No facial recognition in supermarkets, says Dutch data watchdog

No facial recognition for supermarkets but yes for nuclear power plants: The Netherlands’ data watchdog has published a guide explaining in which cases facial recognition can be used.

In the document, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), or DPA, lays out the most common legal questions related to facial recognition technology and processing biometric data.

The agency reiterated that introducing facial recognition tech into supermarkets would be a breach of Dutch privacy laws. The issue was raised in 2020 when an unnamed Dutch grocer attempted to introduce biometric surveillance to catch thieves and other people who could pose a threat, only to be prevented by regulators.

According to the legal framework, the supermarket would have to ask all customers for explicit permission to use facial recognition. In practice, however, that is virtually impossible, according to the DPA.

“The deployment of facial recognition is a substantial invasion of the privacy of all visitors and this outweighs the supermarket’s overriding private interests,” the agency notes.

Although the use of facial recognition is prohibited in most cases, the country does leave exceptions. One of them is the use of the technology for authentication or security purposes, such as ensuring the safety of a nuclear power plant or securing hazardous substances. To achieve this, however, a data protection impact assessment would have to prove that using facial recognition is in the public interest.

In the document, the agency defines conditions under which applying facial recognition can be considered “personal” or for “household use,” in which case the General Data Protection Regulation (GDPR) does not apply. One example is unlocking a phone with facial recognition. While the technology is allowed, the biometric data needs to be stored on the phone with the user deciding what happens to the data. Other options for unlocking the phone aside from biometrics must be provided, the agency says.

The DPA also confirmed that a ban on processing special personal data, which includes biometric and genetic data, is still valid in the case that facial recognition is used for confirming someone’s identity.

Article Topics

biometric data  |  biometrics  |  data protection  |  Dutch Data Protection Authority  |  facial recognition  |  Netherlands  |  retail biometrics