Mercadona’s facial recognition ends in a fine of 2.5 million euros: what the Data Protection Agency says and what lessons can be learned
The circle is closed with the Mercadona’s controversial facial recognition. The supermarket company will pay 2.5 million euros fine to the Spanish Data Protection Agency (AEPD) in relation to the pilot project that it implemented in 48 stores.
The sentence has been published several weeks after the Provincial Court of Barcelona to pronounce on the same case, concluding that there was a “violation of privacy” in this project.
These are the arguments of the Data Protection Agency about Mercadona’s facial recognition, a case that highlights the complexities of this type of surveillance system.
The sanction to Mercadona as a wake-up call for this type of systems
According to explains the company itself, the system “applied a technological filter and a second visual verification established that the identified person had a restraining order current of the establishment “.
But nevertheless, the AEPD has concluded that the General Data Protection Regulation has been violated. Specifically, article 6 (Legality of the treatment) and Article 9 (Treatment of special categories of personal data). For this reason, a penalty of two million euros is imposed, accompanied by other amounts for violations of other articles of the RGPD.
This sanction has been reduced by 20% because Mercadona has voluntarily decided to carry out the payment, having taken into account as a mitigating factor of special relevance that no recidivism or reiteration. Mercadona explains that it had judicial authorization and close contact with the corresponding authorities was maintained from the outset, sharing all the procedures with the AEPD before starting the test. But nevertheless, one of the grounds for sanction is the incorrect evaluation of impact.
Mercadona carried out a pilot project with a technology that is in the sights of Data Protection agencies. A test that was not carried out with the sufficient rigor necessary, as determined by the AEPD, and that has resulted in a fine. A sanction that the Agency considers “proportional, effective and deterrent“This last point, in relation to what it will serve for other companies seeking to implement facial recognition systems take into account all the above.
Mercadona states that “now the most responsible and rigorous is terminate this pilot test“They choose to pay the penalty and close the procedure before Data Protection.
What aspects of the facial recognition project have led to the sanction
Jorge Garcia Herrero placeholder image, a lawyer specialized in Data Protection, makes a review of the Agency’s ruling. Among the proven facts, it is found that Mercadona started the project in June 2020 and it was not until May 2021 that it was terminated in its forty establishments. About a year of time during which these establishments were using facial recognition technology at their entrance.
How did the Mercadona system differentiate those who had a court order? The company relied on its own lawsuits against those who shoplifted and asked the judge to order precisely this measure. A “good idea”, according to Garcia Herrero, but where the AEPD accuses them of have started before conducting the impact assessment. An impact report where the risks regarding the company’s own workers and that of vulnerable clients such as minors were not assessed, according to the AEPD.
According to the Agency, biometric data is processed without sufficient basis nor are basic public interest requirements met.
The company is “complacent”, to say the least, in justifying the need for the measure.
This is one of the great lessons for personal data protection professionals: “the customer is not always right”. pic.twitter.com/6FVne3HdWY
– Jorge Garcia Herrero -Cookieless since 2000- (@jgarciaherrero) July 27, 2021
One of the deep debates about these facial recognition systems is the difference between the use of data for specific people and for the rest. The AEPD understands that there is legitimacy for the convicted, but not for the “not convicted”.
Another aspect taken into account with biometric data processing systems is the need for the measure. The AEPD explains that “utility” is confused with “necessity”. Although these facial recognition systems can be “useful”, they are not strictly necessary and therefore consider that the Data Protection regulation prevents their use in cases such as Mercadona, where it is considered that the public interest is not being protected , but rather, private interests.