The True Risks of Using Facial Recognition for Events

Skift Take

Why taking a privacy-first approach to using facial recognition for event check-in can keep event organizers safe from hefty GDPR fines.

Events have made use of facial recognition technology for more than five years. Despite offering several advantages, it has not become standard practice. Cost is partially to blame, but concerns about data privacy may be the biggest resistance to this technology, and there may be a good reason for that.

The EU general data protection regulation (GDPR) entered into application five years ago and forever changed how event organizers manage data. Now the EU is working on AI regulation which may also change how the latest technologies can be used. The new proposed regulation puts real-time and remote biometric identification systems, such as facial recognition, in a category of unacceptable risk to citizens that will be banned.

First Major GDPR Event Fine

In May came the first significant event-related GDPR fine. A breach of GDPR at MWC Barcelona 2021 cost show organizers $219,000 (€200,000). The Spanish data protection authority (DPA) fined the leading show in the mobile industry, managed by UK-based GSMA, in what constitutes the first major fine to impact a business event.

The CMS.Law GDPR Enforcement Tracker website lists the case as Non-compliance with general data processing principle. According to the website, almost 2,000 GDPR fines have been awarded. The total amount fined now exceeds $4 billion, with Irish data regulators issuing the largest fine to Meta for over $1.3 billion (€1.2 billion) in May. 

Most fines are linked to online tracking and have gone to tech giants Amazon, Meta and Google. Five of the six largest fines were imposed by Ireland, where many tech giants have their Europan headquarters there. Meanwhile, Spain takes credit for the most fines, having awarded 676 to date. Italy is second with less than half (273).

Behind the Breach

In a somewhat cruel twist of fate, the GDPR breach resulting in the fine resulted from a formal complaint lodged by a speaker who specialized in data privacy and digital wellbeing. Dr Anastasia Dedyukhina, founder of Consciously Digital and author of ‘Homo Distractus: Fight for your Choices and Identity in the Digital Age’, detailed what led her to make the complaint in a LinkedIn post.

Invited as a speaker, she asked to verify her identity by uploading her passport online. She refused because she could not see a good reason for doing so. According to Dedyukhina, the organizers did not accept any other method of identity verification, although the website stated that identity verification could be done manually on-site. As organizers insisted on receiving the biometric (passport) information online, the speaker had no choice but to participate virtually instead. 

Potential Implications 

The 2021 edition of MWC Barcelona took place under heavy Covid-related restrictions. It now appears that access to the event and identity verification was not carried out in a GDPR-compliant way. Forcing a speaker, and presumably almost 20,000 other participants, to upload sensitive private information (passport scans) was unlawful. 

The main issue with this situation is the concept of forced consent, one of the main reasons behind the fine. There were also concerns about where the data was transmitted and how it was used. For the facial recognition system, GSMA partners with a company called ScanVis. ScanVis is a subsidiary of Comba, a Chinese telecom company specializing in installing mobile networks at venues and for events. It is headquartered in Guangzhou and listed on the Hong Kong stock exchange. 

Despite the fine, ScanVis continues promoting this use of facial recognition as a case study on its website. GSMA has only issued a short statement clarifying that the Spanish DPA’s resolution is not regarding a data breach. It clarifies that the focus is on the data protection impact assessment for using facial recognition technology at MWC 2021. “The GSMA takes data protection extremely seriously and has a robust compliance programme in place to address its data protection obligations. The GSMA continuingly reviews and updates its approach to data protection, employing innovative technology to deliver a safe attendee experience,” it said.

“Maybe it’s the question of just one person very quietly and politely asking an ‘inappropriate’ question “why do you need my data?” – and then repeating it again and again, to start shifting things,” said Dedyukhina.

Impact on Event Suppliers

Badging specialist Fielddrive, recently acquired by Hubilo, has promoted facial recognition event check-in systems for the past six years. The company’s CEO, Danny Stevens, admitted that this case is making it much harder to implement these systems. “Showing the value for the marketing team and the organizing team is easy. The true fight happens with compliance and legal,” he said. “The whole case is overshadowing facial recognition as a whole.”

The way MWC Barcelona 2021 used facial recognition baffles Stevens. He can see no need to combine sensitive personal data, such as passport scans, to enable facial recognition for event check-in and access. “[The Fielddrive system] is not an identity verification. We do not store any biometrics data together with identity data or even customer data, that falls into a totally different category in terms of privacy,” said Stevens.

The system verifies that the person walking up to the camera at check-in is the same person in a photo uploaded onto the system at registration. To do this, the system creates a biometric profile based on a photo uploaded at registration. The system only stores a biometric profile linked to a customer ID, as the photo is instantly deleted. “There’s no link between the personal data and the biometric profile, and that’s key in order to be compliant with GDPR,” said Stevens.

Fielddrive is now working on an ISO certification intended to help clear the path and simplify compliance checks for any company interested in implementing facial recognition. The company uses technology created by Zenus, installed locally on its own servers. Stevens advises organizers to “be clear about where the data is stored, how the process is working, [ensure] that there is no storage of biometrics data together with the identity data and that the consent is not forced.”

Privacy Must Come First

“Facial recognition is neither good nor bad; it comes down to using it with the right safeguards in place,” said Zenus CEO Panos Moutafis. Despite powering the fielddrive system, AI pioneer Zenus has shifted its approach from facial recognition and to facial analysis. 

Moutafis has been vocal about organizers taking a privacy-first approach to any technology. “Event organizers could mitigate similar situations using technology partners with a privacy-first mindset. Deeper education and better processes on data privacy would also go a long way,” he said.

GDPR only applies to EU citizens, regardless of where they are in the world. However, stronger privacy laws are coming into play in the U.S.  Indiana is now the seventh state in the US to enact a comprehensive data privacy law. ”It is more important than ever to work with privacy-first technologies, and this extends beyond biometrics,” said Moutafis.

Photo credit: AI generated image / Midjourney