What’s going on?
This month Big Brother Watch and the data rights firm AWO filed a complaint to the Information Commissioner’s Office (ICO) regarding Southern Co-Op’s use of biometric scanning in several of their stores. This system has been implemented in 35 of Southern Co-Op’s 200+ stores, and is used (according to the Co-Op) to protect customers and colleagues in stores where there has been regular crime. Both Big Brother Watch and AWO have raised significant concerns regarding the application of the system, which is sold by the firm Facewatch.
The system appears to collect facial recognition data from visitors to Co-Op stores in which the system has been installed and will create an alert if certain shoppers enter their stores. The complaint asserts that this system therefore allows the Co-Op to effectively blacklist shoppers, and that the individual is informed that their details will be kept for up to two years.
Silkie Carlo, Director of Big Brother Watch, has asserted that this amounts to ‘dangerously intrusive, privatised spying’ and described the system as ‘Orwellian in the extreme’.
Why the ICO will care
It is important to note that the processing of biometric data is different to processing of standard sets of personal data, such as name or email address.
Firstly, the GDPR classifies biometric data as ‘special category data’. This is a subset of standard personal data that is deemed to be of greater risk and sensitivity than standard personal data. This extra sensitivity requires further protections and actions on the part of the data controller. For example, alongside identifying a legal basis for processing, special category data requires a further basis identified in Article 9 of the GDPR.
Moreover, any biometric profiling is likely to be deemed a high-risk data process under the GDPR. This would require the completion of a Data Protection Impact Assessment (DPIA) or an Appropriate Policy Document (APD) before any of this data is processed. This is done to identify and mitigate any risks that this processing may pose to the data subject. If this risk cannot be mitigated, then the ICO must be consulted and the processing may be banned. It is unclear if Southern Co-Op consulted with the ICO before the implementation of these systems.
Whilst the exact legal justifications for this processing have not been released by Southern Co-Op, their statement in response provides some indications. The Co-Op assert that ‘the safety of [their] colleagues and customers is paramount and this technology has made a significant difference to this’ and that ‘as long as it continues to prevent violent attacks, then [they] believe its use is justified.’
In this way it would appear that Southern Co-Op are using either ‘Health, Safety, and welfare of employees’ or ‘substantial public interest’ as their Article 9 justification.
What might happen?
Should the complaint be successful, the Southern Co-Op will likely not be able to continue using these systems and will be forced to remove the biometric scanners. They may also face fines for GDPR non-compliance, which can reach a maximum of £17.5 million or up to 4% of annual revenue.
Should the ICO decide that no wrongdoing has taken place, however, it is likely that we may see the wider introduction of these systems across other stores and businesses. If their use does proliferate, it is also likely that further implementation of these systems may not be done up to standard. This would result in ordinary shoppers unknowingly having their sensitive personal data collected illegally. This is, of course, a significant risk to the average shopper’s privacy.
Big Brother Watch and AWO have both advocated for a boycott of the Southern Co-Op until the systems are removed. Southern Co-Op have said that they would welcome ‘constructive feedback’ from the Information Commissioner.
Lessons to be learnt
Whatever the outcome of the complaint, the precedent it sets will have significant effects for the use of biometric collection systems. Indeed, the collection and use of biometric data is still an emerging field in data privacy. Facial recognition technology has been implemented in workplaces, schools and public spaces in the past few years, and the collection of this data is becoming increasingly commonplace.
The effects of biometric data are still being learnt and several legal cases regarding negative consequences of their use by private companies are ongoing. In one example, an Uber Eats employee has contested his release from the business, alleging that the biometric scanner used to recognise workers racially discriminates by regularly failing to recognise workers from certain ethnicities.
Any business that wishes to process, or is already processing, biometric data must be aware of the increased risk that this poses to both themselves and their data subjects. They must also be aware of the various legal obligations that they must fulfil to justify this processing and ensure that the appropriate documentation has been completed.