Due to the number of frequently asked questions the Dutch Data Protection Authority, Autoriteit Persoonsgegevens (“AP”), has received about the use of facial recognition, the AP has released guidance about the use of facial recognition (available here in Dutch).

 

Facial recognition is prohibited in most cases but there are exceptions. The exceptions include:

Security target: hazardous substances

One exception to facial recognition being prohibited is when it is necessary for authentication or security purposes. The Dutch General Data Protection Regulation Implementing Act (“UAVG”) contains the example that facial recognition may be used for the security of a nuclear power plant.

The guidance issued by the AP now contains the new example of the security of hazardous substances that could be used in the production of bombs. In 2023, the AP approved the code of conduct of port companies handling international shipping. The security of such hazardous substances can occur with facial recognition under strict conditions, such as a Data Protection Impact Assessment (“DPIA”) that was carried out before the use of facial recognition, and which shows that there is a need and significant public interest to do so.

Personal use

The conditions under which facial recognition may be regarded as ‘personal’ or ‘domestic use’ has also been defined by the AP. If it is for personal, domestic use of the household exemption applies, the General Data Protection Regulation (“GDPR”) is not applicable. The guidance contains the example of unlocking a mobile phone with facial recognition. This is allowed, but only if the biometric data is stored on the phone itself and user decides what happens to that data. The user must have the choice to use facial recognition or to unlock with mobile phone a PIN code.

The guidance further confirms that the prohibition of using facial recognition also applies to confirming identity. The uncertainty about whether the processing ban on special categories of personal data applies to facial recognition with the aim of confirming someone’s identity has been removed. The AP has concluded that the processing ban does indeed apply in this case. Therefore, the use of facial recognition to catch thieves and other people in supermarkets in the Netherlands is not permissible.

With the further development and use of AI, we believe that more Data Protection Authorities will follow the AP’s example and publish guidance about the use of AI and facial recognition. Does your organization have any questions about the use of facial recognition or the conducting of a DPIA? Contact us, the Experts in Data Privacy, at info@dpoconsultancy.nl for assistance.