The EU’s Article 29 Data Protection Working Party has released two opinions concerning 1) the European Union’s proposal for a comprehensive reform of the EU’s 1995 Data Protection Directive and 2) the use of facial recognition biometric technology in online and mobile services. In January, the EU announced the data protection reform proposal and earlier this month, the European Data Protection Supervisor released an opinion (pdf) on the data protection reform package.
In a news release (pdf), the Article 29 group says that it “generally welcomes the proposals presented by the European Commission that seek to reinforce the position of data subjects, to enhance the responsibility of controllers and to strengthen the position of supervisory authorities, both nationally and internationally. Subject to further improvement the rules proposed can significantly reduce the existing fragmentation and strengthen data protection across Europe.”
However, the Article 29 group says that there are problems with the data protection reform proposal:
With regard to the Directive regarding data protection rules for police and judicial cooperation in criminal matters specifically, the Working Party regrets the Commission’s level of ambition and underlines the need for stronger provisions. The Working Party is especially concerned that the Directive fails to include important data protection principles such as limiting retention periods, transparency and accuracy of personal data.
The Working Party furthermore addresses the scope of application of the proposed Directive and its consistency with the Regulation, amongst others in relation to data subjects’ rights and data controllers’ obligations. In addition, the Working Party addresses the system of international transfers and the introduction of very broad possibilities to derogate from that system.
The Article 29 Data Protection Working Party also released an opinion concerning facial recognition technology in online and mobile computing services. Here’s an excerpt from the introduction:
There has been a rapid increase in the availability and accuracy of facial recognition technology in recent years. Furthermore this technology has been integrated into online and mobile services for the identification, authentication/verification or categorisation of individuals. The technology, once the subject of science fiction, is now available for use by both public and private organisations. Examples of use in online and mobile services include social networks and smartphone manufacturers. […]
Online services, many owned and operated by private organisations, have built up vast collections of images uploaded by the data subjects themselves. In some cases these images may also be unlawfully obtained by scraping other public sites such as search engine caches. Small mobile devices with high resolution cameras enable users to capture images and link in real-time to online services through always-on data connections. […]
The purpose of this opinion is to consider the legal framework and provide appropriate recommendations applicable to facial recognition technology when used in the context of online and mobile services. This opinion addresses European and national legislative authorities, data controllers and users of such technologies.