FEATURE
FACIAL RECOGNITION TECHNOLOGY AND THE LAW: ARE EXISTING PRIVACY AND SURVEILLANCE LAWS FIT FOR PURPOSE? CAITLIN SURMAN, SENIOR ASSOCIATE, HWL EBSWORTH
O
ver the past few years, the development and use of Facial Recognition Technology (FRT) throughout Australia has grown exponentially but has been accompanied by widespread concerns about the capacity of existing legislative frameworks to regulate it appropriately, as well as a lack of specific legislation regulating its use. While lawmakers grapple with what that new legislative framework might look like, this article considers how Australia’s existing privacy and surveillance laws deal with FRT, including whether those laws adequately safeguard the use of FRT, and options for future reforms to these frameworks.
WHAT IS FRT AND HOW IS IT USED? FRT involves the automated extraction, digitisation and comparison of spatial and geometric distribution of facial features. Using an algorithm, FRT compares an image of a face with an image stored in a database, in order to identify a match.1 FRT is deployed in two main ways, being: 1. ‘one-to-one’ FRT, which is used to verify the identity of an individual by checking one image against a single, respective image to determine if they are the same person.2 It is often utilised in a controlled environment where the lighting is sufficient and the subject is in an optimal position to facilitate a successful comparison,3 and its most common application is unlocking a smartphone; 2. ‘one-to-many’, which is used to identify an unknown individual by comparing a select image against a large database;4
12 THE BULLETIN April 2022
This article focuses on ‘one-to-many’ FRT, which seeks to match a single facial image with a different facial image of the same individual that has been stored in a large database. It therefore relies on a much larger dataset to conduct a comparison, whilst the facial image being compared against the dataset is often taken from ‘the wild’ (eg CCTV surveillance) and is of lower quality.5 As a result, identifying a person using ‘one-to-many’ FRT is more difficult and prone to false matches and misidentification.6 In Australia, FRT is often used by banks and telecommunications companies for identity verification purposes, 7 and is used extensively by immigration authorities to verify the identity of passport holders at international borders/airports, as well as by law enforcement agencies throughout Australia for crime prevention and suspect identification purposes. Locally, SAPOL fully implemented its own FRT system (called ‘NEC NeoFace system’) in the Adelaide CBD in 2019, which integrates FRT with CCTV, ATM, and some social media footage.8 In November 2021, the Adelaide City Council announced plans to roll out an updated City Safe CCTV Network that will involve the introduction of facial and number plate recognition.9
EXISTING SURVEILLANCE LAWS Application to FRT There is no Commonwealth legislation that regulates the use of surveillance devices.10 Instead, this is currently governed by state and territory legislation. The relevant piece of legislation in South Australia is the Surveillance Devices Act 2016 (SA) (SDA).
The SDA prohibits: 1. the knowing installation, use or maintenance of an ‘optical surveillance device’11 by a person on a ‘premises’12 that visually records or observes a ‘private activity’ without the express or implied consent of all the key parties;13 and 2. the knowing use, communication or publication of information or material derived from the use of an optical surveillance device.14 The regulation of an optical surveillance device under the SDA is linked to the concept of a ‘private activity’, meaning an activity carried on in circumstances that may reasonably be taken to indicate that one or all of the parties do not want the activity to be observed by others.15 Accordingly, the SDA might prohibit FRT in circumstances where it is used for covert optical surveillance (unless an exception applies). The definition of ‘private activity’ excludes activities carried on in a public place.16 Accordingly, public authorities can use devices with FRT to monitor the activities of the general public in public spaces, or semi-public spaces, without breaching the SDA. Even if a person or government authority is prohibited from using a device to monitor FRT by the SDA, section 5(4) of the SDA sets out several exceptions to the general rule. These exceptions include where the use of the optical surveillance device is reasonably necessary for the protection of the ‘lawful interests’ of that person, or if the use of the device is in connection with the execution of a ‘surveillance device warrant’ or ‘surveillance device (emergency) authority’.
