
IP/IT Law: Facial Recognition Technology Under POPIA

The human brain can identify certain facial features and associate that information with a particular person. Similarly, Facial Recognition Technology (“FRT”) is a biometric tool that maps out facial features captured in an image (video or photograph). The facial features collected from an image are converted into an algorithm which is compared to a database of facial patterns. We can capture, store, and analyse this data quickly and at scale, and identify certain behaviours or patterns of others.

This technology can transform the way we interact with consumers: we can track customers’ and shoppers’ behavioural patterns and develop a more efficient design for products and services based on their preferences. This tool will enable companies to derive enormous commercial benefit; however, this technology brings about serious privacy implications.

The use of FRT and software in terms of the Protection of Personal Information Act No. 4 of 2013 (“POPIA”)

The use of FRT is subject to the provisions of POPIA which provides certainty by specifying mandatory mechanisms to comply with the processing of Personal Information in a manner that will uphold the right to privacy.

If your company or organization is considering using FRT, as a Responsible Party under POPIA, you would need to consider the following:

  • ‘Personal Information’ is defined as information relating to an identifiable, living natural person and includes biometric information of a data subject.
  • The Act further categorizes biometric information as specially protected information, the collection and processing of which are expressly prohibited.
  • POPIA provides exceptions to the prohibition on processing specially protected information, through general authorization, some of which enable processing to be carried out with the consent of a data subject; if it is necessary for the establishment, exercise or defence of a right or obligation in law; or if it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent.

On the face of it, POPIA will present practical difficulties to the Responsible Party. For example, should you wish to place FRT at the entrance of your retail stores to capture information for further advertising, and the FRT actually processes Personal Information, then POPIA requires, as one of eight conditions, that there must be a level of awareness among data subjects regarding the collection of their personal information in order to meet the condition of Openness. This means that the Responsible Party must take reasonable practical steps to ensure that the data subject is aware of at least 9 different information items.

How can we use FRT while adhering to POPIA?

As the Responsible Party you will need to consider the following:

1. Are you processing Personal Information?

It is imperative to understand the definition of Personal Information to identify whether you are processing Personal Information. The processing of information on its own does not automatically amount to the processing of Personal Information. For example, a cell phone number on its own will not meet the first part of the definition, “an identifiable, living person”. The cell phone number is not linked to an identifiable person and will therefore not be regarded as personal information.

Similarly, a photograph of a natural person on its own will not be regarded as either Personal Information or Special Personal Information, as it is not linked to an identifiable living person.

2. One needs to understand the technology and determine how and exactly what will be processed

FRT can be used in the following ways: for detection, for characterisation, as a unique persistent identifier, for verification, and for identification.

Should you use FRT for targeted advertising, such as identifying the age and gender of an individual, it will not be used for identity verification nor will identification take place. The facial features captured are not matched against a record that may contain other Personal Information of an identifiable natural person.

FRT for purposes of detection

This category of FRT has the purpose of detecting a face and capturing the image accordingly. This can be used to determine how many shoppers have entered the store in total per day. The data subject will remain unidentifiable, and therefore the data captured does not amount to the processing of Personal Information. There are no privacy concerns, and it is not a requirement for notice to be given or consent to be obtained from a data subject.

FRT for purposes of characterization

This category will enable you not only to capture and count the number of images (faces) captured but also to make assumptions about the images of the faces captured and identify characteristics such as gender or age. The data subject will remain unidentifiable and there are no privacy concerns. No consent will be needed for the processing of the images via this FRT. We would recommend placing a notice that states the following words: “Facial Recognition Technology used”, to notify data subjects of their information being captured.

FRT can therefore be used for purposes of detection and characterization as this will not be seen as processing of Personal Information.

However, the use of biometric information for cross-matching or identification can be linked to other data that may identify a specific data subject and will therefore be regarded as the processing of Personal Information under POPIA. An example would be using FRT to determine how many repeat shoppers there are per day or week; this may potentially amount to cross-matching or identification. Matching images against any watchlist or record of any other kind that may contain other personal information of an identifiable natural person will most definitely result in identification. This will place an obligation on the retailer as a Responsible Party to comply with all eight conditions of POPIA.

In addition, the Responsible Party would need to consider whether automated decision-making takes place when utilising the FRT. If yes, then the Responsible Party needs to understand whether it acts within the exceptions of POPIA when using automated decision-making, otherwise the following will apply: “a data subject may not be subject to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, which is based solely on the basis of the automated processing of personal information intended to provide a profile of such person including his or her performance at work, or his, her or its credit worthiness, reliability, location, health, personal preferences or conduct.”

Further, any discrimination of customers based on characteristics such as race or gender may further be prohibited by certain laws, such as the Consumer Protection Act 68 of 2008, which provides that all consumers shall be dealt with in the same manner.

Other risks associated with the use of FRT for targeted advertising (non-identification)

As shown above, this technology can be used to derive enormous commercial benefit if used outside the scope of the category of Personal Information. However, there are other risks associated with the use of FRT for non-identification purposes that also need to be considered:

The retention of images

  • the images should not be stored for a period longer than what is required to execute the detection or characterization;
  • ensure that there are proper measures in place to prevent the system from being breached which may give external parties access to these images and data;
  • no images may be duplicated or stored; and
  • limit access to, and control of, the technology and the recorded FRT output data to authorized personnel.

The purpose of the FRT

  • it is prohibited to use the FRT in a manner that may result in discrimination based on race, gender, or any other characteristics. There needs to be a proper evaluation of the technology and the algorithm utilised to ensure that no biases are created; and
  • the FRT may not be used to match the characteristics of particular customers, as this will result in the identification of the data subject based on their characteristics and will most definitely trigger further obligations under POPIA on the Responsible Party.

If used correctly within the scope of detection and characterization, FRT has the capability of transforming your interactions with consumers in an effective way while adhering to POPIA.

Please feel free to email our Gerrie van Gaalen at gvgaalen@dkvg.co.za or to phone him on 021 914 4020 if you need more information or assistance.

Written by Aalia Mahomed

dataprotection@dkvg.co.za

This article is for general information purposes and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact us at DKVG Attorneys for specific and detailed advice.