to be authenticated or identified; if this probability exceeds a certain threshold in the system, defined by the user or the developer of the system, the system will assume that there is a match. 12.
While both functions – authentication and identification – are distinct, they both relate to the processing of biometric data related to an identified or identifiable natural person and therefore constitute a processing of personal data, and more specifically a processing of special categories of personal data.
13.
Facial recognition is part of a wider spectrum of video image processing techniques. Some video cameras can film people within a defined area, in particular their faces, but they cannot be used as such to automatically recognise individuals. The same applies to simple photography: a camera is not a facial recognition system because photographs of people need to be processed in a specific way in order to extract biometric data.
14.
The mere detection of faces by so-called "smart" cameras does not necessarily constitute a facial recognition system either. While they also raise important questions in terms of ethics and effectiveness, digital techniques for detecting abnormal behaviours or violent events, or for recognising facial emotions or even silhouettes, they may not be considered as biometric systems processing special categories of personal data, provided that they do not aim at uniquely identifying a person and that the personal data processing involved does not include other special categories of personal data. These examples are however not completely unrelated to facial recognition and are still subject to personal data protection rules. Furthermore, this type of detection system may be used in conjunction with other systems aiming at identifying a person and thereby being considered as a facial recognition technology.
15.
Unlike video capture and processing systems, for example, which require the installation of physical devices, facial recognition is a software functionality which can be implemented within existing systems (cameras, image databases, etc.). Such functionality can therefore be connected or interfaced with a multitude of systems, and combined with other functionalities. Such integration into an already existing infrastructure requires specific attention because it comes with inherent risks due to the fact that the facial recognition technology could be frictionless and easily hidden.
2.2 A wide variety of purposes and applications 16.
Beyond the scope of these guidelines and outside the scope of LED, facial recognition may be used for a wide variety of objectives, both for commercial use and to address public safety or law enforcement concerns. It may be applied in many different contexts: in the personal relationship between a user and a service (access to an application), for access to a specific place (physical filtering), or without any particular limitation in the public space (live facial recognition). It can be applied to any kind of data subject: a customer of a service, an employee, a simple onlooker, a wanted person or someone implicated in legal or administrative proceedings, etc. Some uses are already commonplace and widespread; others are, at this point, at the experimental or speculative stage. While these guidelines will not be addressing all such uses and applications, the EDPB recalls that they may only be implemented if compliant with the applicable legal framework, and in particular the GDPR and relevant national laws4. Even in the context of the LED, further to the functions of authentication or
4
See also EDPB guidelines 3/2019 on processing of personal data through video devices adopted on 29 January 2020, for further guidance.
8 Adopted - version for public consultation
