2020 Biometric Data Protection Issues in the European Union and the United Kingdom

The year 2020 is expected to be a highly turbulent one for biometrics, and particularly facial recognition, in Europe and the United Kingdom. This includes new biometric surveillance systems currently entering (or leaving) pilot phases, border control and transportation applications increasing with each passing quarter, large-scale citizen-facing facial recognition systems similar to those approved by governments in Asia-Pacific (APAC) being placed under further scrutiny in the European Union, and Artificial Intelligence (AI)-enhanced biometric systems finding their way into new applications from social media to smart home with little to no concern for consumer privacy and data protection.

Most importantly, according to an E.U. draft document regarding the dangers of AI obtained by Euractiv, Europe is currently considering putting up some additional security protocols and procedures regarding the use of facial recognition and even considering a temporary ban in certain applications. This will put a strain on future biometric and surveillance applications, but it is also a step in the right direction for an industry in desperate need of more regulatory, privacy, and data protection measures. A few of the most recent key highlights are required to paint the picture of this rather volatile market.

GDPR, Germany, and Internal Dissonance: The European Union leads the effort for increased accountability of biometric data and Personal Identifiable Information (PII) for all companies and governmental agencies. However, the General Data Protection Regulation (GDPR) is probably the most important regulatory measure for biometrics in recent years aiming toward increased transparency and citizen protection. However, new issues continue to appear regarding what conformity to GDPR should entail. For example, Germany’s new push for increased facial recognition surveillance in public places, train stations, underground, and other transportation hubs (e.g., facial recognition testing in Berlin's Südkreuz) is met with opposition.

France’s Biometric Digital ID, Belgium Carrefour PII Protection: GDPR conformity may also affect biometric service providers in non-surveillance applications. A recent example includes a new inquiry originating in Belgium from the Data Protection Authority regarding Carrefour and the usage, management, and processing of its customers’ fingerprint data. The retail giant offers loyalty rewards for its customers in exchange for biometric registration. On the other hand, France has been pushing for more biometric testing and will become the first European country to offer facial recognition to provide a biometric digital identity for its citizens. Contrary to APAC nations like China and India, France pledged to not use citizen data to create a biometric database. Instead, all collected data will be deleted when the authentication process is completed. Privacy groups are opposing this new measure, claiming that it should be considered unlawful, while a white-hat hacker managed to break the system within a single hour.

Smart Home and Social Media: Additionally, facial recognition is enjoying an increased penetration rate across smart home environments (e.g., Nest Cam IQ Indoor/Outdoor cameras, TP Link’s Kasa, and even new Apple Home FaceID applications) globally. However, in the European Union it is expected to force vendors to rethink how GDPR and PII protection should be implemented in these consumer and smart home applications. In late 2019, the U.S. Supreme Court decided against Facebook in the Patel v. Facebook case, claiming that the social media company creating face templates using facial-recognition technology of their users without their consent is a serious invasion of their privacy and has declined Facebook’s proposal for a further hearing. Although social media privacy concerns are not expected to be as serious in the European Union as in other countries worldwide, the European Union may well begin tackling some forms of biometric identification in the years that follow, which will come in conflict with E.U. governments.

The United Kingdom and Biometric Surveillance: In the United Kingdom, law enforcement agencies have long made use of facial recognition in public places and transportation hubs (the most recent implementation being the large-scale deployment of facial recognition infrastructure in King’s Crossing), and in recent years the technology was also used at large music festivals and public gatherings as well (a decision that seems to have been revisited recently). However, conflicting arguments still appear at the United Kingdom’s Office of the Biometrics Commissioner and the parliament’s Science and Technology Committee, which could force additional hurdles for some mid-sized biometric vendors attempting to secure governmental projects but not all. For example, NEC is expected to be behind new facial recognition projects with law enforcement and the Metropolitan Police and (if NEC’s recent project acquisition in Japan airports is taken into consideration) new border control applications might also be on the horizon.

Entry/Exit Border Control: Note that a key E.U. biometric implementation for border control concerns the Regulation 2017/2226 for the Entry/Exit System (EES), a piece of legislation that is currently taking effect and pushing for infrastructure biometric upgrades across all E.U. states. This regulation is forcing all member states to make mandatory biometric and ABC investments, a centralized database of biometric data, face, and four-finger registration for third-country nationals, and coordination with Europol anti-terrorism operations, among other measures. This is a great opportunity, albeit a challenging one, for E.U.-focused biometric software and hardware vendors. For more information about biometrics in border control, refer to ABI Research’s Biometrics in Border Patrol (AN-5243) Application Analysis Report.

The biometrics ecosystem is expanding in more ways than previously thought possible, but what will the outcomes of this evolution be? The answer can be summarized in three parts: 1) profits for governmental and law enforcement vendors, 2) rapid expansion for consumer-facing technologies with higher risk levels for end users with no visibility of their PII, and 3) increased difficulty for legal and standardization bodies to present well-rounded solutions.

In truth, the actual answer is a lot more complex and, contrary to other technologies, highly dependent upon a multi-faceted spectrum of variables. These variables include rising urbanization and public safety demands, citizen mobility, national security risk and anti-terrorism operations, human ethical concerns, mergers with AI technologies, legal implications, streamlining and securing end user/citizen identification processes (e.g., welfare, banking, border control, etc.), dependency on infrastructure and, of course, increasing Return on Investment (ROI) for certain applications while finding the right balance between customer experience and digital security.