Introduction to Facial Recognition Technology
The Chair announces the publication of an article by its research fellow, Dr. Theodoros Karathanasis, entitled “Biometric Data and Facial Recognition Technology in the EU: The Interplay Between Data Protection and Cybersecurity.” Dr. Karathanasis’s publication follows his participation in the “Next Democratic Frontiers for Facial Recognition Technology” conference held in Florence on 29th September 2023.
Background of the Conference
The event was co-organized by the STG’s Chair on Artificial Intelligence and Democracy with the Dipartimento di Scienze Giuridiche of the University of Florence and The Centre for Cyber Law & Policy (CCLP).
Abstract of the Article
Abstract: In the European Union (EU), where privacy, data protection and human rights are at the very heart of the European integration project, there is an important debate going on about the “red lines” that should be set by regulators to prevent people’s freedoms being endangered. One emblematic example lies in the regulation of the use of facial recognition technology (FRT). Drawing on the requirements imposed by the GDPR on the controller and the processor to carry out appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved, the present article highlights the links between facial image data protection and the cybersecure deployment of FRTs.
Summary of the Article
Summary: The EU debate on facial recognition technology (FRT) shows the need to define “red lines” to safeguard individual freedoms, as privacy, data protection and human rights are central to European integration. FRT encompasses systems ranging from simple face detection to more complex verification, identification, and categorisation of individuals. Its use is becoming more common in important areas like banking (e.g., e-banking authentication), transport (e.g., ticketing), health (e.g., patient screening), and even elections (e.g., e-voting).
Concerns and Challenges
While FRT has significant technological capabilities, it also raises concerns about the balance between personal data protection, mass surveillance, commercial interests and national security. One concern is the storage of facial recognition data, often in databases, because of its vulnerability to security breaches. Such breaches have the potential to lead to identity theft, stalking and harassment, as hackers could access facial scans linked to other sensitive information like phone or banking details, which could exacerbate the impact of the breach.
EU Efforts to Enhance Security
To enhance the security of its digital infrastructure, the EU has recently introduced a series of updates to its cybersecurity legal framework. The large-scale processing of biometric data in law enforcement has the potential to pose certain risks to democratic values, including civil liberties, privacy, and human rights, due to the possibility of abuse and widespread surveillance.
Challenges in Interplay Between GDPR and NIS 2
A continuing challenge in the interplay between GDPR and NIS 2 is the lack of a clearly defined numerical threshold for “large-scale processing” of special categories of data. While the NIS 2 Directive shifted its criteria for covered entities from the number of users to factors like the number of employees and annual turnover, the GDPR’s definition of “large-scale” remains qualitative, based on factors such as the number of data subjects, volume of data, duration, and geographical extent of processing.
Conclusion
In conclusion, the article highlights the need for a double-layered risk approach to the security of processed, stored and transmitted facial image biometric data in the EU, by means of the privacy and cybersecurity legal frameworks. It also emphasizes the importance of implementing appropriate measures to ensure a risk-appropriate level of security, particularly in the context of large-scale processing of biometric data.
FAQs
- Q: What is facial recognition technology (FRT)?
- A: FRT encompasses systems ranging from simple face detection to more complex verification, identification, and categorisation of individuals.
- Q: What are the concerns regarding FRT?
- A: Concerns include the balance between personal data protection, mass surveillance, commercial interests, and national security, as well as the vulnerability of facial recognition data to security breaches.
- Q: How is the EU addressing these concerns?
- A: The EU has introduced updates to its cybersecurity legal framework and is working to regulate the use of FRT to safeguard individual freedoms and prevent abuse.
- Q: What is the interplay between GDPR and NIS 2?
- A: The interplay between GDPR and NIS 2 is crucial in addressing the challenges of large-scale processing of biometric data, with a need for clearer definitions and thresholds to ensure compliance and security.
- Q: Where can I find the article by Dr. Theodoros Karathanasis?
- A: The article, “Biometric Data and Facial Recognition Technology in the EU: The Interplay Between Data Protection and Cybersecurity,” can be found in the book “Next Democratic Frontiers for Facial Recognition Technology (FRT)” published by Springer.