2. 02
TABLE OF CONTENTS
BIOMETRY
FACE RECOGNITION
ADVANTAGES OF BIOMETRIC DATA
ETHICAL AND LEGAL ISSUES
TECHNOLOGICAL WEAKNESSES
APPLICATIONS
EUROPE AND BIOMETRIC DATA
US AND BIOMETRIC DATA
CHINA AND BIOMETRIC DATA
POINTS FOR CONSIDERATION
3. 03
BIOMETRY
The word ‘biometrics’ comes from the Greek words ‘βίος’ (meaning life) and ‘μετρον’
(meaning measure). Biometrics refers to the identification or verification of a person,
based on some physiological and / or behavioral characteristics.
4. 04
FACE RECOGNITION
Face recognition is a method that is used daily and is essential for effective communication and interaction between people. It spans a wide range of scientific fields and has a variety of applications, such as entry control, surveillance, security and many others.
5. 05
ADVANTAGES OF BIOMETRIC DATA
Methods that use biometric identification are particularly effective because they use biometric data that is unique to each person. Biometric data is permanent and non-modifiable. Unlike traditional means of identification such as a licence or identity card, biometric data is neither transferred to another person nor stolen. Finally, using biometric data in identification systems achieves a higher speed of verification compared to conventional identification methods.
6. 06
ETHICAL AND LEGAL ISSUES
• There is no Consent to Receive the Data
• Biases
• There is an Automated Surveillance
• Operates without a Clear Legal Framework
• It violates the Principles of Necessity
• Violation of the Right to Privacy
• It affects Political Culture
• Data Theft
7. 07
TECHNOLOGICAL WEAKNESSES
2003
The first report on the accuracy of facial
recognition algorithms from the
National Institute of Standards and
Technology (NIST).
Researchers from Microsoft and MIT
have investigated the accuracy of the
distinctions made by facial recognition
algorithms.
2018 2019
Another study on the reliability of facial
recognition algorithms from the
National Institute of Standards and
Technology (NIST).
Access to and leak of biometric data from India's largest national database, Aadhaar.
2018 2014
Marriott data breach. British Airways
data breach.
2020
8. 08
FACE RECOGNITION APPLICATIONS
FACIAL RECOGNITION
INPUT CONTROL
SECURITY
RESEARCH IN DATABASES
GENERAL DETERMINATION OF DATA
MONITORING
[Chart: CCTV: The Most Surveilled Cities in the World. Cities with the most surveillance cameras per 1,000 inhabitants in 2020, based on an analysis of the 150 most populated cities in the world. Axes: cities, cameras. Cities shown: Shanghai, Suzhou, Harbin, Xiamen, Qingdao, Kunming, Hangzhou, Beijing, Changsha, London, Wuxi, Taiyuan. Source: Comparitech]
9. 09
WHAT IS GDPR
The General Data Protection Regulation (GDPR), which entered into force on May 25, 2018, replaced the Data Protection Directive of 1995 and is the strongest law on privacy and security in the world. The increasing use of computers and the data that results from it has led to the need to establish new rules and laws for managing and protecting that data. The GDPR applies to companies regardless of where they are headquartered, as long as they target or collect data from people located in the European Union. The regulation protects privacy and security by imposing strong sanctions on those who violate them. Finally, the GDPR requires the full compliance of EU Member States.
Under the GDPR, biometric data is included in personal data and is classified as sensitive data, as any processing of it could pose risks to fundamental rights and freedoms.
10. 10
PROCESSING OF PERSONAL DATA
According to Article 9 of the GDPR there are cases where the processing of personal data is allowed:
• When explicit consent has been given to the processing of the data, unless prohibited by European Union or Member State law.
• When this data is used in the fields of employment, social security and social protection.
• When it is necessary to protect the vital interests of the subject but the data subject is physically or legally incapable of giving consent.
• When the processing is carried out in the framework of the legal activities of an organization and the data is not disseminated outside it without the consent of the subject.
• When data is made public by the data subject.
• When the data is used for the establishment, exercise or defense of legal claims.
• When necessary for reasons of public interest under the law of the Union.
• When necessary for the purposes of preventive or occupational medicine.
• When processing is permitted for reasons of public interest in the field of public health.
• Finally, when the processing is necessary for purposes of public interest, scientific, historical or statistical purposes.
11. 11
RIGHTS
The Right to be Forgotten
According to Article 17 of the GDPR, those whose data is held in a database are given the opportunity to request that the data be deleted without any delay, and the administrator is in turn obliged to delete it.
Conditions of Consent
According to Recital 32, for the processing of the data of the subject there must be full and clear consent that establishes a clear, up-to-date and free indication of the agreement.
The Right of Access
Article 15 of the GDPR clearly describes the ability of the data subject to access data related to him, the type of processing that it undergoes and in which cases that processing takes place.
Obligation to Inform
According to Recital 60, the data subject should be aware of the processing of his data and its purposes. The data manager, for its part, should inform the subject about the processing and the context in which it takes place.
Data Transfer Right
Recital 68 describes that, in order to further strengthen control over the data, the data subject must be able to transfer his data from one administrator to another.
Data breach must be reported within 72 hours
The GDPR also includes measures aimed at enhancing business security. For example, if a company discovers a data breach, then the processors must notify the authorities within 72 hours of its discovery.
12. 12
The Data Protection Act 2018 UK
The Data Protection Act is the implementation of the GDPR in the United Kingdom.
Any public or private authority managing biometric data should apply the following:
• It must use the data correctly, fairly and transparently.
• It must use the data for specific purposes.
• Use should be limited to what is necessary.
• Data must be kept accurate and up to date.
• Data should not be stored for a long time and not longer than it needs to be.
• It must maintain and ensure the protection of the data.
According to the DPA, the data subject can access his data and be aware of the processing it undergoes. Their rights are as follows:
• Be informed about the use of the data.
• Ability to access them.
• Ability to update them.
• Ability to delete them.
• Right to restrict, pause or even oppose the processing of data.
• Ability to download and reuse data in other services.
13. 13
FACE RECOGNITION IN THE USA
In the United States of America, unlike the European Union, there is no single regulation for the protection and security of personal data and
specifically for biometric data, but individual states have different laws and regulations for this data. To date, the states of Illinois, Texas and
Washington have been the first to enact biometric data protection laws. In addition, companies and organizations have established guidelines based
on which they develop and use new technologies and data.
Microsoft in 2019, through its president Brad Smith, spoke about the responsible attitude that technology companies should have. Microsoft also
refused to provide facial recognition technology and install it on police cars in California. This move by Microsoft was followed by Amazon and IBM.
Finally, Facebook has agreed with the Federal Trade Commission that it must have explicit consent before proceeding with any privacy policy.
14. 14
Source: https://www.banfacialrecognition.com
BAN FACIAL RECOGNITION
An interactive map showing where face recognition technology is being used, where it will be used in the
future, and where an attempt is being made to control the technology.
15. 15
LEGISLATIONS AND BIOMETRIC DATA
Illinois (2008)
The first law on the protection of the privacy of biometric information (Biometric Information Privacy Act) was adopted.
Texas (2009)
Texas was the second state to enact biometric data protection law.
Washington (2017)
Legislation passed in Washington does not include biometric data from photos or videos.
Massachusetts (2019)
In June 2019, the city councils of Somerville and three other cities, Northampton, Cambridge and Brookline, voted unanimously to ban face recognition technology in both public services and police departments.
California (2020)
The California Consumer Privacy Act is the most important piece of legislation on biometric data protection.
New York (2020)
In March 2020, the bill came into force: Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).
16. 16
BIPA & CCPA
Biometric Information Privacy Act
According to BIPA, biometric data is any data, regardless of how it is collected, stored or transferred, that is used to identify an individual.
BIPA provides the following capabilities to consumers:
• Deleting their data.
• It is forbidden to collect, purchase or obtain biometric data in any way.
• It is also forbidden to profit from customers' data. This data should not be distributed or disclosed.
• Maintaining the security and integrity of data.
California Consumer Privacy Act
According to the CCPA, biometric data is part of a wide range of data that includes physiological, biological and behavioral data, which are used to identify an individual.
In particular, the law stipulates that companies are obliged to inform their customers about the data they collect.
Customers, for their part, have the opportunity to know whether a company collects data and for what reason it does so, as well as whether the company sells this data and to whom. They also have the ability to demand that their personal data not be sold and the right to delete it.
17. 17
CHINA
Law on Personal Data Protection
In October 2020, the Chinese government introduced the Personal Information Protection Law. This law has many influences from the GDPR and is essentially the first comprehensive data protection law in China.
According to the draft law, face recognition data are included in biometric data. Biometric data is considered sensitive data and any leak or misuse of it may damage the reputation, property, physical or mental health of the data subject.
• Before any biometric data is collected, the data subject should be informed of everything to do with the collection and use of such information, and the express consent of the data subject should be obtained.
• With regard to the storage of biometric data, the law stipulates that authentic biometric data should not be stored.
• Biometric data are prohibited from being transferred.
• Any disclosure of personal biometric data is prohibited.
• Data transfer and storage must be clearly stated and protection measures must be taken to ensure data integrity.
18. 18
THE SURVEILLANCE SYSTEM OF CHINA IN NUMBERS
[Chart: Number of surveillance cameras installed in public and private areas of China in 2017 with a projection for 2020, in million units: 176 (2017), 626 (2020). Source: https://www.statista.com/statistics/879198/china-number-of-installed-surveillance-cameras/]
In the name of public safety, the Chinese government has in
recent years developed a huge network of cameras that
support face recognition technology, collecting biometric data
for the entire population.
19. 19
APPLICATIONS OF SURVEILLANCE SYSTEM IN CHINA
• Face recognition systems in the transport network.
• To provide any service to mobile phone companies.
• In universities, for security reasons and to control student participation.
• For payment in popular applications. Since as early as 2017, customers in physical stores of the well-known chain KFC have been able to pay by scanning their face.
• To identify violators of traffic rules.
• For the purchase of specific drugs.
• For security reasons at the entrance of hospitals.
• To locate criminals and fugitives.
• To prevent the theft of toilet paper.
• The control of the Uighurs, a Muslim minority in the west of the country, using technology for racist social control.
20. 20
THINGS TO IMPROVE
In addition to the remarkable development of the technology, several more steps need to be taken to refine identification systems, to avoid erroneous predictions that have consequences for the individual, and to secure the systems against data leakage or theft.
States also need to take several steps to enact stronger laws and regulations to ensure the integrity of this data and the protection of their inhabitants.
Finally, the relationship of the state with the citizen and the way in which the state manages and processes the data must be clarified, so that the freedom and privacy of citizens are not violated.