Facial recognition is often controversially discussed in public. The bidt contributes to this discussion from the perspective of legal sciences, computer science and ethics. The central question is: Are new legal regulations or even a ban necessary?
The most important points in brief
The possible applications of biometric facial recognition are constantly developing. They range from unlocking smartphones and using them for passport control (authentication) to comparing video recordings with databases in police investigations (identification) to improved diagnosis of diseases (classification). At the same time, the use of facial recognition technologies is controversially discussed in public and by political decision-makers: Calls for strict regulation or a ban are becoming louder.
The researchers – Nikolaus Bauer, Dr Jan Gogoll and Niina Zuber – provide a contribution to the discussion with perspectives from law, computer science and ethics on the regulation of the technology. In doing so, they provide an overview of different use cases ranging from authentication to identification and classification. They provide an impetus for the current discussion at EU and national level and explore the question of whether new legal regulations or even a ban are necessary.
The authors agree: with the exception of facial recognition for the purpose of authentication, they see a need for action for the use of systems in the areas of classification and identification. With regard to classification, they advocate a joint position of the European data protection supervisory authorities in order to effectively protect data subjects. They advocate a moratorium on the use of biometric facial recognition in public spaces in Germany.
Impulses for regulating facial recognition
- The technical reliability of facial recognition systems is increasing. However, even if the technology were 100 per cent technically reliable, this would not mean that it is also legally permissible.
In addition to the technical reliability of the systems, other constitutional and data protection requirements must be met.
- The use of facial recognition systems for the purpose of authentication can be designed in accordance with data protection law. There is no need for regulation.
- Classifications by means of facial recognition systems are prohibited at EU level unless the persons concerned consent (prohibition under data protection law with reservation of permission). The use of the systems is only permitted in narrow cases of application on the basis of voluntary consent, in particular in the areas of health, science and road safety. The European data protection supervisory authorities should define the narrow use cases in a joint opinion.
Consent must be voluntary, i.e. data subjects must not feel pressured or have to suffer negative consequences if they do not consent. With their voluntary consent, data subjects can address risks of discrimination from facial recognition systems in advance. The prohibition of automated individual decisions also reduces the risks of discrimination by facial recognition systems, as the persons concerned must have the possibility that a human being will make the decision again.
In its regulatory proposals on artificial intelligence, the European Commission should consider classifications by biometric systems in the health sector to be high-risk and subject them to strict mandatory requirements, as misdiagnoses can threaten considerable disadvantages for the persons concerned.
- The use of facial recognition systems for the purpose of identifying EU citizens by private companies such as Clearview and PimEyes is prohibited, as the data subjects have regularly not given their consent to the processing of their biometric data. However, there seems to be a law enforcement problem.
To protect biometric data, legislators should work with data protection regulators to find solutions. International treaties between the EU and third countries may be needed.
- The use of facial recognition systems for the purpose of identification in public spaces is currently prohibited for lack of a legal basis (prohibition under data protection law with reservation of permission).
The state has a duty to protect its population, but at the same time it must respect the fundamental rights of its citizens.
The European Commission therefore wants to provide a narrow framework within which biometric facial recognition in public spaces should be permissible by way of exception. It also wants to classify it as high risk and implement strict mandatory requirements and procedures.
Within this narrow framework, national legislators could create a legal basis for biometric facial recognition in public spaces.
A legal basis for biometric facial recognition in public spaces must respect the principle of proportionality. In doing so, a double proportionality test must be carried out, which takes into account both the individual measure and the totality of all state surveillance instruments (“surveillance total account”).
With regard to the surveillance total account, scientific expertise should be obtained; the field is currently being researched.
Biometric facial recognition in public spaces represents a very serious encroachment on citizens’ fundamental rights. It would probably only be permissible under even narrower constitutional conditions than the already narrow framework that the European Commission wants to set out in its regulatory proposals on artificial intelligence.
The very narrow constitutional requirements include in particular:
a) There must be a concrete danger to a high-ranking legal interest, such as the life, limb or freedom of citizens or the existence of the federal government or a state, or the measure must be necessary to solve particularly serious criminal offences.
b) The measure must be applied in a limited time and place. It may only be carried out at very narrowly defined locations, such as transport hubs (e.g. railway stations, airports), where it is to be expected that the persons sought will be found, and may only last as long as the danger situation exists or it is necessary for the investigation of the criminal offences.
c) It must be flanked by very tight technical and organisational safeguards. A judge’s reservation is required for ordering the measure and the Federal Commissioner for Data Protection and Freedom of Information must be involved. The personal data may only be used for the purposes stated in the legal basis and must be deleted when the purpose has been achieved. In addition, a high level of data security is required.
d) The reason, the purpose and the limits of the measure must be specified in the enabling basis in a field-specific, precise and normatively clear manner.
The legislator should only allow biometric facial recognition in public spaces if it is socially accepted. The question of social acceptance does not seem to have been clarified yet. Therefore, a broad public democratic debate is needed. Until this debate is concluded, the legislator should refrain from creating a national legal basis for biometric facial recognition in public spaces (“moratorium”).
- The legislature must decide on such essentials as the use of facial recognition technology for law enforcement in the aftermath of mass events, such as the G20 summit. Current general clauses are not likely to comply with the case law of the Federal Constitutional Court with regard to clarity of norms and certainty in order to allow the use of the systems. The legislature could therefore be called upon to create a special legal basis for the use of the technology in mass events in the Code of Criminal Procedure, or the executive should refrain from using it.
- There are no fundamental objections to the use of facial recognition systems to compare suspects recorded on video with police databases.