In a world where facial recognition technology (FRT) is rapidly expanding, its use has been increasingly applied in daily situations such as accessing a bank account through a mobile, registering attendance at the office, or authenticating our identity in airports. Along with this widespread implementation, it also raises significant concerns about the safeguards of the biometric facial data that we provide (or not) to access different services or for other applications. So, if our biometric facial data is increasingly being used, how is it being protected?
Similar to other biometric data like fingerprints, eye retina or iris, finger veins, or even ear canal recognition, facial recognition is a mechanism that can be used to identify a person, and together with fingerprint recognition, it is currently one of the most commonly used mechanisms of identification. Facial recognition has experienced rapid growth in its applications and according to Deloitte, the market value of this technology is expected to increase from US$ 3.8 billion in 2020 to 8.5 billion in 2025.
How is biometric facial data captured?
As part of the process that uses facial recognition to authenticate whether we are who we say we are, there is an onboarding process that includes an enrollment phase. For example, setting up facial identification in your phone. During the initial setup process, it registers your biometrics, capturing in this case your facial data. This data is subsequently used for future authentications, providing access not only to the phone but also to apps that might use this feature.
However, facial recognition is not only based on voluntarily provided data for identification. Years ago, significant controversy arose around a company that collected billions of photos of people based on posts shared on social media to create a database later sold for identification purposes. According to the New York Times, “Dozens of databases of people’s faces are being compiled without their knowledge”, and this data seems to be collected not only from social media and other websites but also from cameras placed in different places, such as restaurants, for example.
Nevertheless, this same technology has become very important in areas like citizen security, being an increasingly used tool not only by police departments but also in the justice sector by public defenders.
How is biometric facial data stored, and who has access to it?
As mentioned before, facial recognition has become widely popular for accessing and unlocking mobile devices. For instance, the iOS face identification system ensures that “Face ID data — including mathematical representations of your face — is encrypted and protected by the Secure Enclave.” The Secure Enclave is a subsystem integrated into Apple System on chips (SoCs) and is isolated from the main processor to provide an extra layer of security for sensitive data. iOS explicitly states that “Face ID data doesn’t leave your device and is never backed up to iCloud or anywhere else.” Essentially, only the user owner of the phone is supposed to have access and can manage their biometric data use and permits.
However, in other cases where biometric facial data is collected (sometimes without prior knowledge), users may not be able to access information on how their biometrics are being stored and its potential uses.
In 2020, during one of the controversies regarding the sale of facial datasets and its impact on people’s privacy rights, Senator Edward J. Markey from the United States mentioned:
If your password gets breached, you can change your password. If your credit card number gets breached, you can cancel your card. But you can’t change biometric information like your facial characteristics…
Therefore, to protect the personal biometric data of citizens, including their “faceprint” from other images or videos captured with or without their consent, is not only important but absolutely necessary to ensure correct treatment of data and set limits to its use. Protocols must be established to guarantee the appropriate handling of this very sensitive information, which, in the wrong hands, could lead to significant harm.
Is there legislation around biometric facial data protection?
While there is still a lack of legislation in many countries specifically addressing the protection of biometric data, some initiatives do exist aimed at defining rules for the treatment of this kind of data. One of the most important laws in this space is the European Union’s General Data Protection Regulation (GDPR), which establishes a set of rules in this field.
The GDPR classifies biometric information (including facial data) as a “special category” of personal data. Therefore, compliance with Article 9 is required, which, among other things, emphasizes the need for explicit consent from the data subject to process biometric data. In 2023, the European Data Protection Board published the Guidelines on the Use of Facial Recognition Technology in The Area of Law Enforcement as an effort to provide relevant information to lawmakers and Law Enforcement Authorities for the implementation and use of FRT.
On the other hand, given that the United States has no federal law on data protection, the State of Illinois enacted a biometric privacy law in 2008. The Illinois Biometric Information Privacy Act (BIPA) mentions that the subject should be informed in writing that a biometric identifier or biometric information is being collected or stored, and provide authorization. Similarly, other states like Texas and Washington State have developed biometric privacy statutes.
In 2020, the National Biometric Information Privacy Act was presented to the Senate, as a proposal to regulate this field at a national level in the USA. According to the US Congress website, this proposal mentions: “A private entity may not obtain an individual’s biometric data unless (1) the entity requires the data to provide a service or for a valid business purpose, and (2) the entity informs the individual in writing of the collection and its purpose and receives a written release.” In Latin America, various countries have enforced data protection laws, and cases around data protection have arisen. Some of these countries developed their laws based on the European model, including similar characteristics to those determined by the GDPR. For instance, the Data Protection Law from Ecuador, adopted in 2021, establishes biometric data as sensitive data. Therefore, among other rules, it determines that its use and processing are also forbidden without the explicit authorization of the data subject.
What might be done to safeguard people’s rights?
Biometric data, including facial data, will likely continue to expand its applications and use cases. Therefore, it is necessary for countries worldwide to continue working on specific norms to regulate the way this data is captured, processed, and used. Even though acts and specific protocols have already been developed in some countries, authorities need to work on strengthening their institutional capacities to guarantee adequate enforcement of these legal frameworks by promoting specialized guidelines, considering the rapid changes in technology, including artificial intelligence that uses facial biometric data as input.
Furthermore, it might be important for authorities to also consider working on FRT-based systems regulations. This is necessary to prevent bias, discrimination, or other negative effects on citizens as a result of the application of this technology, as seen in various cases around the world.
A robust regulatory framework, coupled with effective enforcement and awareness campaigns, will protect citizens’ biometric data and, eventually, their right to privacy. It will also establish an adequate environment to promote responsible innovation for the use and applications of FRT, as it can become a very powerful tool for the innovation and economic development when used appropriately.