Privacy regulators weigh in as retailers turn to FRT to fight shoplifting

The UK is seeing mixed messages when it comes to retailers’ use of facial recognition to prevent crime. The country is just one among many trying to solve the dilemma between keeping retail stores secure and safeguarding the privacy of shoppers.

On Tuesday, the UK Information Commissioner’s Office (ICO) told media that retailers have a legitimate interest in deploying facial recognition to prevent crimes such as shoplifting. The local data protection law “both recognizes and allows businesses to benefit from this technology.”

“All organizations should carefully consider the use of facial-recognition technology on their premises, satisfying themselves that they have a legitimate interest to deploy the technology and all necessary safety checks are in place before use,” a spokesperson for the privacy watchdog told Mlex.

The statement came after supermarket brand Asda joined the list of retailers embracing the technology last week.

The ICO, however, has previously sent different messages. The agency’s Director of Technology and Innovation Stephen Almond warned businesses last month they should be aware of proportionality, accuracy and bias issues related to new facial recognition products.

“I really recommend for those of you who are looking at uses of biometric technologies, which are often presented as this great time-saving mechanism at work, to actually pause and just think,” says Almond.

Retailers vs regulators: AU, NZ, CA

Retailers are witnessing similar balancing acts in other parts of the world, including Australia, New Zealand and Canada.

In Australia, a case connected to retail chain Bunnings may have significant implications for future regulation.

The Office of the Australian Information Commissioner (OAIC) has found that Bunnings contravened the Privacy Act by collecting individuals’ sensitive information through its facial recognition system. The retailer, however, has announced that it will fight the agency’s determination before the Administrative Review Tribunal. The case will be heard in October.

Meanwhile, the OAIC is shifting to a more “harm-focused” approach. Last year in December, it published guidelines on assessing the privacy risks of facial recognition in commercial settings.

New Zealand, on the other hand, has reportedly been reviewing its privacy laws to identify legal barriers to retailers’ use of facial recognition. Critics such as rights group Privacy Foundation have suggested the government could be using the review to stall the introduction of the Privacy Code of Practice for Biometrics which will also regulate facial recognition applications.

The code has become central to debates between the Privacy Commissioner’s Office and privacy groups on one side and retailers and business groups on the other. Privacy advocates, for instance, have been casting doubts on the results of facial recognition trials conducted by supermarket chain Foodstuff.

Another discussion on privacy is happening in the Canadian province of Québec, where the Commission d’accès à l’information du Québec (CAI) banned major Canadian grocery and pharmacy retailer Metro from deploying its facial recognition pilot in February.

The agency argues that Metro’s pilot would go against the Québec IT Act, which requires express consent before biometric data is used for identification. Metro’s proposed biometric database would constitute a significant “invasion of privacy,” CIA argues according to an analysis by law firm Osler.

The Biometrics Institute offers a Good Practice Framework which serves as a risk management tool for the public and private sector organizations. The group advocates for open and honest communication on facial recognition deployments, ethical principles, addressing the potential for bias and discrimination as well as robust data protection, oversight and accountability.

Article Topics

Commission d’accès à l’information du Québec (CAI)  |  facial recognition  |  Information Commissioner’s Office (ICO)  |  New Zealand Privacy Commissioner  |  Office of the Information Commissioner (OAIC)  |  retail biometrics