(Information sent by the signatory company)
The consulting firm assesses the possible application in Spain of facial recognition systems for minors arriving from China or the United States.
Madrid, April 8, 2024.-
The protection of minors' data on the Internet and on current technological devices is one of the main workhorses of today in terms of security and privacy.
Among the main difficulties that organizations and legislators face is the challenge of establishing mechanisms that guarantee the security, privacy and intimacy of children and adolescents online, but that at the same time do not involve any interference with their personal data, something that It is extremely complicated.
The controversy comes from the methods chosen. From China or the United States, facial recognition systems are already used to control the access of the best to the Internet, but what about in Spain? Would it be legal?
Facial recognition of minors in Spain
Would it be possible to apply this type of parental control systems in Spain? Does European law allow the use of such intrusive systems if the objective is the data protection of minors?
The reality is that in Spain facial recognition devices for parental control are NOT allowed, if we stick to what is said by the European Commission on Data Protection (CEPD).
And recently this body made it clear that biometric data belongs to the category of specially protected data, whether used for authentication or identification.
Until then, biometric data was not considered a special category of data if it was only used for authentication, which left it open for use, for example, to record workers' work hours. However, the CEPD overturns the Supreme Court's jurisprudence and eliminates this distinction, granting the same special category to biometric data for authentication and identification.
On the other hand, in addition to the prohibition of the use of biometric data for authentication or identification, there is also the special protection that minors must have due to the fact that they are minors.
Is there any loophole that allows facial recognition for parental control?
The consulting firm Grupo Atico34, a national data protection company, has expressed itself about the possibility that this type of action would be permitted because the intended purpose is more important than the restricted rights. In this case, the good of the minor is, without a doubt, a greater good, but in this case proportionality comes into play.
In this regard, Miguel Quintanilla, head of compliance at the consultancy, points out that “the means implemented for the authentication or identification of minors must be relevant and proportionate, therefore, the use of facial recognition systems does not make sense when they exist. "other alternatives (...) we must also take into account that these types of devices are not infallible and that they can be easily manipulated."
In Spain, the Spanish Data Protection Agency (AEPD), together with the National Commission of Markets and Competition (CNMC) and the Mint and Stamp Factory, is developing a tool for identifying minors that verifies the age of the user through an official document. In this case, there is nothing that implies biometric identification, and its implementation will not be an obligation for companies either.
At the same time, the Government is promoting other measures that go against the use of this type of technology. Without going any further, the President of the Government, Pedro Sánchez, announced on the International Day for the Protection of Personal Data the creation of a commission of experts that will be in charge of ensuring a safe digital environment for children and young people.
The objective is not only to control and limit the access of minors to adult content on the Internet, understanding these as sexual content, but also uncontrolled access to online games, casino or betting portals, etc.
There are also Spanish technology companies that are developing facial recognition tools, hoping that this kind of regulatory limbo will be resolved once and for all with the hope of one day being able to put their product on the market. However, it seems that the wind is blowing in the other direction and that the identification and authentication of people may not be the final objective of these devices, unless the CEPD changes its mind again.
The United States and China, the precursors
One of the first countries to implement this type of measures was China. It has been years since the company Tencent, in collusion with the Chinese government, imposed a limitation on minors' access to its video games in the Asian giant. Specifically, it uses facial recognition to detect and expel minors who are playing between 10 at night and 8 in the morning.
To carry out this type of control, Tencent and the Chinese Government use a facial recognition system that connects to a state database. Obviously, this method requires a level of identification and control of the population that is incompatible with European legislation, in this case the RGPD (General Data Protection Regulation) and the Spanish LOPDGDD (Organic Law on Data Protection and Guarantee of Data). Digital Rights).
Another country that has implemented facial recognition of minors is the United States. However, as Miguel Quintanilla, head of data protection at Grupo Atico34, points out, “in the United States, the controversy surrounding the use of this type of biometric recognition devices, which are used above all in schools and institutes, is clear. For example, the State of New York has just banned the use of these systems because it considers them disproportionate.”
In addition, and following the Chinese model, the ESRB, an American video game age rating agency, has designed a facial recognition system for parental verification that is already being studied by the FTC or Federal Trade Commission.
Conclusions about the use of biometric devices for the protection of minors' data
The first, the risk involved in using this type of systems in a regulation such as that of the European Union, which places special emphasis on the protection of individual data, in this case minors.
On the other hand, the requirement that data protection companies have to always keep their clients and partners informed about these types of issues, in addition to being prepared to face any type of problem related to data protection and new technologies .
Issuer: GRUPO ATICO34
For more information:
Fernando Tablado
Tel. 91 489 64 19
