Facial recognition in Airports: EDPB prioritizes user control over biometric data
This decision comes amidst growing concerns around the world about the use of biometric data for passenger identification.
The European Data Protection Board (EDPB) this week released an opinion regarding the use of facial recognition technology by airports and airlines. This decision comes amidst growing concerns around the world about the use of biometric data for passenger identification.
The EDPB highlights several key points in its decision:
Privacy Risks: Facial recognition is considered "particularly sensitive" data, and its processing can lead to significant privacy risks for individuals. These risks include potential errors in identification, bias and discrimination, and misuse of biometric data for identity theft or impersonation.
Control Over Biometric Data: The EDPB emphasizes the importance of individuals having maximum control over their own biometric data. This includes the ability to opt-out of facial recognition programs whenever possible.
Data Minimization: The EDPB stresses the need for data minimization practices. This means that airport operators and airlines should only collect and store biometric data for as long as absolutely necessary.
Security of Processing: The EDPB requires strong security measures to protect biometric data from unauthorized access or breaches.
The opinion focuses on the General Data Protection Regulation (GDPR), a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). The EDPB highlights specific GDPR articles including:
- Storage Limitation Principle (Article 5(1)(e) GDPR): Data should not be kept for longer than necessary.
- Integrity and Confidentiality Principle (Article 5(1)(f) GDPR): Data must be protected against unauthorized processing or disclosure.
- Data Protection by Design and Default (Article 25 GDPR): Data protection should be built into systems from the very beginning.
- Security of Processing (Article 32 GDPR): Appropriate technical and organizational measures must be implemented to protect personal data.
It's important to note that the EDPB's opinion has a limited scope. The decision does not address the use of facial recognition in general, and it specifically excludes its use for security purposes, border control, or by law enforcement agencies. Additionally, the EDPB did not examine the legal basis for using facial recognition at airports, such as whether passenger consent is truly valid.
The EDPB's decision casts doubt on the future of facial recognition programs at airports in the EU. The EDPB suggests that alternative methods for streamlining passenger flow should be explored whenever possible.
For any facial recognition program to be implemented, it would need to comply with the EDPB's strict requirements. This likely means that passengers would have the right to opt-out and would retain control over their biometric data. Additionally, airport operators and airlines would need to implement robust security measures to protect passenger data.
This decision by the EDPB is a significant development for data privacy in the European Union. It highlights the growing concern around the use of biometric data and emphasizes the importance of user control and data security. As the use of facial recognition technology continues to evolve, it will be interesting to see how airport operators, airlines, and data protection authorities around the world address these concerns.
Subscribe to our free weekly LinkedIn newsletter for a weekend roundup, or upgrade to our real-time updates for just $10/year. Get the latest marketing news and insights delivered straight to your inbox.