While designing the technical intricacies of deep learning and scaling our operations to tens and hundreds of thousands of faces, we always keep in mind the business challenges that our customers face. While excellence in user experience and technical performance often spearhead business objectives, compliance is a crucial part of success. One such challenge that we identified in the area of compliance is the approaching date of enforcement for the General Data Protection Regulation, the 25th of May 2018. The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union. While the regulations set forth are of direct interest for businesses operating within the boundaries of the European Union, the GDPR establishes best practices for properly, securely and responsibly handling user/customer data in general.
For this reason we designed the technical aspects of VisageCloud by keeping in mind the data protection, control and security leverages needed to achieve GDPR compliance.
At a high level, GDPR requires that the data controller (or data processor, either a business, non-profit or other organization) handles the data of users and customer (collectively called data subjects) in a responsible, secure, transparent and non-abusive fashion, thus allowing the user to be in the control of her/his data or data pertaining to her/his identity. This means that organizations can only handle your personally identifiable data at your request, with your consent and must stop using any and all such data at your request. One may think that such conditions are common sense. Nonetheless, it is very important that such common sense is put in a single, unified legislation for the entire European Union, enabling users to know their rights and businesses to operate in a uniform, consistent way in the European market.
More specifically, the GDPR covers the following points:
VisageCloud gives its customer granular access and control of the information being stored. This is especially important as biometric information is considered personal data which can be used to uniquely identify a person, as it is defined in Article 9.
For instance, should a user revoke request for her/his data being stored or processed (under Articles 17, 18), our customer can immediately remove all the information of such user from the VisageCloud records, within seconds. While this is also possible with the solutions of many of our competitors, the organization handling this data can never produce a clear, incontestable proof of erasure so to be provided to regulating bodies, as the way data in handled in opaque, behind-the-scenes of the cloud provider. This is one of the main reasons why VisageCloud is also available on-premise.
Assuming one of the users who has expressed their consent for biometric data (facial biometric signature) invokes, at a later date, her/his right of access to that biometric data (right granted for Article 15), none of the cloud solutions provided by our competitors will be able to help, since none of them actually releases the data representing the facial biometric signature in any form. VisageCloud uses open, transparent data processing and makes user data fully available to customers regardless of whether our customers use our solution deployed in-cloud or on-premise. This, of course, includes the facial biometric data.
While the managed in-cloud version of VisageCloud uses state-of-the-art encryption for all data, both in transit and at rest, our solution is also available on-premise for clients who are required by regulation, law or internal procedures to handle their data with additional layers of audit or physical, hardware or software security. This is not the case with any of our cloud based competitors.
Should you have more questions about how VisageCloud can help in achieving compliance with security, regulatory or compliance requirements, do not hesitate to contact us.
One of the main use cases for VisageCloud is providing retail and out-of-home advertising analytics, thus bringing more insight to retail managers, event organizers or facility managers. Many of our customers often ask how this information complies with the GDPR.
It should first be stated that the information processed, stored and transmitted for the purpose of performing a demographic analysis is NOT personally identifiable information. Specifically, knowing that 23 people who have been in your store are female, caucasian, between the age of 23 and 25 does not pragmatically allow the organization to identify who said individuals were. Statistical data collected and analyzed by VisageCloud therefore does not require consent of the data subject (user, natural personal). Moreover, Article 9 paragraph 2 point j) clearly states that the provisions requiring explicit consent of the user do NOT apply if “processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”.
To such extent, if the purpose of the data processing provided by VisageCloud are statistical in nature (retail analytics, out-of-home advertising, vending machine or smart kiosk analytics) the facial biometric signature is neither required, nor is it processed, stored or transmitted.
One may indeed bring the argument that merely transmitting and processing an image depicting one or several individuals constitutes handling of biometric data and thus requires the consent of the data subjects, even if such a picture is never stored in a persistent media. It can in turn be argued that capturing images on the private property of the organization processing the data does NOT constitute a breach of intimacy, privacy or the right to control personal information. Otherwise, security cameras, which capture and store images of individuals in commercial or even residential spaces would not be allowed. It is however advisable and fair-use that users are informed of the presence of such image/video capture devices. The most effective way of doing this is by using prominent signs at the entrance to the area in which the cameras are located, by reinforcing this with further signs inside the area and by publishing further fair processing information detailing Data Subjects’rights.
VisageCloud is a solution designed with performance, accuracy and security in mind. However, these qualities are attained while preserving fair-use, full-control over data and compliance with privacy regulations, including the GDPR.
Should you have further questions or specific requirements on leveraging state-of-the-art facial classification and recognition while preserving full compliance, do not hesitate to contact us.
Let us explore together how VisageCloud can best work for your use case