Supermarkets don't have facial recognition, but nuclear power plants do. The Dutch data watchdog has published a guide explaining when facial recognition can be used.
In this document, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (DPA) lists the most common legal questions related to facial recognition technology and the processing of biometric data.
The agency reiterated that introducing facial recognition technology into supermarkets violates Dutch privacy law. The issue was raised in 2020 when an anonymous Dutch grocery store tried to introduce biometric surveillance to catch thieves and potential threats, but was blocked by regulators.
According to the legal framework, supermarkets must ask all customers for explicit permission to use facial recognition. However, according to the DPA, this is virtually impossible in practice.
“The introduction of facial recognition is a substantial violation of the privacy of all visitors, which outweighs the supermarket's overriding private interests,” the agency said.
Although the use of facial recognition is banned in most cases, this country leaves an exception. One such use is for authentication and security purposes, such as ensuring the safety of nuclear power plants and securing hazardous materials. However, to achieve this, a data protection impact assessment will need to demonstrate that the use of facial recognition is in the public interest.
In the document, the agency defines the conditions under which facial recognition applications are considered “personal” or “household”, in which case the General Data Protection Regulation (GDPR) does not apply. One example is unlocking your phone with facial recognition. This technology is allowed, but biometric data is stored on the phone and users must decide what happens to that data. The agency said other options for unlocking phones besides biometrics should also be provided.
The DPA also confirmed that the prohibition on the processing of special personal data, including biometric and genetic data, will remain in place when facial recognition is used to verify identity.
Article topics
Biometric Data | Biometric Identification | Data Protection | Dutch Data Protection Authority | Facial Recognition | Netherlands | Retail Biometrics