DATA PROTECTION
International: Privacy regulators adopt resolutions on facial recognition technology and cybersecurity.
The Office of the Privacy Commissioner of Canada ('OPC') announced, on 28 October 2022, that, during the 44th Global Privacy Assembly ('GPA'), 120 data protection authorities adopted resolutions on facial recognition technology ('the FRT resolution') and cybersecurity regulation ('the cybersecurity resolution'). In particular, the OPC detailed that the FRT resolution outlines six principles and expectations for organisations seeking to use FRT, namely:
Lawful basis: Organisations using FRT should have a clear lawful basis for the collection and use of biometrics.
Reasonableness, necessity, and proportionality: Organisations should establish, and be able to demonstrate, the reasonableness, necessity, and proportionality of their use of FRT.
Protection of human rights: Organisations should in particular assess and protect against unlawful or arbitrary interference with privacy and other human rights.
Transparency: The use of FRT should be transparent to affected individuals and groups.
Accountability: The use of FRT should include clear and effective accountability mechanisms.
Data protection principles: The use of FRT should respect all data protection principles, including those referenced above.
Further to the above, the OPC explained that the relevant authorities have committed to working together to promote the principles to external stakeholder groups, to assess the real-world application of the principles by developers, as well as users, and to report back on their progress.
In regard to cybersecurity, the OPC highlighted that GPA members, based on the cybersecurity resolution, committed to improving cybersecurity regulation and their collective understanding of the harms that may result from a cyber incident. On this point, the OPC noted that authorities resolved to explore possibilities for international cooperation, knowledge, and information sharing, including technical expertise and best practices, amongst members to avoid duplication in investigations or other regulatory activities regarding cybersecurity issues and regulatory approaches as they relate to data protection and privacy.