The Dutch Data Protection Authority (DPA) has issued a formal warning to a supermarket for its use of facial recognition technology. Although the facial recognition technology has been disabled since December 2019, the supermarket wished to turn it back on.
The supermarket claims that it used facial recognition technology to protect its customers and staff and to prevent shoplifting. The technology was connected to cameras at the store’s entrance.
The technology scanned the face of everyone who entered the store and compared it to a database of people who had been banned from entering stores. The faces of people who had not been banned were deleted after several seconds.
Following reports in the media, on 6 December 2019 the DPA requested information from the owner of the supermarket. On 8 December 2019, the supermarket disabled the facial recognition technology. The owner indicated in documents provided to the DPA, however, that he wished to turn it back on.
Ban on facial recognition technology
‘It’s unacceptable for this supermarket – or any other store in the Netherlands – to just start using facial recognition technology,’ says Monique Verdier, deputy chairperson of the DPA. ‘Use of such technology outside of the home is banned in nearly all cases. And that’s for good reason.’
Walking bar codes
‘Facial recognition makes us all walking bar codes,’ explains Verdier. ‘Your face is scanned every time you enter a store, a stadium or an arena that uses this technology. And it’s done without your consent. By putting your face through a search engine, there is a possibility that your face could be linked to your name and other personal data. This could be done by cross-checking your face with your social media profile, for example.’
‘The technology can then decide what to do with the information: Are you suspected of something? Are you of interest as a customer? Is there value in monitoring your purchasing behaviour and creating a profile for you? If we have cameras with facial recognition technology everywhere, everything and all of us can be continuously monitored.’
Facial recognition technology uses biometric data to identify people. The use of facial recognition for security is prohibited in all but two situations.
The first is if the people have given explicit consent for their data to be processed. Here, although the owner of the supermarket claims customers had been warned that the store used facial recognition technology, the customers did not give explicit consent for this.
‘The presumption that silence equals approval does not work here,’ says Verdier. ‘Simply entering the supermarket doesn’t count as giving consent.’
The other exception is if facial recognition technology is necessary for authentication or security purposes, but only in so far as substantial public interest is concerned. The supermarket claims that this is the case. The DPA considers that it is not.
‘The only example that the law gives is for the security of a nuclear power plant,’ explains Verdier. ‘The bar is therefore very high. Preventing shoplifting is of a completely different magnitude than preventing a nuclear disaster.’
For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.