The use of facial recognition technology is exploding. Facial recognition technology uses algorithms that map facial features – such as the distance between a person’s eyes, or the width of a person’s nose – and compares those features to a database of known individuals. Organizations may use the technology for security (e.g., cameras that “ID” employees or criminals), marketing to consumers (e.g., cameras that “ID” particular customers), or designing products that quickly categorize digital media (e.g., photograph sorting). However, a large question to privacy specialists is whether people have a right to this information? Civil rights groups argue that we have a fundamental right to privacy and that wanting to be anonymous does not mean we have “something to hide”. We shouldn’t be able to be identified if we don’t want to be. It gets even more troubling when you think about the increasing amount of surveillance, webcams and other photos of individuals that are occurring without the knowledge or consent of individuals.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s private sector privacy law. It’s very difficult to know how our images are being used and whether our right to privacy is being respected. There is currently no Canadian statute that expressly regulates private-sector use of facial recognition technology. Nonetheless, PIPEDA, which has authority to prevent unfair and deceptive practices, has expressed interest in the privacy implications of facial recognition technology, has issued a set of best practices concerning its use, and has investigated organizations that it believes violated those recommendations. Canada and European countries are at least trying to keep some limits on facial recognition, including by restricting the use of automated “tagging” features.
Before considering the use of biometrics (such as automated facial recognition technology, retina scans, fingerprints, hand-scans) in their identity management systems, companies should consider whether they are necessary, effective, and proportional to the potential privacy risks, and whether there is a less privacy invasive way to identify or authenticate an individual. See Data at your Fingertips: Biometric and the Challenges to Privacy for an overview of privacy issues related to biometrics.
Some other steps we encourage companies to take is to:
- Consider various factors when developing facial template data management practices, including the types of non-facial recognition sensitive data being captured and stored, how that data will be stored and used and reasonable consumer expectations with respect to the use of data;
- Provide individuals the opportunity to control the sharing of their facial template data with unaffiliated third parties;
- Take reasonable steps to maintain the integrity of the facial template data they collect.
You can read more about Facial Recognition from the Office of the Privacy Commissioner of Canada here: https://www.priv.gc.ca/media/1765/fr_201303_e.pdf