On 23 July 2020, the ICO published the first two reports in connection with the beta phase of its regulatory sandbox, one of which relates to Heathrow Airport's proposed use of facial recognition technology (“FRT”) to automate the passenger airport journey (the "APJ").
The Heathrow Airport report summarises the progress made by Heathrow as part of an ambitious project to improve the speed, efficiency and security of passengers' journeys through the airport. The APJ involves verifying a photograph of an individual taken at check-in against a template ID source such as a passport or ID service. Biometric matching would then be used at subsequent stages, including self-service bag drops and boarding gates, to confirm it is the same passenger.
Whilst the ICO has indicated that Heathrow appears to be on track to begin automating the passenger journey, the report identifies a number of risks and actions that Heathrow will need to resolve before it can roll-out a data privacy compliant APJ procedure.
Clarify the role of parties in processing biometric data
The ICO’s view is that Heathrow is likely to be characterised as a joint controller, along with each of the partner airlines, in relation to the processing of biometric data processed through the APJ. This is principally because Heathrow would jointly make the decision to introduce FRT in the airport terminal, determine the means and manner through which identity verifications take place and have their own business interest in introducing FRT.
In relation to an additional proposal by Heathrow to match “on the day” photographs against passenger information in the US Customer and Border Protection’s Traveller Verification Service (“TVS”), the ICO formed the view that Heathrow would more likely be a processor on behalf of relevant partner airlines. This is because Heathrow is providing a service to, and acting on the instructions, of partner airlines (assumed to be the controllers for the purpose of the example). The ICO has advised Heathrow to give careful consideration to a number of risks associated with the proposed TVS processing, including in particular how all parties can comply with the GDPR's rules around international transfers in relation to the transfer of passenger personal data to the US. A particularly pertinent point given the recent Schrems II decision which is discussed in more detail here.
Confirm the process for obtaining explicit consent
Consent is likely to be the most appropriate lawful basis for processing passenger biometric data. Heathrow asked the ICO to consider whether a 2009 amendment to the Immigration Act 1971 provided a sufficient lawful basis under Article 6, 1(C) of the GDPR, namely compliance with a legal obligation. The ICO’s view was that the proposed processing of biometric data proposed by Heathrow goes beyond the limits of that amendment, which requires Heathrow to use a biometric system to prevent international transitioning passengers from breaking UK border security controls in common departure lounges. The ICO did, however, acknowledge that similar amendments to the Immigration Act, or other legislation, may in the future provide Heathrow with a sufficient lawful basis to process biometric data.
Heathrow sought clarification from the ICO on what could be considered a recordable, unambiguous indication of explicit consent to satisfy Article 7 of the GDPR. Heathrow’s existing approach relies on full consent statements which are accepted by passengers before their biometric data is processed. In order to reduce the time taken through the APJ, Heathrow’s preferred approach was to rely on layered communications and affirmative action as a means of showing an express statement of explicit consent. The approach outlined by Heathrow involved passengers initially joining a queue labelled for APJ processing. Passengers would then walk past signage which clearly states that the act of scanning a boarding pass will be taken as an express indication of consent to biometric processing. The ICO concluded that this approach was largely inadequate.
Heathrow has signalled that they will now postpone their APJ plans to undertake further evaluation in relation to the process for obtaining consent. For now, Heathrow will rely on its existing procedures whereby passengers must click “yes” to confirm their consent for biometric processing.
The ICO has also recommended that Heathrow seek to work with industry partners to create a Code of Conduct under Article 40 that enables them to set out in a clear, transparent and standardised manner how they will approach the challenge of utilising passenger's biometric data for the purpose of confirming/verifying identities.
While compliance with data protection legislation is just one piece of the regulatory puzzle when considering the use of FRT systems, the Heathrow report sends a clear message to organisations. They will need to have clear procedures in place for obtaining explicit consent as well as robust mechanisms to deliver transparency information. This will apply regardless of any negative impacts on overall service delivery or customer journey and any limitations it may impose on the ability of organisations to automate an end to end process.
For now, the utopian vision of arriving at the airport 30mins prior to departure, zipping through security in 10mins, all without speaking to a human, appears to be some way off.
The first reports from participants in our regulatory sandbox have been published, revealing the outcomes of collaborations between the ICO and two of the organisations who were among the participants in the pilot phase of the scheme.