I refuse to believe that a vending machine using facial recognition without the knowledge of customers can be GDPR compliant.
How can individuals give their consent?
How can they know what their data is being used for?
How could they possibly request their data be removed?
My partner just pointed out that our local Coop has self service tills with cameras on them…but the difference is, you can see yourself on the screen, you know you’re being filmed. Whether they then use facial recognition is another matter I guess.
The folks that say ‘if you’ve done nothing wrong you have nothing to fear’ don’t really understand the value and manner in which data is sold these days.
@JugglingWithEggs
I am sure they put a small sticker on the back of the machine that states "By pressing the vend button you agree to us doing what the fuck we like" and the will cover them legally.
#snark
@JugglingWithEggs Our Coop would do better to spend their time and effort and money on trying to make the self service tills actually work to sell you stuff.
Whenever I've been there (in the before times, of course, I don't go to the shops now they're all plague-ridden) either all the self service tills haven't been working at all, or they've all been cash only when I've only got a card on me, or they're all card only when I've only got cash on me.
> The folks that say ‘if you’ve done nothing wrong you have nothing to fear'
...are strangely resistant if you ask to install a camera pointing at their toilets.
@JugglingWithEggs
There are absolutely legitimate anti-theft reasons to have cameras on unattended machinery but as the vending machine example shows "They" cannot be trusted to not harvest data for other purposes.
@JugglingWithEggs Especially what gets classed as 'wrong' these days.
@JugglingWithEggs In many jurisdictions, it's a legal requirement that people be notified about a camera being in use. Some retailers fulfill this by posting a notice at the door, but some think that such a notice might be seen as unfriendly, and fulfill this requirement by just putting a monitor with the camera feed at a supposedly conspicuous place, such as above an entrance gate.
@JugglingWithEggs Here's one way it could be compliant:
(1) The picture is analysed for demographics (age, gender, colour etc) in real time and then immediately deleted.
(2) The resulting statistics are not stored in any way that could be related back to the card you used for the transaction.
It's (2) that's hard of course. If you're trying to collect data about, say, which drink elderly black females like buying I suspect that it's not possible to anonymise it sufficiently that it couldn't be tied to the till receipts and cards used, even if there are no timestamps on the data.
It makes you wonder in what way the vending machine was malfunctioning in relation to facial recognition…has something already blocked the camera, was it deleting images before they could be sent to a database or something else?
@JugglingWithEggs It makes me wonder why the vending machine would stop, well, vending stuff, just because some inessential auxiliary system had failed.
@JugglingWithEggs
Sending in a Subject Access Request costs a postage stamp and could lead to all sorts of harmless fun.
@JugglingWithEggs does Canada have an equivalent to GDPR? I'd have assumed it might, but this might fall under an exemption like many countries have for filming in public places.
@JugglingWithEggs @paulhutchinson From the article, that would be a straight breach of the first principal "Data processing must be fair lawful & transparent". If you don't know data is being processed then it's not transparent.