Communication of the CNIL on its website, dated 18 February 2021
Facial recognition technologies are improving at a rapid pace and more and more everyday life applications are currently emerging. From the point of view of the protection of personal data, projects involving facial recognition face a clear legal issue: this technology relies on the processing of biometric data, which is prohibited by default unless a specific exception applies. The warning recently issued by the CNIL to a sports club illustrates this friction between facial recognition and the data protection rules. It came only a few days after the Council of Europe published its guidelines on facial recognition, in which the Council called for strict rules regarding this technology to avoid significant risks to privacy and data protection[1].
A French sports club had decided to put in place a facial recognition system aimed at identifying persons subject to a stadium commercial ban, detecting lost items, as well as fighting against terrorism. This system was still in its experimentation phase when the CNIL became aware of it and launched an investigation. The conclusion of the CNIL’s investigation is quite straightforward: the sports club must stop using this system because it is illegal.
To justify its decision, the CNIL noted that the system was based on the processing of biometric data. Under the GDPR and the French Data Protection Act, biometric data are part of the special categories of data whose collection and use are, with some exceptions, prohibited. None of the exceptions listed by article 9(2) of the GDPR seemed applicable in this case. Hence, the only other possibility would have been to rely on a legislative or regulatory provision under French law, specifically authorizing the processing implemented by the sports club. Indeed, under article 9(3) of the GDPR, Member States may “maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.”
Regarding the use of facial recognition to fight against terrorism, the CNIL simply noted that no such legislative or regulatory provisions existed and that consequently the underlying processing of biometric data could not be implemented.
Regarding the identification of persons subject to a stadium commercial ban, the situation was slightly different. Indeed, specific legislative and regulatory provisions authorize sports clubs to process personal data for this purpose (articles L332-1 and R332-14 et seq. of the French Sports Code). However, these provisions do not allow the processing of biometric data. They only allow the collection and use of the photograph of the persons subject to a stadium commercial ban, for manual identification. Therefore, the CNIL concluded that facial recognition could not be implemented for this purpose either.
The CNIL did not comment on the use of the system to identify lost items, but it seems obvious that the processing of biometric data for this trivial purpose is not authorized.
The CNIL has published several positions on facial recognition in recent months, including in relation to real-life experiments in various contexts. This warning will likely not be the last one issued by the CNIL on this subject.
[1] Guidelines on Facial Recognition, Convention 108 Consultative Committee, 28 January 2021.