Cordery

Legal.Compliance.

European Court of Human Rights Facial-Recognition Privacy Ruling

Introduction

The European Court of Human Rights recently ruled that the use of facial-recognition technology with regards to a particular individual breached that individual’s rights having been far too intrusive. This article takes a brief look at this case.

What’s the case about?

The case of Nikolay Glukhin v. Russia concerns the Russian authorities’ use of facial-recognition technology against Mr. Glukhin following a demonstration that he had held on his own in the Moscow underground in August 2019. On that occasion he had travelled with a life-size cardboard figure of a protestor whose case had caused a public outcry and had attracted widespread attention in the media, with the figure holding a banner that said “You must be f**king kidding me. I’m Konstantin Kotov. I’m facing up to five years [in prison] under [Article] 212.1 for peaceful protests”.

During routine monitoring of the internet the police discovered photographs and a video of Mr. Glukhin’s demonstration in the underground that had been uploaded on the public social-media site Telegram. A few days later, seemingly through the use of facial-recognition technology to identify Mr. Glukhin from screenshots taken of the Telegram material, using, it would appear, closed-circuit television (CCTV) surveillance cameras, Mr. Glukhin was located and arrested while he was travelling in the Moscow underground.

Mr. Glukhin was then convicted in administrative-offence proceedings for failing to notify the authorities of his solo demonstration using a “quickly (de)assembled object”, and was fined 20,000 Russian roubles (around Euro 283/USD$ 311). The screenshots taken of the material on Telegram and of the video-recordings from the CCTV surveillance cameras were used in evidence against him.

Mr. Glukhin appealed his conviction but it was upheld by a court on appeal. He then took his case to the European Court of Human Rights on the basis that his administrative conviction and the use of facial-recognition technology in the processing of his personal data had breached his rights, including under Article 8 (right to respect for private life) of the European Convention on Human Rights (“ECHR”).

What did the court rule?

The court ruled that the processing of Mr. Glukhin’s personal data in the context of his peaceful demonstration, which had not caused any danger to public order or safety, had been particularly intrusive. The court concluded that ‘the use of highly intrusive facial recognition technology in the context of [Mr. Glukhin] exercising his [ECHR] right to freedom of expression is incompatible with the ideals and values of a democratic society governed by the rule of law […]. The processing of [Mr. Glukhin’s] personal data using facial recognition technology in the framework of administrative offence proceedings – first, to identify him from the photographs and the video published on Telegram and, secondly, to locate and arrest him while he was travelling on the Moscow underground – cannot be regarded as “necessary in a democratic society”’.

The court ruled that, accordingly, Article 8 of the European Convention on Human Rights had been breached, and Mr. Glukhin was awarded Euro 9,800 (around USD$ 10,782) plus his costs and expenses of Euro 6,400 (around USD$ 7,041), to be paid by the Russian state.

What are the takeaways?

Whilst, as we’ve reported before, data protection issues can arise in the context of the European Convention on Human Rights, the issue of facial recognition also concerns businesses, under data protection rules. If businesses are considering using facial recognition technology they should consider doing the following:

  • Undertaking a Data Protection Impact Assessment (DPIA) to better determine the range of data protection issues that might apply and how to practically address them;
  • Depending on the circumstances, consider getting individuals to sign up to an image release waiver (to cover privacy and also other issues). Bear in mind however that there can be issues with a consent-based approach under UK GDPR and EU GDPR, so this will also require careful planning;
  • Being transparent – when collecting personal data from individuals always consider being upfront with them about what their personal data will be used for, and also consider putting in place a data retention plan and policy; and,
  • Last but by no means least, bear in mind that compensation claims alleging data protection infringements against businesses continue to be on the rise.

More information

We’ve previously written about facial recognition and privacy issues here: https://www.corderycompliance.com/ico-fines-dp/, here: https://www.corderycompliance.com/clearview-ai-italy-gdpr-fine/, here: https://www.corderycompliance.com/clearview-to-close-oz-ops/.

See also our article about using CCTV/surveillance cameras on business premises here: https://www.corderycompliance.com/client-alert-using-cctv-on-business-premises-dp-implications/.

For other compliance articles that we have written about concerning the European Convention on Human Rights please see here: https://www.corderycompliance.com/echr-ruling-azerbaijan-forced-labour-claims/, here: https://www.corderycompliance.com/lux-whistleblowing-echr-judgement/, here: https://www.corderycompliance.com/echr-spanish-supermarket-cctv-ruling-2/, here: https://www.corderycompliance.com/european-court-murder-anonymization-rtbf-judgement/, here: https://www.corderycompliance.com/client-alert-european-court-cctv-damages-judgment/, here: https://www.corderycompliance.com/european-court-of-human-rights-rulings-on-website-user-generated-content/, and here: https://www.corderycompliance.com/barbelescu-judgment-monitoring-employee-communications-data-protection/.

We write about data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/

The court’s judgment can be found here: https://hudoc.echr.coe.int/#{%22documentcollectionid2%22:[%22GRANDCHAMBER%22,%22CHAMBER%22],%22itemid%22:[%22001-225655%22]}

For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong, Cordery, Lexis House, 30   Farringdon Street, London, EC4A 4HH André Bywater, Cordery, Lexis House, 30             Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784 Office: +44 (0)207 347 2365
Jonathan.armstrong@corderycompliance.com Andre.bywater@corderycompliance.com
 

 

Contact a Cordery Specialist +44(0)207 118 2700 | Contact Us

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority.
SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520
Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom

Cordery Compliance Limited trading as Cordery provides some products and services which are not regulated by the Solicitors Regulation Authority; we will clearly state this to you if this is the case.

We use the word “partner” to refer to a shareowner or director of the company, or an employee or consultant who is a lawyer with equivalent standing and qualifications.

Cordery is a registered trademark of RELX (UK) Limited, used under license. The Knowledge Burst logo is a registered trademark of Reed Elsevier Properties Inc., used under license.

Copyright © 2021 Cordery. All rights reserved.