Face tracking and recognition under GDPR: Staying compliant when using visage|SDK

• 27 Aug, 2024
• by Marko Đuričić

As society increasingly relies on face tracking and recognition technology for various applications, including access control and personalized services, we face the need to strike a harmonious balance between technological innovation and ensuring the protection of the right to privacy and personal data.

This is especially important regarding computer vision, where the software products function by processing facial images, biometric data, and other personal data. As software like visage|SDK can involve the processing of personal data, their use must align with the GDPR’s robust privacy standards.

In this article, we will explain the most important GDPR-related implications of using visage|SDK and give directions on how to use our face tracking, analysis, and recognition software in accordance with the privacy regulations.

Face tracking vs. face recognition

Before we explain the legal and GDPR implications of the visage|SDK, we must first explain the technical context to which the law is applied.

First of all, generally speaking, visage|SDK is computer vision software. That is, it’s a software that enables computers to interpret visual information from the outside world.

Furthermore, visage|SDK consist of three specialized packages, i.e. modules. These include FaceTrack, FaceAnalysis, and FaceRecognition, and allow you to track, analyze, and recognize human faces in real time, respectively. Now let’s see in a bit more detail what these modules entail.

• Face tracking software detects certain facial features and infers certain outputs related to the tracked face. These include the 3D model of the face, 2D and 3D head pose, gaze direction, facial features coordinates, action units describing the current facial expressions, and more.

• Face analysis estimates the age, gender, and emotions of the detected face(s).

• Face recognition software processes personal data such as face images to create a “biometric template”. A biometric template is a numerical representation of unique facial characteristics from personal data. Then, the template is either compared to another template to verify that a person is who they claim to be (1-1 verification), or is compared with many templates of other persons with the purpose of selecting the best possible match(es) (1-many identification).

All modules of visage|SDK involve the processing of personal data. However, in certain cases, visage|SDK application may include the processing of biometric data, which has a special legal regime.

Face recognition ethics: What is GDPR?

To start from the beginning, GDPR stands for “General Data Protection Regulation”. It is a set of rules that the European Union (EU) introduced in 2018. The main goal of GDPR is to give people more control over their personal data.

So, if you offer products and services that require processing of personal data, you need to at least:

• make sure you have a valid legal ground for processing of personal data,
• make sure you process biometric data based on explicit consent for such processing, unless you fulfill some other legal ground from GDPR’s Article 9 (processing of special categories of personal data),
• provide users with transparent and GDPR-required information on how the data is processed,
• process personal data only for specific and specified purposes, 
• be able to exercise the data subject’s rights to access their personal data, their rectification, to be forgotten, to restrict processing, to data portability, and to object to certain aspects of data processing.
• keep the data safe.

These rules apply to any company that processes data from EU citizens, even if the company isn’t in the EU.

Personal vs. non-personal data

Understanding the difference between personal and non-personal data is important for the simplest of reasons: 

• if the data is personal – GDPR is applicable, 
• if the data is non-personal a.k.a. “anonymous” – GDPR is not applicable.

The line between personal and anonymous is often thin and we must interpret it with caution. In a nutshell:

• Personal data. If we can link certain data (read: any data including biometric templates) to a particular person e.g. in combination with other data – it is personal.
• Anonymous data. If there’s no reasonable way to link certain data to an individual person – it is anonymous.

What is “biometric data”?

To understand the biometric data, let’s start with a basic example – facial image/photo.

Whether a photo (or any other data that has the potential to be biometric) constitutes biometric data or not depends on whether it is processed as biometric data (or not). Sounds strange? We will explain this in two simple examples.

• Example one. Photos are stored on a local server and used to provide certain services to clients (e.g. a photographer). However, the identity of the people in those photos is unknown, as are the photos used for the identification of those people.
• Example two. Photos are used to create a dataset that will be used for the identification of the persons in the photos. The software processes facial images of persons and transforms the image into a digital representation of the face that is unique to that face (biometric template). It then compares this template to other templates in the dataset to identify the person.

See the difference? Now let’s see what the law says. 

GDPR defines biometric data as “personal data resulting from specific technical processing (…) which allow or confirm the unique identification of that natural person”. If you’ve read the definition carefully, you’ve noticed two basic elements. These are (i) data that results from specific technical processing, and (ii) that allows or confirms the unique identification:

• In Example one, those two elements are not met because the photos are not subject to specific processing other than storage (and likely some editing) and are not used for identification. This is still personal data processing (because persons can be identified) but is not biometric data processing.
• In Example two, the photos are subject to a specific type of photo processing (collection-transformation-comparison) used to identify or verify a person. This is clearly a biometric data processing.

In conclusion, it’s how you use visage|SDK and whether you aim to determine a person’s identity that makes the difference.

GDPR’s regime of “biometric data”

GDPR places biometric data in its Article 9 – special categories of personal data (“SCD”). 

So, first and foremost, the processing of SCD is prohibited.

However, one can process SCD, subject to a more strict safety and security regime, only if the data subject gave explicit consent or if one meets other legal grounds from Article 9. For example, for a substantial public interest, when processing is necessary to carry out the obligations and exercise specific rights, when the data subject makes personal data manifestly public, etc.).

To ensure your purpose of processing biometric data is compliant with Article 9, we suggest advising with your legal/GDPR counsel.

GDPR compliance & visage|SDK through the eyes of our clients

To give you a clearer view of how visage|SDK is GDPR compliant, and how your product can be GDPR compliant when you use visage|SDK, we’ll present the answers to the most common questions in the following section.

➥ Face recognition ethics: FAQ

✧ How is FaceTrack GDPR compliant?

When you install the FaceTrack module of the visage|SDK, we don’t have access to the data you process. We simply provide the software library that processes images. Whether images are stored depends on how the users of the visage|SDK (software developers) implement the library in their application.

FaceTrack itself doesn’t store any images or data. It does not perform any analytics, collect data anonymously, or transmit data to any third parties. Therefore, FaceTrack is inherently GDPR-compliant. Compliance or non-compliance is determined by how the software is used after installation.

On the other hand, if our cooperation involves any data processing from our side, the scope of this cooperation would be strictly regulated by a Data Processing Agreement in accordance with GDPR requirements.

✧ Does FaceTrack use biometrics?

No.

FaceTrack processes images with human faces without storing them or sending them to the server. It does not extract, compute, or analyze any descriptors that could be used for identification purposes. So, the answer is that FaceTrack does not use biometrics. However, it works with images that contain human faces and processes them to locate and track relevant facial landmarks.

✧ If it does not use biometrics, how does the technology locate the user’s eyes?

The algorithm for locating the user’s eyes is based on the face alignment algorithm that detects 2D landmark locations that outline prominent facial features such as eyes, nose, mouth, etc. It uses the output of the face detection algorithm in the form of 2D face position and size. We use machine learning to create a model that can produce the 2D landmark locations from the image crop containing a face.

The process for estimating iris diameter uses the result from the face alignment algorithm to create a cropped image of the eye area. This image is then fed into a Convolutional Neural Network (CNN) model that’s been trained to estimate the iris diameter. The CNN model is trained on a large set of images that have been manually labeled.

✧ Is the users’ facial tracking information stored on any servers during or after the session?

No, visage|SDK neither stores nor sends facial tracking information to any server.

✧ What’s the relationship between FaceRecognition and GDPR? Can we consider face identifiers to be personal data?

When you install the FaceRecognition module of visage|SDK, we don’t have any access to the data you process. FaceRecognition doesn’t store any kind of images or data, nor does it perform any analytics or other behind-the-scenes processing.

Therefore, FaceRecognition is inherently GDPR-compliant. Compliance or non-compliance depends on how you use it after installation.

Regarding the biometric templates that FaceRecognition makes, note that one can use such biometric templates to identify a natural person either for 1-1 verification or for 1-N identification. Such data, therefore, constitutes biometric personal data. 

When you use FaceRecognition, you must ensure that your use is in accordance with the GDPR. We suggest you start with Article 9 to determine whether you have a legal ground for such use. Then advise your legal/GDPR counsel on how to proceed with implementing safety and technical measures and other compliance requests.

If our cooperation regarding FaceRecognition would involve some input from our side that includes data processing of any kind, such scope of cooperation would be regulated in detail by a Data Processing Agreement in line with the GDPR.