Facial Recognition, RTB And Google -- Where Will GDPR Finally Bite?

A year on, and as far as processing data goes, GDPR has not hit the headlines. Sure, there have been fines for BA and Marriott, but these were for cybersecurity incidents.

As far as the processing data part of the Regulation, which directly address marketers' and advertisers' use of data, the news has been a lot quieter. However, there are three ones to watch here, in my opinion. The latest was signalled yesterday by a statement from Information Commissioner, Elizabeth Denham regarding the use of facial recognition at King's Cross station.

One can imagine why the authorities want to keep a tab on such an important transport hub in the capital. It turns out, however, that several museums and shopping centres across the UK have been using facial-recognition technology and police forces have run limited trials. These first uses of the tech had already worried the ICO enough to launch a formal enquiry at the end of last year, the results of which are still awaited. 

This week, the ante was upped when it emerged that Kings Cross was using the technology, getting London commuters and privacy campaigners rather hot under the collar. Elizabeth Denham's statements shows she believes the public has every right to be worried over having their facial feature caught by CCTV and sent off for processing. 

To be devil's advocate for a moment, I would also suggest the same public would be up in arms if a terrorist incident occurred and it was later found that a known suspect had been checking out the station but went undetected.

The crucial part here is that as far as GDPR goes, we have biometric data as a special form of personally identifiable data for which any processing activity requires explicit consent. 

However, I reckon that in the current climate, GDPR will not cause anyone to face a massive fine here.

I suspect the equipment providers will say that only a biometric scan of a face, which results in a digital code, is sent for processing. It, in itself, does not constitute personal information because it cannot be used to identify that person -- merely to check a digital signature for their features against a watch list. Those people on a watch list will have no recourse to the law as GDPR allows for "public task" processing. 

This brings us to the two other potentially massive investigations underway at the ICO. The watchdog has already taken a look at digital advertising and appears to have scratched its head and gone back to the industry to tell it to show it is GDPR-compliant, particularly around RTB. The deadline is by the end of the year.

It is now up to digital advertising to show that it doesn't process personal information without consent when it tells exchanges what the person looking at a website is likely to be interested in, so they can decide how much to bid to be seen.

it's really hard to know what the result will be. If we're just talking about tracking cookies on a computer, I'd suspect the industry does not have a case to answer. However, if Google is recognising people through them being logged in and is then associating data with that personal profile as they surf the net, then I'd suggest the industry is in for a shock.

It's not enough to hide what you're doing in a long legal bunch of gobbledygook. Clear consent is needed for use of data like this, and while many people have probably hit an "ok" button at some time, Google will find it hard to prove that any consent it claims to have is either informed or granular and noted by a specific action by the end user.

This brings us neatly on to the highly related ICO investigation into Google that has gone quiet after it was announced six months ago.

Whether it's through a specific investigation or through the wider digital advertising probe, I suspect that the ICO will be minded to follow in the footsteps of its French counterpart, CNIL, which fined Google 50m Euros. It was found guilty of a lack of transparency over how it personalises ads and how, or even if, it gains permission to do so. 

In a week, then, that the UK public has gotten hot under the collar about facial recognition, I'd suggest this is a side story.

If you want to know where GDPR is going to bite, look no further than Google -- which can expect a pronouncement from the ICO before the year is out, I suspect. 

Next story loading loading..