Face/Off: UK and EU diverge on facial recognition

Who invented punk? Little Richard? Quite possibly. MC5? Also in contention. The Sex Pistols? Absolutely not — and see me after class. For our purposes the answer is Richard Hell, who wrote/sang in 1974 that “it’s such a gamble when you get a face”.

It's fair to assume Mr Hell understood that facial recognition would come to be one of the most divisive issues of our time. Quite how divisive became clear last week, when data protection regulators in the EU and the UK issued their respective reports on the use of facial recognition technology in public places. Would these regulators, who enforce what are essentially the same laws (the EU GDPR and the UK GDPR), find common ground in what is possible under those laws? Reader, they would not.

The EDPB (comprising the privacy regulators of each EU Member State) and the EDPS (which regulates the EU institutions' use of personal data) called for a total ban on facial recognition systems that monitor people in all publicly available spaces. No ifs or buts: a "general ban" on the use of any forms of AI in this context, including gait analysis, fingerprints, DNA, voice or keystrokes. That position may come as news to the European Commission, whose recently tabled AI Regulation permits the use of facial recognition in public spaces in order to combat serious crimes. That sounds like a high bar (and it is), but privacy interest groups worry that this will become the thin edge of the wedge for an all-encompassing surveillance society. One man's serious is another man's trivial, and so on.

For its part, the UK ICO's new guidance on the same topic allows for the use of live facial recognition by companies and public bodies. The ICO makes clear that a high threshold must be met before the technology is rolled out, but provided that the requirements of data protection law are met, it does not appear to have placed the same emphasis on citizens' fundamental rights and freedoms as the EDPB and EDPS. An outright ban it is not.

These reports come at an interesting time for neighbourly relations. All eyes have been on the UK adequacy decision, which last week was reportedly greenlit by the Article 93 GDPR committee (with the leaked drafted including a controversial carve-out for the immigration exemption that the UK Court of Appeal recently found to be unlawful).

In the meantime, UK Prime Minister Boris Johnson has been publicly endorsing a report by the Taskforce on Innovation, Growth and Regulatory reform which (1) mischaracterises the GDPR in certain key areas, but (2) also suggests replacing the GDPR with a framework that includes the removal of human oversight from automated decision-making, moving towards a single patient data ownership and scrapping cookie banners (actually, that last one isn't the worst idea). It's certainly a bold move — and if global diplomacy was done via memes, we could well see the EU dusting off its "nice adequacy decision you have there; be a shame if someone took that away" gif in the near future. 

This all makes more compelling (if not concerning) viewing. But there's something classically British about thumbing one's nose at authority, and our approach to data protection appears to be no different. And what could be more punk than that?