GDRP & CCPA – What are they?
In recent weeks, the four-year anniversary of the introduction of the General Data Protection Regulation in the EU (GDPR) passed. Additionally, the implementation of the California Consumer Privacy Act (CCPA) is six months away.
Initially, the key elements of GDRP included the right to access personal data, the right to be forgotten, and privacy by default which ensures businesses comply with data protection, and transfer rules. As a result, citizens became more aware of data protection according to the European Commission, and over 650 fines were dealt to companies within its first three years of existence. This has ensured businesses adhere to the rules, or they must forfeit a minimum of a 2 million euro fine.
CCPA will include some of the landmark policies within GDPR. Its key elements are: The right to know about the personal information a business collects about them and how it is used and shared; the right to delete personal information collected from them (with some exceptions); the right to opt-out of the sale of their personal information; and the right to non-discrimination for exercising their CCPA rights.
These frameworks protect consumers and businesses alike from data infringements and provide detailed instruction on how to successfully manage and secure data, they even claim to be ‘future-proof’ and flexible in its application to encourage the development of new technologies. However, this future-proofing has ignored a key development in technology – facial recognition.
GDPR, and the proposed CCPA have omitted to recognise that facial recognition requires its own nuanced framework, rather than assuming broader data protection rules will suffice. Regarding the case of GDPR, and its enforcement across the European Union, neglecting to introduce specific facial recognition laws has led to many businesses across Europe breaking GDPR rules when they implement facial recognition. Further consequences of this neglect include difficulty in holding these businesses to account.
The landscape of facial recognition regulation
Globally, the current state of facial recognition regulation is fractured. Countries, or regions, introduce their own regulations rather than pushing for global and widely accepted frameworks. Today, the countries leading the adoption of facial recognition are China and Russia, while trials of this technology are ongoing in many other countries of the world. The reason for this is the long-adopted and working regulation on biometric data collection, management, and storage.
The Future of Facial Recognition Regulation
Whilst future proofing and flexibility within regulation frameworks is a nice sentiment, it neglects the important nuances between technologies. The same data protection, storage and transfer rules cannot be applied to basic personal data such as names and dates of birth to facial biometric data.
Moving forward, the biometrics industry will be required to harmonize with The European Parliament, and the Californian Attorney General in order to develop data regulation frameworks at a national, and international level successfully and accurately. The co-creation of these facial recognition frameworks is essential, as without it there will continue to be a lack of facial recognition regulation that allows businesses to test the ‘flexibility’ of GDPR and CCPA.
As a result of a successful co-created framework, the facial recognition industry will feel encouraged to create new technologies knowing that their softwares will be developed alongside easy-to-follow data guidelines. Moreover, businesses will be able to clearly understand how to store, manage and transfer biometric data compared to other data. Consequently, this will encourage businesses to adopt facial recognition technologies as any discomfort with regard to biometric data storage will be removed.
Within this ‘lifecycle’ or chain of adoption, businesses can then provide consumers with a seamless consumer experience. Consumers are already seeking more facial recognition experiences, which will only increase with the knowledge that their biometric data is being properly secured by businesses, and enforced by governments or global insitutions.
Therefore, only when national and international frameworks are developed with industry experts to directly address facial recognition can businesses and consumers experience the benefits of a seamless customer experience and direct business outcomes.