VisageCloud and General Data Protection Regulation (GDPR) Compliance

While designing the technical intricacies of deep learning and scaling our operations to tens and hundreds of thousands of faces, we always keep in mind the business challenges that our customers face. While excellence in user experience and technical performance often spearhead business objectives, compliance is a crucial part of success. One such challenge that we identified in the area of compliance is the approaching date of enforcement of the General Data Protection Regulation, the 25th of May 2018. The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union. While its provisions are of direct interest to businesses established in the European Union, and to businesses outside it that offer goods or services to, or monitor the behaviour of, individuals in the European Union (Article 3), the GDPR also establishes best practices for properly, securely and responsibly handling user and customer data in general.

For this reason we designed the technical aspects of VisageCloud with the data protection, data control and security controls needed to achieve GDPR compliance in mind.

What does GDPR actually require?

At a high level, GDPR requires that the data controller, and any data processor acting on its behalf (a business, non-profit or other organization), handles the data of users and customers (collectively called data subjects) in a responsible, secure, transparent and non-abusive fashion, thus allowing the user to remain in control of her/his data or of data pertaining to her/his identity. This means that an organization may only process your personal data on a lawful basis, most commonly your consent or a contract you have requested, may use it only for the purposes it has told you about, and must stop using such data when you withdraw consent or object, unless another lawful basis applies. One may think that such conditions are common sense. Nonetheless, it is very important that such common sense is put in a single, unified piece of legislation for the entire European Union, enabling users to know their rights and businesses to operate in a uniform, consistent way in the European market.

More specifically, the GDPR covers the following points:

  • Processing of personal data is lawful only on one of the bases listed in Article 6: the user has given consent; the processing is necessary for a contract with the user; it is required by applicable law; it protects someone's vital interests; it is carried out in the public interest or under official authority (not to be confused with the private interest of a group or organization); or it is necessary for the legitimate interests of the controller, provided these are not overridden by the user's rights. (Article 6)
  • Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation is prohibited unless one of the exemptions of Article 9(2) applies, the most common being the explicit consent of the user. (Article 9) Where consent is relied upon, the controller must be able to demonstrate that the user gave it, so the consent record must be kept in a form that can be produced later. (Article 7)
  • The controller is not required to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with the GDPR. (Article 11)
  • The user has the right to inquire about the information stored or processed by an organization and to obtain a copy of it. (Article 15: Right of access by the data subject)
  • The user has the right to have any incorrect data stored or processed by an organization corrected or completed. (Article 16: Right to rectification)
  • The user has the right to request the complete erasure of her/his personal data as stored or processed by an organization, including when she/he withdraws the consent on which the processing was based. (Article 17: Right to erasure, also known as the "Right to be forgotten")
  • The user has the right to request that stored data is no longer processed, except for purposes permitted by Article 18, such as the establishment of legal claims. (Article 18: Right to restriction of processing)
  • The organization must communicate any rectification, erasure or restriction of processing to every recipient to whom the data was disclosed, and must tell the user who those recipients are if she/he asks. (Article 19)
  • The user has the right to receive the personal data she/he has provided to an organization "in a structured, commonly used and machine-readable format" and "to transmit those data to another controller without hindrance from the controller to which the personal data have been provided". (Article 20: Right to data portability)
  • The user has the right to object to the processing of her/his data (Article 21)
  • The organization processing personal data must, taking into account the state of the art, implement appropriate technical and organizational measures so that, by default, only the data necessary for each specific purpose is processed. (Article 25: Data protection by design and by default)
  • The organization processing personal data must, taking into account the state of the art, implement measures to "ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services", including, where appropriate, pseudonymisation and encryption. (Article 32: Security of processing)

How does VisageCloud help?

VisageCloud gives its customers granular access to, and control of, the information being stored. This is especially important because biometric data processed for the purpose of uniquely identifying a person (the term is defined in Article 4(14)) is a special category of personal data under Article 9.

For instance, should a user withdraw consent or request that her/his data no longer be stored or processed (under Articles 17 and 18), our customer can remove all the information about that user from the VisageCloud records immediately, within seconds. While this is also possible with the solutions of many of our competitors, the organization handling the data can rarely produce a clear, incontestable proof of erasure to present to a regulating body, as the data is handled opaquely, behind the scenes of the cloud provider. This is one of the main reasons why VisageCloud is also available on-premise, where the customer itself operates the storage and can audit that the records are gone.

Assuming one of the users who has given consent for the processing of biometric data (a facial biometric signature) invokes, at a later date, her/his right of access to that biometric data (under Article 15), none of the cloud solutions provided by our competitors will be able to help, since none of them actually releases the data representing the facial biometric signature in any form. VisageCloud uses open, transparent data processing and makes user data fully available to customers regardless of whether our customers use our solution deployed in-cloud or on-premise. This, of course, includes the facial biometric data.

While the managed in-cloud version of VisageCloud encrypts all data, both in transit and at rest, our solution is also available on-premise for clients who are required by regulation, law or internal procedures to handle their data with additional layers of audit or of physical, hardware or software security. This is not the case with any of our cloud-based competitors.

Should you have more questions about how VisageCloud can help in meeting security or regulatory requirements, do not hesitate to contact us.

Handling of non-identifiable information

One of the main use cases for VisageCloud is providing retail and out-of-home advertising analytics, thus bringing more insight to retail managers, event organizers or facility managers. Customers often ask how this processing complies with the GDPR.

It should first be stated that the information processed, stored and transmitted for the purpose of performing a demographic analysis is NOT personal data. Specifically, knowing that 23 people who have been in your store are female, Caucasian and between 23 and 25 years old does not, in practice, allow the organization to identify who those individuals were, and the GDPR does not apply to anonymous statistical output of this kind (Recital 26). The aggregate statistics produced by VisageCloud therefore do not require the consent of the data subject (user, natural person). Moreover, Article 9(2)(j) states that the prohibition on processing special categories of data does not apply if "processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes"; note that this exemption is conditioned on the safeguards of Article 89(1) and on a basis in Union or Member State law, so an organization relying on it should verify that these conditions are met in its jurisdiction.

Accordingly, when the purpose of the data processing provided by VisageCloud is statistical in nature (retail analytics, out-of-home advertising, vending machine or smart kiosk analytics), the facial biometric signature is neither required nor processed, stored or transmitted: only the aggregate counts leave the analysis step.

One may indeed argue that merely transmitting and processing an image depicting one or several individuals constitutes handling of biometric data and thus requires the consent of the data subjects, even if such a picture is never stored on persistent media. Under the GDPR, however, a photograph only becomes biometric data when it is processed through specific technical means allowing the unique identification of a natural person (Recital 51), which is precisely what the statistical mode described above does not do. It can further be argued that capturing images on the private property of the organization processing the data does NOT constitute a breach of intimacy, privacy or the right to control personal information; otherwise, security cameras, which capture and store images of individuals in commercial or even residential spaces, would not be allowed. It is nonetheless advisable, and required by the transparency obligations of Article 13, that users are informed of the presence of such image/video capture devices. The most effective way of doing this is by using prominent signs at the entrance to the area in which the cameras are located, by reinforcing this with further signs inside the area, and by publishing further fair processing information detailing data subjects' rights.

Conclusions and Next Steps

VisageCloud is a solution designed with performance, accuracy and security in mind. These qualities are attained while preserving fair processing, full control over data and compliance with privacy regulations, including the GDPR.

Should you have further questions or specific requirements on leveraging state-of-the-art facial classification and recognition while preserving full compliance, do not hesitate to contact us.

Contact us

Let us explore together how VisageCloud can best work for your use case

VisageCloud

P: +40.724.714.234

Bucharest, Romania

© 2018 VisageCloud