Data Bytes - AI, Facial Recognition and New Data Legislation

Are you working with AI and facial recognition? It can reap massive rewards, but the fines for non-compliance can be just as big. In this article, our GDPR and data expert, Maria McCoy, considers the new legislation around privacy and what you need to do to comply.
September 1 2022

Data Protection Fine Summary – are you getting the basics right?

The first half of 2022 has seen ICO fines amounting to over eight and a half million pounds – almost 5 times the amount for the same period in 2021. The bulk of this total comes from the £7.5 million fine for Clearview AI, for collecting and processing images of millions of UK citizens for the purpose of facial recognition.

The biggest fines issued from Europe so far this year were:

  • €10 Million in May, from the Spanish Data Protection Authority to Google, for transfer of data to third parties without consent, depriving data subjects of control over their data.
  • €17 Million in March, from the Data Protection Authority of Ireland, to Meta Platforms Ireland Ltd for failing to have the necessary technical and organisational measures in place to protect data, including cross-border processing.
  • €20 Million in February, from the Italian Data Protection Authority to Clearview AI for failing to inform data subjects of the data processing, for processing the data for purposes beyond what was stated online, and for failing to specify data retention rules.

These fines show that even large organisations are still not applying the core principles of data protection compliance as defined in the GDPR:

  • Lawfulness, fairness and transparency – companies must determine that they have a lawful basis for processing data, must consider the effects of processing on the individuals and must be open and honest with data subjects about how their data is being processed
  • Purpose limitation – companies must be clear about the purposes for processing and only use the personal data for a new purpose if it is compatible with the original purpose, unless further measures are taken
  • Data minimisation – companies must ensure that personal data processing is adequate for the stated purpose, relevant and limited to what is necessary to fulfil that purpose
  • Accuracy – companies must take reasonable steps to ensure the personal data they hold is kept up to date, is not incorrect or misleading and rectify or erase incorrect data
  • Storage limitation – companies must not keep data for any longer than is necessary to fulfil its stated purpose, setting appropriate retention rules and implementing processes to enforce those rules
  • Integrity and confidentiality (security) – companies must have appropriate security measures in place to protect the personal data they hold and process

In addition, companies must take accountability for what they do with personal data and keep records as an appropriate audit trail to be able to demonstrate compliance with these principles.

Get in touch if you have any concerns and want advice on pragmatic ways to comply with GDPR.

Facial Recognition and AI – The Risks and Rewards

Facial recognition is a set of algorithms that work together to identify people in a video or static image. This technology has existed for decades, but it has become much more prevalent and innovative in recent years with the integration of artificial intelligence (AI) within facial recognition systems.

How is AI able to recognise faces?

Each person’s face is broken up into a set of data points, for example the distance between the eyes, the height of the cheekbones, and so on. AI facial recognition searches on those data points and tries to account for variations such as the distance and angle of the face. You start with initial manual correlations between a person’s face and their identity, and after a while it becomes easier for the algorithms to identify and match unknown faces from other data sources.

Well-trained AI-based software can deliver highly accurate results – typically, systems deliver 99.5% accuracy rates on public standard data sets.
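To make the mechanism concrete, here is an added illustration (not code from the article or from any real facial recognition product) of the two ideas above: a face reduced to a handful of geometric measurements, and matching done by nearest-neighbour search on those measurements with a distance threshold. The gallery, the probe faces and the measurement values are all constructed, and the 4-number "face vector" is a stand-in for the hundreds of points a real system extracts. It also shows why the headline accuracy figure is only half the story: the same gallery scored with a looser threshold starts accepting a stranger as an enrolled person, which is the failure mode a data protection impact assessment needs to weigh.

```python
"""Toy feature-vector face matching (added example, all data constructed)."""
import math

# Constructed gallery: identity -> a few measurement vectors, each captured at a
# slightly different distance/angle. These play the role of the "manual
# correlations" (labelled enrolment samples) the article describes.
# Vector layout (hypothetical): (inter-eye distance, cheekbone height,
#                                nose length, mouth width), in arbitrary units.
GALLERY = {
    "alice": [(0.62, 0.41, 0.55, 0.30), (0.63, 0.40, 0.56, 0.31), (0.61, 0.42, 0.54, 0.29)],
    "bob":   [(0.58, 0.47, 0.50, 0.36), (0.57, 0.48, 0.51, 0.35), (0.59, 0.46, 0.50, 0.37)],
    "carol": [(0.66, 0.38, 0.60, 0.27), (0.67, 0.37, 0.61, 0.28), (0.65, 0.39, 0.59, 0.26)],
}

# Constructed probes: (true identity or None for a stranger, measurement vector).
# The alice probe is her first enrolment sample scaled by 2, i.e. the same face
# seen from closer to the camera; the last probe is an unenrolled stranger.
PROBES = [
    ("alice", (1.24, 0.82, 1.10, 0.60)),
    ("bob",   (0.64, 0.52, 0.55, 0.39)),
    (None,    (0.50, 0.50, 0.50, 0.50)),
]


def normalise(vec):
    """Scale to unit length so overall face size (camera distance) cancels out."""
    norm = math.sqrt(sum(x * x for x in vec))
    return tuple(x / norm for x in vec)


def distance(a, b):
    """Euclidean distance between two (normalised) measurement vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def match(probe, gallery=GALLERY, threshold=0.05):
    """Nearest-neighbour search over every enrolled sample.

    Returns (identity, distance) for the closest sample, or (None, distance)
    when even the closest sample is further away than the threshold, i.e. the
    probe is treated as an unknown face.
    """
    p = normalise(probe)
    best_id, best_d = None, float("inf")
    for identity, samples in gallery.items():
        for sample in samples:
            d = distance(p, normalise(sample))
            if d < best_d:
                best_id, best_d = identity, d
    return (best_id if best_d <= threshold else None, best_d)


def evaluate(probes, gallery=GALLERY, threshold=0.05):
    """Score a probe set: returns (accuracy, false-match rate).

    Accuracy counts a probe as correct when the predicted identity equals the
    true one (including correctly rejecting a stranger as None). The false-match
    rate is the fraction of strangers wrongly matched to an enrolled identity,
    which is the privacy-relevant error: an innocent person tied to someone
    else's record.
    """
    correct = false_matches = strangers = 0
    for truth, vec in probes:
        predicted, _ = match(vec, gallery, threshold)
        if truth is None:
            strangers += 1
            if predicted is not None:
                false_matches += 1
        if predicted == truth:
            correct += 1
    accuracy = correct / len(probes)
    fmr = false_matches / strangers if strangers else 0.0
    return accuracy, fmr


if __name__ == "__main__":
    for threshold in (0.05, 0.3):
        acc, fmr = evaluate(PROBES, threshold=threshold)
        print(f"threshold={threshold}: accuracy={acc:.2f} false_match_rate={fmr:.2f}")
```

With the tight threshold the stranger is rejected and both enrolled faces are found; with the loose threshold the stranger's nearest enrolled sample (bob) falls inside the tolerance and is reported as a match, so a reported accuracy rate should always be read together with the false-match rate and the threshold it was measured at.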

Benefits and drawbacks of AI Facial recognition

Face recognition AI is applied in many industries and can be used for laudable purposes such as supporting pain management procedures and patient medication consumption, improving security and fraud detection, improving airport efficiency with the use of ‘smart gates’, and crime prevention, for example identifying and locating victims of human trafficking.

However, there are plenty of questionable ethics involved with the development of AI facial recognition as well.

The primary issue is the collection of people’s image data without consent, as the majority of facial image databases are collected from the internet or from live camera feeds, without the permission or knowledge of the data subjects. For instance, Facebook paid a $650 million settlement after a long-running legal dispute with a group of 1.6 million users regarding facial tagging without permission. And the company Clearview AI has recently been fined £7.5 million by the ICO and €20 Million by the Italian Data Protection Authority for processing the images of UK and EU citizens without a legal basis or transparency about the processing.

There are other, potentially impactful uses for AI facial recognition – there have been claims that a person’s face could allow us to predict whether they will become a criminal… what if law enforcement agencies could start taking action based on that predictive intelligence?

AI facial recognition is powerful, but it comes with a large set of ethical implications. Tell us what you think will be the future of AI facial recognition and whether it is possible to regulate the way in which the data is harvested.

Data Legislation is changing - are you ready?

2022 has seen the implementation of many new data protection laws.

In April 2022, the Japanese APPI (Act for the Protection of Personal Information) amendments from 2020 came into force, which bring APPI closer to GDPR by expanding the scope of data subject rights, making data breach reporting mandatory and limiting the range of personal data that can be shared with third parties.

The European Data Governance Act was implemented in June 2022 and will come into force after an 18-month grace period. It looks to boost the development of trustworthy data sharing practices, unlocking the innovative potential of data sharing for the benefit of European citizens and businesses.

Further examples are:

  • The United Arab Emirates (UAE) passed its first federal data protection law which came into force in January 2022
  • Saudi Arabia adopted its first standalone personal data protection law in March 2022
  • Utah Consumer Privacy Act (UCPA) was enacted in March 2022
  • Qatar’s Data Protection Regulations and Data Protection Rules 2021 took effect in May 2022
  • Connecticut Privacy Act was enacted in May 2022
  • Thailand’s Personal Data Protection Act (PDPA) finally came into effect on 1 June 2022 after a 2-year delay due to Covid

There are more legislative changes on the horizon, such as the ePrivacy Regulation and the Network and Information Security (NIS) 2 Directive in Europe, and not all planned legislative changes have gone ahead on schedule:

  • Switzerland’s revised Federal Data Protection Act was expected to enter into force in the second half of 2022 but has now been delayed until 1st September 2023
  • The proposed 2019 Data Protection Bill in India was withdrawn in early August 2022, in order to reshape it as part of a more comprehensive legal framework.

What does all of this mean for you?

If you are a UK business with operations, data centres or customers overseas, stay informed and be proactive. Complete a full impact assessment for each global data protection legislation change and take action accordingly. Many of them come with a grace period before enforcement, giving reasonable time to plan and implement changes as required.

The good news is that many of these legislation changes are coming into line with GDPR as the de facto global standard, so if you are already complying with the UK GDPR, the impact of other global legislation changes should be reduced accordingly. Additionally, as data protection laws improve, there is a greater chance of adequacy decisions for those third countries, which will simplify cross-border transfers.

If you would like to see a deep dive on any specific legislation change, let us know and we can cover that in a future publication.