The decade gone by has seen a lot of discussions around data privacy and necessitated the
formulation of Global Data Protection Regulation (GDPR) around the world. The debate is set to
become more heated in the coming years. Disruptive technologies such as Machine Learning, Artificial
Intelligence, Big Data, and Cloud Computing are being leveraged to develop numerous use cases for
making life easier.
Facial recognition is one such area that is changing almost every industry. Scientists and engineers
have been working since 1960s to train a computer to recognize faces and make decisions just like
humans would. Now we have the associated technologies that has made facial recognition of practical
In this series, we focus on the positives of the face recognition technology, its use cases across
industries, and the stuff you need to careful about – data protection.
How Does Face Recognition Work?
If you use the face unlock feature of your smartphone, you’re already using facial recognition
technology. Companies like Google are already using facial recognition technology to group all your
Simple as it sounds, there are many complex activities going on in the background that make facial
recognition possible. We break it down into four steps for the sake of simplicity and understanding:
- Capture: Your picture is taken from a video or a photograph. Whether you feature alone in
it or are walking in a crowd, high definition CCTV cameras are smart enough to determine
different faces in a scene and capture them separately.
- Facial Analysis: This is where things get really technical. Different features of your face
– the distance between your eyes, shape of cheekbones, dimensions of forehead, distance
between forehead and chin, distinguishing facial landmarks, etc. are all analyzed and
stored. There are up to 80 nodal points in a human face, that can be combined to identify it
- Face Printing: All the analysis points are converted into mathematical formula by assigning
them numbers. The resultant data is unique to a particular face and is called facial
signature or a face print. This can be thought of as a digital signature or a biometric of
your face. This is stored in a database. American police have about 117 million such faces
already stored in their databases, which comes handy during investigations.
- Matching: Now that the faces have been codified and millions of face prints are stored in
inter-connected databases, it becomes easy to match a new face against these. The subject’s
face has to be digitized, its face print generated and matched against millions of records
sitting in the databases. The FBI has ready access to over 641 million digitized faces!
Given the advancements in mobile devices and high-speed wireless connectivity, this entire process
is often completed within seconds. As technology is becoming more reliable and affordable, facial
recognition is getting plenty of traction across industries – more on that later.
What’s the catch with Facial Recognition Technology?
The biggest concern with facial recognition is that your facial data is often being captured without
your permission. Our cities are full of Close-Circuit Television (CCTV) cameras – parks, shopping
malls, highway toll plazas, airports, residential societies, streets – they are everywhere! As we
now know, all it takes is a single image or a video footage to extract facial data, process it and
store it in the form of a unique faceprint. It can be used for malicious reasons such as gaining
unauthorized access to systems, wrongfully authorizing financial transactions and much more.
Sometimes, you yourself share your facial signature without realizing it. Think of the countless
selfies and other photographs you’ve uploaded on social media websites – are you really sure their
use is restricted to the intended purpose? Facebook has already been ordered by German and Irish
data regulators to delete all the facial recognition user data it had gathered for suggesting tags,
as users were not giving their consent.
How can Facial Recognition Technology (FRT) and GDPR go together?
GDPR defines biometric data as:
[Biometric data] means personal data resulting from specific technical processing relating to the
physical, physiological or behavioural characteristics of a natural person, which allow or confirm
the unique identification of that natural person, such as facial images or dactyloscopic data.
Facial data clearly falls under this.
Given the manifold benefits of FRT, it would be unwise to ignore it because of privacy concerns.
Instead, you can have the best of both worlds – use cutting edge Facial Recognition Technology while
being on the right side of the law. Despite its limitations, GDPR has provisioned clauses under
which FRT (and any other technology that uses biometrics) can be used after taking user consent.
These are the use cases where FRT can be applied fairly easily:
- Employment or social security related verification
- Protect an individual’s interests at a time when he/she is incapable of giving consent
- Covering legal issues
- Public health emergency
- Include FRT specific Data Protection Impact Assessment (DPIA) policy
- Anonymize/pseudonymize the data so it becomes impossible to associate with a person for
We will explore FRT’s legal and implementation aspects further in the next articles of this series.