This Week in Data/Cyber/Tech: Facial Recognition in the Spotlight; and the Impossibly Hard Issue of Accessing the Social Media of Deceased Children.

Viewpoints
May 31, 2024

Story #1: Facial recognition is back in the spotlight

After a few months out of the spotlight, facial recognition is again having a moment.

In February, the UK ICO ordered Serco to stop using facial recognition technology and fingerprint scanning to monitor workers’ attendance. I wrote about that here.

At the weekend, the UK press reported the story of a woman who was wrongly accused of stealing from a shop due to an error in its facial recognition system. 

And last week the European Data Protection Board issued an opinion about the use of facial recognition to streamline the flow of passengers through airports (for example, at security checkpoints, baggage drop-off, boarding and access to lounges). The opinion is here.

*****

The EDPB’s opinion is necessarily fact-specific — but this doesn’t mean that its conclusions aren’t relevant for organisations that do currently, or may in the future, employ biometric technology for a range of use cases. To take three examples, as with all data processing activities:

  1. The use of biometric data must be necessary and proportionate. In other words: can the same objective be achieved as effectively by other, less intrusive, means? Importantly, the principles of necessity and proportionality apply even where individuals consent to the use of their personal data. 
  2. Balancing the business benefits of processing against the impact on individuals’ rights and freedoms is often not straightforward. This will particularly be the case where the “benefit” isn’t a nice-to-have, but rather is closer to a necessity — for example, ensuring the security of a building. In each case, conducting a DPIA is crucial.
  3. Giving data subjects control over their personal data (in the airport example, the biometric template or encryption key being held in the passengers’ hands) is more likely to tip the scales towards GDPR compliance than a solution involving the centralised storage of biometric data by the controller or in the cloud. Indeed, the EDPB states that the latter approach is unlikely to meet the GDPR requirements.

*****

Despite concerns around facial recognition technology (many of which are justifiable), its uses are increasingly becoming commonplace. Benign, even.

For example, how many times each day do we use facial ID to access our phones? Dozens? Hundreds? Similarly, I can’t remember the last time that I gave conscious thought to the use of facial recognition at airport security. And I suspect I'm not the only one.

Still, most organisations' use of facial recognition (and biometrics more generally) will be less ubiquitous and more issue-specific. Whether or not those uses are aviation-related, the analysis contained in the EDPB's opinion is well worth a read.

Story #2: The impossibly hard issue of accessing the social media of deceased children

I read a very sad story about whether parents are allowed to access their child’s social media accounts after the child has committed suicide.

In the UK, the answer is currently “no” — at least not without a court order.

Now, a woman who lost her son to suicide is seeking to change the law to give parents the automatic right to receive the data from their deceased child's social media accounts. The thinking is that it will help to give the grieving parents some insight into what led to their child taking their life.

*****

It is commonly cited that the GDPR does not apply to the personal data of “deceased persons”. And that’s true — up to a point.

Recital 27 of the GDPR allows Member States to derogate from this general rule, and the GDPR implementing laws in Denmark, Hungary, Italy and Spain all contain varying provisions on deceased individuals. 

Although the UK Data Protection Act 2018 doesn’t contain similar derogations, there are two tangentially related examples that have come up for clients over the years and are sufficiently interesting (in my view) to share.

  1. The Access to Health Records Act 1990 permits an individual to access a deceased person’s patient records if they (i) are that person’s executor or the administrator of their estate, or (ii) have a claim resulting from the person’s death. The DPA 2018 removed the requirement to pay a fee for access to records under s3(4) of the AHRA, but otherwise the access right under the AHRA is distinct from the UK GDPR and the holder of the patient records is not subject to the UK GDPR in respect of other aspects of the relevant processing. 
  2. The DPA amends s199 of the Investigatory Powers Act 2016, which deals with bulk personal datasets. The definition of “personal data” in s199 now includes “data relating to a deceased individual where the data would fall within [the scope of the DPA] if it related to a living individual”.

*****

I have written recently (here) about the demise of the Data Protection and Digital Information Bill — the Conservative Party’s attempt to reform the UK’s data protection laws.

Many of the proposed changes to the GDPR-based regime involve tinkering around the edges: expanding the scope of legitimate interests, raising the threshold for conducting ROPAs, and so on. And it remains to be seen whether the DPDIB will form the basis of the new Government's approach to data protection regulation. 

But with my parent hat on, I do think there is much to be said for introducing the type of right discussed in this post. Whether that's through the DPDIB or its successor (or another law altogether) doesn't particularly matter to me.

Some things are more important than the guardrails we put around data protection — and this is one of them.
