The APDCAT promotes with twenty control authorities a resolution to strengthen the regulation of the use of facial recognition systems

The Catalan Data Protection Authority (APDCAT) participated in the 44th edition of the Global Privacy Assembly (GPA), which took place from October 25 to 28 in Istanbul. This international conference, which annually brings together more than 130 data protection authorities from around the world, has focused this year on finding the balance between the defense of privacy and rapid technological development.

In the framework of the activities of the International Enforcement Cooperation Working Group (IEWG) and the Working Group of Ethics and Data Protection in Artificial Intelligence (AIWG), the APDCAT has contributed to promote a resolution promoted at the initiative of European Data Protection Supervisor, along with twenty other data protection authorities. The text recognizes that, in the context of complex and high-risk technological innovations such as facial recognition, where differences in regulation create uncertainty, clear and consistent global data protection and privacy standards are needed.

In this sense, it establishes the principles that must govern this type of technology:

1. Lawful Basis: Organizations using facial recognition must have a clear legal basis for collecting and using biometrics.
2. Reasonableness, necessity and proportionality: Organizations must establish and be able to demonstrate the causality, necessity and proportionality of the use of facial recognition technology.
3. Interference with human rights: Organizations must assess and mitigate illegal or arbitrary interference with privacy and other human rights.
4. Transparency: the use of facial recognition must be transparent for the people and groups affected.
5. Accountability: The use of facial recognition must include clear and effective accountability mechanisms.
6. Data protection principles: The use of facial recognition must respect all data protection principles.

The resolution agrees by 2023 to develop a plan to promote these principles with a set of strategic external stakeholders, as well as to evaluate and review the real-world application of the principles by developers and users of facial recognition systems.

International cooperation in cybersecurity

On the other hand, another resolution has been approved, of which the APDCAT has also been a co-sponsor, to promote the improvement of regulation in the field of cybersecurity in the face of the damage caused by cyberattacks. Promoted by the British regulator (ICO), the initiative has had the support of the data protection authorities of Canada, Colombia, Estonia, France, Gibraltar, Israel, Jersey, the Philippines, Korea, Switzerland and Turkey, in addition to Catalonia.

The text acknowledges that the increasing digitization of the global economy and society brings increasing and significant risks to the personal data of individuals held by public and private organizations. A risk that can include accidental as well as deliberate threats, such as attempted surveillance and access to data in many jurisdictions, often across borders.

The resolution agrees to move forward in determining the powers and responsibilities of the GPA member authorities in the matter of cybersecurity and to explore the possibilities of international cooperation, knowledge and information sharing. This includes technical expertise and best practices among GPA members, to avoid duplication of investigations or other regulatory activities on cybersecurity issues and regulatory approaches related to data protection and privacy.

The International Enforecement Cooperation Working Group (IEWG) of the GPA must present its work before autumn 2023, as well as a workplan to fulfill the commitments adopted, focused on clear and practical outcomes.