CNIL Guide on the Use of Facial Recognition at Airports

Facial recognition at airports can automate and speed up moving of passengers by replacing the control of travel and identity documents. It can streamline the traveler's journey and improve their experience by reducing the waiting time for baggage drop-off or boarding. The facial recognition at airports would work in the way where a photograph of a passenger's face from their identity document is compared to their face captured during their movement through airport checkpoints.

Facial recognition is considered a special category of personal data as it can uniquely identify a natural person. Since it characterizes an individual forever, cannot be modified in case it is compromised, it is subject to a specific regime.

Devices enabling facial recognition technology are considered a “contactless” technology. They can create additional risks for data subjects since they allow data to be processed remotely and potentially without their knowledge.

Use of the facial recognition for these purposes carries a risk to the rights and freedoms of individuals on a larger scale.

The CNIL recommends adopting the following principles when implementing facial recognition.

Justify the necessity and proportionality of the use of facial recognition

Processing of personal data must be proportionate – in terms of impact for the rights and freedoms of individuals, pursued purpose and what personal data is considered necessary to fulfill the purpose of processing.

The criteria of necessity and proportionality must be in particularly assessed when biometric data are processed, as such processing is considered intrusive and sensitive. Thus, the deployment of facial recognition devices in airports will have to meet specific needs.

For example, and depending on the circumstances, the use of facial recognition devices to facilitate the boarding of passengers to avoid forming queues for security reasons might be proportionate, while using facial recognition for other purposes might not be considered proportionate.

Obtain the prior consent of passengers

The implementation of facial recognition in order to make the journey of passengers more fluid must be based on a prior collection of their consents. For the consent to be valid, it must be " free, specific and informed”:

    • Free consent: passengers must be able to freely choose to use the biometric device or an alternative non-biometric device, without any constraint, incentive or particular consideration (for example obtaining benefits as part of a loyalty programe). The passenger must also be able to withdraw their consent at any time.

    • Specific consent: the passenger must specifically consent to the processing of their biometric data and must therefore not be included in a general acceptance of the conditions of sale of the ticket, for example.

    • Informed consent: passengers must have received comprehensive information, in clear and accessible language, on the facial recognition device and its alternative.

Technical and organizational measures must also be implemented to ensure that the facial recognition device processes only the data of persons who have previously consented, for example:
activation of facial recognition cameras only after an action by the passenger who wishes to use the facial recognition, a technical configuration blurring the faces of passengers in the background,
display panels and markings on the ground distinguishing the control zones by facial recognition from the traditional control zones; etc.

Keep biometric data under the sole control of the passengers

This could mean:

    • either the biometric data is stored on an individual’s medium under its control (on a secure mobile application on his cell phone, on a badge, a card, etc.);

    • or the biometric data is stored in a database in an encrypted form making it unusable without an element stored on a user’s device which would enable decryption of the information.

This would make possible to subject the passenger to biometric authentication at each stage of the journey and not to biometric identification, which guarantees greater reliability of the device by reducing the risk of errors (false positives or false negatives).

This principle of keeping the data under the exclusive control of the data subject thus responds to the principles laid down by the GDPR, of data protection by default and from the design stage and the principle of data minimization.

Perform a data protection impact assessment (DPIA)

In the case of the implementation of a facial recognition device at an airport and given the sensitivity of the data processed, the number of passengers potentially concerned and the risks inherent in this type of technology, the CNIL recommends carrying out the DPIA before implementing the facial recognition, whether it is experimental or not.

The Guide is available here.