Holiday parks adjust use of facial recognition after investigation by Dutch DPA

Theme:
Biometrics

The Dutch Data Protection Authority (Dutch DPA) has investigated 8 holiday parks that deploy facial recognition for giving access to swimming pools and playgrounds. It turned out that all holiday parks investigated broke the privacy law, for example by not pointing out to their guests that they could also visit the swimming pool without subjecting themselves to facial recognition. Under pressure from the Dutch DPA, 7 of the parks investigated have adjusted their way of working, but 1 holiday park has not done this so far. If this continues to be the case, the Dutch DPA may impose other measures, such as a fine or an incremental penalty.

The Dutch DPA started the investigation after receiving tip-offs from citizens. "People were surprised," says Monique Verdier, vice chair of the Dutch DPA. "Where they used to access the swimming pool using a card or a wristband, facial recognition was suddenly deployed. For adults, but also for children. Solely for gaining access to the swimming pool. Is that allowed, just like that? That is what they wanted to know."

Facial recognition is usually prohibited

The General Data Protection Regulation (GDPR) sets strict requirements for the deployment of facial recognition. "Deployment is in principle prohibited. And that is for a reason," says Verdier. "Once such a facial scan has been made of you, you have lost control. Then you can be identified and followed everywhere. Your face is unique, and you cannot just swap it for a new face."

In principle, facial recognition is permitted in 3 cases only:

  1. If the facial recognition serves only a personal or household purpose, such as unlocking a phone.
  2. If the facial recognition is necessary for purposes of authentication or security. Such necessity, however, does not arise easily. It must concern a substantial public interest. For example, the security of a nuclear power plant or information that constitutes a state secret.
  3. If the person whose face you scan explicitly consents to this.

Explicit consent for facial recognition

In the case of access control for a swimming pool, option 3, explicit consent, is the only possible option. A substantial number of requirements apply to the way in which an organisation has to ask people for consent to the use of facial recognition.

To name a few: the organisation has to inform people properly to ensure that they really know what they are saying 'yes' to. In addition, they must be free – and feel free – to say 'no'. This means, among other things, that an alternative must also be available. In this case, that means you can also get access using a card or wristband, for example.

Various violations by holiday parks

The investigation by the Dutch DPA showed that all holiday parks failed to comply with the law. The Dutch DPA identified various violations:

  • Sometimes, parks did not even ask for consent. Or they did not ask clearly enough.
  • Sometimes, guests could not use an alternative to facial recognition. Or there was an alternative, but the holiday park did not inform the guests about this of its own accord.
  • Other holiday parks informed the guests insufficiently about the facial recognition and about the rights the guests have as soon as an organisation uses their personal data for facial recognition.
  • Often, the guests did not receive any information about how long the holiday park retains the data and who receives the data.

Verdier: "This is very serious. You are not allowed to pressurise people into surrendering their biometric data. Yet this is exactly what happened here: people pay for a nice holiday, including swimming pool, and are faced with a fait accompli: if you want to swim, you will have to surrender your data. That is prohibited."

What now?

The Dutch DPA has imposed an order on the holiday park that does not yet meet the requirements of the law. The holiday park has been given until early December to adjust its way of working where facial recognition is concerned. If the park fails to do this, the Dutch DPA may impose other measures. Verdier: "In that case, the company has had sufficient opportunity to meet the requirements of the law. A different measure, such as a fine or an incremental penalty, may be necessary then."