Regulatory Implications of Facial Recognition Technology

17. November 2021

Since its inception, facial recognition technology has been accompanied by controversy. Few can deny its capability to enhance security, productivity, and convenience, but many are concerned about misuse of the technology, such as non-consensual surveillance[1]. Although the GDPR strictly regulates the use of facial recognition technology, cases of inappropriate use still surface every now and then. What is likely to happen if facial recognition technology is used inappropriately? When is its use GDPR-compliant, and when is it not?

What is facial recognition technology?

Facial recognition technology uses cameras to capture videos and images and compares them against existing data in a database. If a newly captured image of an individual matches an existing image in the database, the individual is identified.

The images facial recognition technology collects are classified as biometric data. According to GDPR Art. 4(14), biometric data is “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or fingerprint data”. Because biometric data cannot be erased or changed and identifies a person strongly, its use is strictly regulated by the GDPR. Generally, the processing of biometric data is prohibited unless the data subject has given explicit consent, the processing is necessary for reasons of public interest, or another condition described in GDPR Art. 9(2) applies.

Most Common Oversights

One of the most common violations of the GDPR rules governing facial recognition technology is non-consensual surveillance. A sign at the entrance of a retail store warning customers that facial recognition technology is in use does not by itself make the processing GDPR compliant. Similarly, when a customer walks into an area where facial recognition technology is deployed, this does not mean he/she has consented to the processing of his/her personal data.

A well-known example of a violation of the GDPR guidelines on facial recognition technology occurred in Sweden in 2019. The Swedish Data Protection Authority (DPA) imposed a $20,700 fine on the Skelleftea municipality because a school ran a pilot program using facial recognition to track the attendance of 22 students. The ruling was based on several factors[2]:

  1. Lack of an impact assessment and of a request for prior consultation with the Swedish DPA. Although the school conducted a risk analysis, it did not carry out a data protection impact assessment (GDPR Art. 35) or request prior consultation (GDPR Art. 36) before starting the trial. 
  2. Invalidity of consent. Although the school asked for and received the parents’ consent, the DPA ruled the consent invalid because of “the clear imbalance between the data subject and the controller”. 
  3. Disproportionate use of facial recognition technology. The school intended to use the technology to make attendance tracking more efficient, a purpose that, according to the GDPR, is not significant enough to justify processing sensitive biometric data.

GDPR-Compliant Conduct of Facial Recognition Technology

The Danish football club Brøndby IF uses facial recognition to prevent football hooliganism. After a three-year negotiation with the local DPA, Brøndby IF obtained regulatory approval to implement facial recognition technology in the Brøndby stadium. Since then, those on the “ban list” are no longer allowed to enter the stadium.

Brøndby IF got the green light to implement facial recognition technology because the usage is for “reasons of substantial public interest”[3], in this case ensuring audience security during sports events. Compared with how the club used to identify football hooligans in the past (solely from their descriptions), facial recognition technology appears to be more efficient and accurate. However, doubts arose when the public learned that only four football hooligans had been identified in ten months, while the biometric data of 14,000 people is scanned every time a match takes place[4]. Many ask the question: is it really worth compromising public privacy for such a result?

How can we use facial recognition technology in compliance with privacy regulations? 

Facial recognition technology is still relatively new. Some believe it will bring the public convenience, efficiency, and security. Others have privacy concerns and are suspicious of its accuracy. As with any new and fast-advancing technology, lawmakers are treating facial recognition with extra caution, especially under the GDPR.

If you are considering implementing facial recognition technology in your organization, we strongly suggest that you read the following points thoroughly and only start implementing once you can satisfy all of the requirements. 

  • Follow the procedure laid down in the GDPR before implementing facial recognition technology. As the pilot program at the Swedish school shows, a data protection impact assessment (GDPR Art. 35) and prior consultation (GDPR Art. 36) have to be conducted regardless of the scale and scope of the project. 
  • Make sure your project is permitted to use facial recognition technology: the processing of biometric data is generally prohibited by the GDPR, unless your project a) has the explicit consent of the data subjects, or b) is of significant public interest. However, where imbalanced power dynamics are in the picture, explicit consent is not enough to start the project, since the data subject may not be able to give consent freely[5]. The principle of proportionality is another point to confirm. For example, the Swedish school used facial recognition to improve the efficiency of attendance tracking, a purpose that is considered disproportionate, while the Danish football club’s purpose of ensuring audience security is justifiable.
  • Adhere to both the GDPR and national laws. Different countries may interpret the GDPR guidelines differently on the basis of national law. Therefore, you should not assume that a facial recognition application would be approved in country A just because it was approved in country B under similar circumstances. 

Facial recognition technology is still maturing, and while that process continues, the controversy is unlikely to cease. If you are convinced that facial recognition can bring benefits to your organization and the public, we highly recommend that you keep up to date with the related laws and regulations and adhere to them with caution.

If you want to learn more about visual data privacy and the potential solutions ensuring regulatory compliance, please contact us here.


[1] Zhang, Feng, Sadeh; “Facial Recognition: Understanding Privacy Concerns and Attitudes Across Increasingly Diverse Deployment Scenarios”; 2021

[2] European Data Protection Board; “Facial Recognition in School Renders Sweden’s First GDPR Fine”; 2019-08-22

[3] Art. 9 GDPR; “Processing of Special Categories of Personal Data”

[4] Andrey Koptelov; The European Business Review; “Facial Recognition and GDPR: How to Stay Compliant”; 2021-07-30

[5] Suvi Julin; Lexology; “Key Update On GDPR Compliance With Facial Recognition Technology”; 2021-06-14


Xinzhuo Xiao
Marketing & Communication