Facial recognition, artificial intelligence and ethics: the debate is gaining momentum

Legal Watch – October 2019.

Paying with your face instead of a credit card, using Amazon cameras to fight crime, as the Orlando police in the United States did, managing the movements of athletes and journalists at the Tokyo Olympic Games using facial recognition, or closer to home, testing facial recognition on public roads, as in Nice, are all projects that leave you dreaming... or insomniacs.

Whether in Europe or more broadly in the world, the perspectives revealed by developments in artificial intelligence combined in particular with facial recognition, the processing of voice prints or the recognition of emotions, are provoking more and more reactions.

Ethical issues, in particular, are now at the top of the priorities of the new President of the European Commission, Ursula Von der Leyen.

She announced that she intends to present a legislative proposal within the first 100 days of her mandate with a view to a coordinated European approach to the human and ethical implications of artificial intelligence.

It will also examine ways to foster innovation using big data.

A group of experts set up by the European Commission has, with a view to respecting human rights, laid the foundations for "trustworthy" artificial intelligence.

In its publication of guidelines in April 2019, it identified three characteristics: AI must be

1. Lawful, ensuring compliance with applicable laws and regulations;
2. Ethics, by ensuring adherence to ethical principles and values; and
3. Robust, “both technically and socially because, even with good intentions, AI systems can cause unintended harm.”

Ethics, in relation to artificial intelligence, was already the theme of the last international conference of Data Protection Commissioners and gave rise to a public declaration.

This mentions the advantages but also the risks linked to these new technologies, and in particular the prejudices and discrimination which can result from them.

It recalls several essential principles aimed at guaranteeing individual trust while promoting innovation, including the principle of loyalty and the transparency of artificial intelligence systems.

Finally, it advocates for common principles of governance at the international level.

It is also worth noting that on 11 September, the Council of Europe created an ad hoc committee responsible for analysing the conditions for a legal framework for the development, design and application of artificial intelligence.

Finally, the European Union Agency for Fundamental Rights addressed the issue of facial recognition during a seminar on 19 and 20 September, with the aim of publishing a document on the subject in November 2019.

And today?

While clarification of the ethical aspects is of course desirable, from a strictly legal point of view the GDPR fully applies to facial or voice recognition systems, which constitute processing of biometric data.

These data are therefore protected more strictly and in principle require the consent of the data subjects. Given the sensitivity of the processing, an impact assessment must also be carried out. Particular attention should be paid, in this context, to the aspects mentioned above and in particular to the risks of discrimination, the reasonable expectations of the data subjects and the transparency of the processing.

And also:

• In France :

October is Cybersecurity Month.

Around thirty partners, including ANSSI and CNIL, are committed to raising awareness among professionals and individuals about security and digital issues.

Since September 26, two certification bodies have been approved by the CNIL.

• In Europe:

Right to be forgotten and validity of online consent: Three important rulings from the Court of Justice of the European Union clarify the legal framework.

In the “Planet49” judgment of October 1, 2019, the Court specifies that, to legally collect information based on cookies, a pre-ticked box is not enough: the placement of cookies requires the active and specific consent of Internet users.

The Internet user must also be informed of the duration of the cookies' operation and whether or not third parties can access them.

This judgment supports recent communications from supervisory authorities on the conditions of use of cookies, including that of the CNIL.

In the “Google” ruling of September 24, the Court clarifies that the right to be forgotten does not apply systematically to search engines outside the European Union.

In the EU, it applies, for example, to google.fr and other European extensions. However, it is also up to the search engine to implement measures to discourage Internet users from accessing the links in question on non-EU versions of that search engine from one of the Member States.

The end of the judgment is important because the Court enshrines the discretionary power of supervisory authorities: while it is not obligatory to dereference a link outside the EU, the authority retains the power to order the search engine to dereference it overall, after balancing the rights of the person concerned and freedom of information.

It is this same balancing act which is at the heart of the second judgment of the September 24 : the Court confirms in the judgment GC ea v/ CNIL that the principle prohibition on processing sensitive data also applies to search engines, but an analysis must be carried out on a case-by-case basis between the fundamental rights of the person requesting de-referencing and those of Internet users potentially interested in this information.

If the search engine does not remove the referencing, the Court imposes at least for judicial data an obligation to present the results in an order highlighting the current information.