At the international level, the regulation of face recognition technology is mainly carried out through data protection laws and regulations.
U.S.A
Taking the United States as an example, the United States does not have a unified law to regulate the collection and use of face recognition data at the federal level, but is managed through independent legislation of each state. At present, six states or cities have enacted bills related to biometric data, namely Illinois, Washington, Texas, Oregon, New Hampshire and San Francisco, California.
Among them, the biological information privacy act (BIPA) promulgated by Illinois is of great reference significance. The act, promulgated in 2008, is the first law in the United States to regulate the collection, use, protection, processing, storage, retention and destruction of biological identifiers and information.
According to the definition of BIPA, “biological identifier” includes scanning of “facial structure”, but explicitly excludes photos. The term related to “biological identifier” is “biological information”, which refers to “information obtained through a biological identifier used to identify a specific natural person”. The scope of BIPA regulation does not lie in whether biometric data can be used, but in the way of using biometric data, which is embodied in the following three aspects:
When collecting the biological identifier or biometric information of a natural person for the first time, the natural person shall be informed of the collection of biological data, the purpose of collection, the retention time of data, and obtain the written authorization of the natural person. Facebook’s “facial imprinting” function was sued because Facebook collected facial structure data without the user’s consent, thereby violating BIPA.
The enterprise must formulate a written policy to set the retention schedule of biometric data, and when the purpose of collecting data has been achieved or three years have elapsed since the last contact between the information subject and the enterprise (whichever occurs first), the data shall be destroyed.
Biometric data shall not be sold and shall not be disclosed to others except with the consent of the relevant natural person or with specific exceptions provided by law.
European union
The The EU’s core law for protecting face recognition data is the most stringent general data protection regulation (gdpr) in history, which has previously frightened countless enterprises.
According to the definition of Article 4 (14) of gdpr, biometric data explicitly includes facial images. However, photos are another matter. Article 51 of the gdpr narrative states that “the processing of photos is not necessarily regarded as the processing of personal sensitive data. Photos are considered biometric data only when they are processed by specific technical methods to enable them to identify or authenticate specific natural people “. In addition, the gdpr does not mention video images, such as those collected by surveillance cameras, but the same principles should be applied by analogy. That is, if a “specific technical means” is used to identify or authenticate a specific natural person, any image collected through photos or videos constitutes biometric data.
Article 9 of gdpr stipulates that biometric data belongs to the “special category” of personal data, and such data shall not be processed except under certain special circumstances. The only exception applicable to the commercial application of face recognition technology is that “the data subject has clearly expressed its consent”, and the consent must be “freely given, clear, specific and unambiguous”. Any form of passive consent of the data subject does not comply with the provisions of gdpr.
In addition, Article 9 (4) of the gdpr allows EU Member States to stipulate that the restrictions on the processing of biometric data in the gdpr do not apply in specific circumstances. For example, the Netherlands provides for the processing of biometric data when required for certification or security. The restrictions on biometric data in Croatia’s new data protection law exclude the application of the monitoring security system.
It can be seen that the international standards for the use of face recognition data are quite strict, and even many cities began to publicly resist the use of face recognition in government departments.
The monitoring regulations passed in Seattle, Auckland and Cambridge, Massachusetts require each municipality to hold a public meeting and obtain the approval of the City Council before obtaining any monitoring technology. In May this year, San Francisco passed a comprehensive ban on the use of facial recognition technology by the municipal government. At the same time, it also stipulates that the purchase of any similar new monitoring equipment, such as an automatic license plate recognition system and UAV with a camera, requires the permission of the municipal government.
After the ban was proposed in San Francisco, other states in the United States have introduced similar laws one after another. Subsequently, the United States began to promote relevant work to standardize the use of biometric technology, including face recognition and other human based biometric methods, such as fingerprint recognition.
Nowadays, face recognition technology is considered to be part of the global “smart city” wave and is widely popular on the market. On the other hand, people’s concern about it is getting deeper and deeper with the abuse of face recognition technology. None of us want to be Luddites who hate technology, but hope to put science and technology into the cage of morality and law and make it play a role within our control.
How to control technology, in addition to the relevant policies and regulations to be standardized, the technology giants who master the core technology are also duty bound.
Post time: Jul-25-2021