Thus far, there has been a diversity of approaches to regulating facial recognition technologies (FRTs) worldwide. For example, in such jurisdictions as the US and the EU, the regulation of FRTs has been pursued primarily through legislative instruments. Meanwhile, in countries like the UK and China judicial intervention has been the principal means of regulating or, at least, attempting to regulate the deployment of FRTs. What follows is a snapshot of the varied regulatory approaches to FRT deployment:

The US

Across the USA, the deployment of FRTs has been banned in 16 cities. Between 2019 and 2020 various Bills were introduced, but never passed, including the Commercial Facial Recognition Privacy Act; the Ethical Use of Facial Recognition Act; and the Facial Recognition, and the Biometric Technology Act. Since October 2021, there has been mounting pressure on Congress to implement legislation. To date, Congress has taken no action.

In the absence of such a “patchwork” of legislation has been leveraged to regulate the deployment of FRTs. The Biometric Information Privacy Act (BIPA) is one such example. It requires that private entities notify seeking to use consumers’ biometric information first inform them that their data has been collected. Additionally, it prohibits the disclosure of collected biometric data in the absence of consent. Companies are also prohibited from selling or otherwise profiting from the sale of consumers’ biometric data, and consumers have a right of action against non-compliant companies.

Another example is the “biometric identifier information” law that was passed in New York. That law effectively requires businesses to disclose their FRT use to customers with “clear and conspicuous” signage, “prohibits the sale of biometric identifier information”, and grants consumers a private right of action in respect of its disclosure requirement.

The final example is the California Consumer Privacy Act (CCPA). Under the CCPA, personal information includes biometric data and, quite significantly in the context of the present discussion, it guarantees consumers a bundle of rights concerning the processing of biometric data. In particular, it empowers consumers to request access to their data, opt out of the sale of their data, and also request that their data be deleted. The CCPA applies specifically to businesses with annual revenues of over $25 million, receive the personal information of 50,000 or more consumers annually, or collect more than 137 people’s personal information daily. Accordingly, such businesses must inform consumers if they are collecting biometric information and provide them with that information where they request access. In addition, businesses selling biometric data must provide a mechanism for consumers to opt out of the sale of their personal information.

The EU

Except for Belgium and Luxembourg, where the deployment of FRTs is banned, remote biometric identification systems, including facial recognition, in publicly accessible spaces are prevalent. In those EU member states where FRTs are utilised, legislative instruments are the primary means of regulating them. The General Data Protection Regulation (GDPR) offers opportunities, albeit limited, for the regulation of FRTs through Article 9(1), which imposes a general prohibition against the processing of personal data that “reveals biometric data for the purpose of uniquely identifying a natural person”. However, an exception to the operation of that provision is outlined in Article 9(2), which excludes the operation of Article 9(1), where “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law”. It is therefore conceivable that this exception would be invoked as a justificatory basis for processing biometric data using FRTs.

While it is yet to be passed, the Artificial Intelligence Act (AIA) proposes to regulate the utilisation of FRTs. Article 5(1)(d) effectively prohibits the use of “real-time” biometric identification systems in publicly accessible spaces for law enforcement purposes. However, the AIA has been criticised on several grounds. One such ground is that it provides too many exceptions that can be used as loopholes, thereby undermining its efficacy.

More recently, the European Data Protection Supervisor (EDPS) issued a statement calling for “a moratorium on the use of remote biometric identification systems in publicly accessible spaces”. He stated further that the EDPS “will continue to advocate for stricter approach to automated recognition in public spaces of human features, such as of faces but also of gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals, whether these are used in a commercial or administrative context, or for law enforcement purposes”.

The UK

Here, regulation of FRTs has mainly been pursued through judicial intervention. Over two years ago the Court of Appeal of England and Wales considered the legality of FRT deployment in Edward Bridges v The Chief Constable of South Wales Police and others [2020] EWHC Civ 1058. The court determined that the use of automated face recognition by law enforcement breached “data protection laws, privacy laws, and equality laws”, including the European Convention on Human Rights (ECHR). The court noted, inter alia, that the existence of “fundamental deficiencies” in the legal framework supporting the police’s use of FRTs caused breaches of certain fundamental rights. It also noted, too much “discretion is currently left to individual police officers…” In consequence of this decision, law enforcement in England and Wales is restrained from using automated face recognition until a superior court overturns it.

China

Much like the UK, the regulation of FRTs in China has primarily been pursued through judicial intervention. China’s Supreme People’s Court published the ‘Provisions on relevant issues on the application of laws in hearing civil cases related to the application of facial recognition technology in processing personal information’ on July 27, 2021. Those regulations empower consumers to reject the use of FRTs to verify their identity to gain access to a building or service and mandate the provision of reasonable alternatives. The regulations also require businesses to seek and receive “explicit and independent” consent from customers to collect their biometric data for processing by FRTs. Once they consent, a “purpose limitation” requirement will apply, and entities utilising FRTs must implement effective data protection measures.

Regulating FRTs in the J’can context

In May, The Gleaner reported that the regulations required to operationalise the Data Protection Act (DPA) would be finalised by September. Once finalised, they could be leveraged to regulate the FRTs reportedly being deployed locally. Guidance as to the most suitable means to achieve this ambitious but necessary objective can be gleaned from cross-jurisdictional approaches to regulating FRTs. However, at a minimum, any mechanism established to regulate FRTs should impose certain transparency and accountability requirements. To this end, the following minimum requirements should guide the operations of those actors reportedly deploying FRTs (including surveillance cameras equipped with facial recognition software) locally:

1) notice requirements and, equally, whether consent to the collection of biometric data is a prerequisite for entry into the establishment;

2) clear and informed consent should be sought and obtained before biometric data is collected, stored and ultimately processed by FRTs — reliance on bundled consent should be prohibited, and an appropriate opt-out mechanism should be provided to data subjects;

3) data subjects should know the specific purpose(s) for which data will be used;

4) data protection safeguards should be implemented and continuously strengthened;

5) prohibit the sale of biometric data

While the general utility of FRTs is acknowledged, their deployment, particularly in the absence of robust regulatory oversight, must be balanced against the imperative of safeguarding fundamental rights, particularly those to data protection and privacy. In light of this, the reported deployment of FRTs by law enforcement and other private actors in Jamaica warrants careful consideration and targeted action by the relevant stakeholders to establish an appropriate regulatory regime.

Part 1 of this piece was published on August 7, 2022.

Amanda Quest is an attorney-at-law. Send comments to the Jamaica Observer or amandajdquest@gmail.com.