Face-to-data—another developing privacy threat?

TLDR: Traditional data protection regulation provides limited comfort for those concerned about the impact of F2D, and facial recognition as such is a broader phenomenon than F1D.

Abstract: The constant development of technology gives rise to an equally constant stream of privacy issues. One of the most interesting recent developments is what we can call face-to-data (F2D). F2D refers to at least partially automated processes for accessing personal information about a person based on an image of that person’s face. Ground-breaking research by a team of researchers from Carnegie Mellon University has highlighted that advances in face recognition technology, combined with the widespread posting of images linked to names on, for example, social media sites, and the processing power provided by advances in cloud computing, create a new set of privacy issues, similar to, but also distinct from, traditional privacy issues associated with facial recognition. The Carnegie Mellon University team ran a series of experiments. For example, using a search tool, they built up a database of images and names collected from publicly available Facebook profiles. They then captured images of consenting students and ran those images through off-the-shelf face-recognition software, linking in the data gained from the Facebook profiles. In the test, about a third of the students were identified. The Carnegie Mellon work is striking because it uses commonly available devices (ie an iPhone) to perform highly effective facial recognition using candid photographs, and then links those to a series of databases to generate an immediate response. So, for example, a person may use a phone on a street, take a picture, and within seconds have back the Social Security Number and street addresses of the people photographed. Information that can then be used to, manually or through automated processes, extract further personal data about those people. In light of this, the facial recognition aspect is only one part of the overall process of concern here, and facial recognition as such is a broader phenomenon than F2D. Thus, to properly understand the phenomenon we are dealing with, it is undesirable to discuss F2D merely as a facial recognition issue. F2D can of course serve a variety of goals ranging from government surveillance, to business use and to satisfy personal curiosity, and it is interesting to consider how current data privacy laws address F2D. And with privacy laws being developed or changed in so many parts of the world, it is even more interesting to consider how the next generation of data privacy laws will address F2D. As is well known, the privacy regulation of today is largely focused on data use that falls outside the private sphere; that is, in those countries that do have some form of privacy regulation in place, there is typically some form of exemption for data use in the context of the ‘private affairs’ of individuals. This means that in most countries, while F2D for business purposes may be regulated, personal use would typically be unregulated. Furthermore, even in those countries, such as within the European Union, where commercial use may fall under applicable data protection schemes, it may be possible to circumvent the regulatory impact by placing a simple notice onsite informing potential customers of the use of F2D at that location, and then assuming that their failure to object to the processing should legitimize it. The conclusion is that traditional data protection regulation provides limited comfort for those concerned about the impact of F2D. While there have been some improvements to the rules governing consent in the EU General Data Protection Regulation proposed by the European Commission in January 2012, it seems unlikely that even the world’s most modern and protective legislative initiative will satisfy fully those fearing the privacy impact of F2D.