EDPB Adopts Guidelines on Facial Recognition in the Area of Law Enforcement

On
May
17,
2023,
the
European
Data
Protection
Board
(EDPB)

adopted
the
final
version
of
its
Guidelines
on
facial
recognition
technologies
in
the
area
of
law
enforcement
(the
“Guidelines”).
The
Guidelines
address
lawmakers
at
the
EU
and
EU
Member
State
level,
and
law
enforcement
authorities
and
their
officers
implementing
and
using
facial
recognition
technology. 

The
Guidelines
consist
of
the
main
body
of
guidance,
along
with
three
annexes
which
include:
(1)
a
template
for
assessing
the
severity
of
the
interference
with
fundamental
rights
caused
by
facial
recognition
technology;
(2)
practical
guidance
for
authorities
wishing
to
procure
and
run
facial
recognition
technology;
and
(3)
a
set
of
hypothetical
scenarios
and
relevant
considerations
based
on
certain
uses
of
facial
recognition
technology.
  

The
EDPB
considers
the
applicable
legal
framework,
focusing
on
the
EU
Charter
of
Fundamental
Rights
(the
“Charter”)
and
the
Law
Enforcement
Directive
2016/680
(the
“Directive”).
With
respect
to
the
Charter,
for
example,
the
EDPB
explores
the
interference
with
the
Charter
caused
by
processing
biometric
data
and
how
the
interference
can
be
justified
in
accordance
with
Article
52
of
the
Charter.
With
respect
to
the
Directive,
the
EDPB
examines
several
areas
including
the
lawfulness
of
processing
special
categories
of
data
for
law
enforcement
purposes
and
the
interplay
between
facial
recognition
technology
and
the
rules
regarding
automated
decision
making.

The
EDPB
notes
that
it
“understands
the
need
for
law
enforcement
authorities
to
benefit
from
the
best
possible
tools
to
quickly
identify
the
perpetrators
of
terrorist
acts
and
other
serious
crimes”
but
that
“such
tools
should
be
used
in
strict
compliance
with
the
applicable
legal
framework
and
only
in
cases
when
they
satisfy
the
requirements
of
necessity
and
proportionality.”
It
also
identifies
several
potential
uses
of
facial
recognition
technology
which
it
considers
to
pose
a
high
risk
to
individuals
and
their
private
lives,
or
to
be
“highly
undesirable,”
such
as
remote
biometric
identification
of
individuals
in
publicly
accessible
spaces
and
the
use
of
facial
recognition
to
infer
the
emotions
of
an
individual.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts