’t count as giving consent.’
The other exception is if facial recognition technology is necessary for authentication or security purposes, but only in so far as substantial public interest is concerned. The supermarket claims that this is the case. The DPA considers that it is not.
‘The only example that the law gives is for the security of a nuclear power plant,’ explains Verdier. ‘The bar is therefore very high. Preventing shoplifting is of a completely different magnitude than preventing a nuclear disaster.’
For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl