Replacing boarding pass with facial recognition at Gardermoen?



Published 01 July 2020
News image

No, we still have to use boarding passes, passports and other travel documentation to get through at Gardermoen. But at Heathrow, this may be changing. Heathrow airport and the UK Data Protection Authority (ICO) are cooperating in a regulatory "privacy sandbox" to see if passenger journeys may be streamlined by using biometrics. Facial recognition at check-in, bag drops and boarding gates would save time if privacy issues can be tackled.

Last year, UK was the first country in EU to set up a regulatory sandbox to help companies develop new services, with assurance that they have built-in privacy from the start. Sandboxes can offer a constructive engagement between the regulator and the companies launching new services throughcollaboration and exchange of ideas.

ICO received 64 applications to participate in their sandbox, 10 were accepted. Heathrow was one of them. Another project that was accepted was the exploration of voice technology in healthcare by Novartis.

The Norwegian Data Protection Authority, Datatilsynet, has recently been granted NOK 3 million from the government to set up a similar service and is then the second authority to do so in Europe.

Datatilsynet will focus on projects using AI. It could be a brilliant possibility for companies to have guiding on complex questions. How shall fairness, data minimalisation or retention times be interpreted in AI? With very few industrial code of conducts and little specific guiding, it is often a challenge to assess what is compliant.

Equally important, it is very useful to know at an early stage of the development how Datatilsynet views a project. As we have seen in the media recently with "Smittestopp", the app that Datatilsynet deemed as lacking legal basis, it is often difficult to navigate and launch new projects when it is uncertain how Datatilsynet will assess the degree of compliance. Being in the regulatory sandbox will reduce such risks.

The exact details of how the Norwegian sandbox will work and what deadlines there will be for application are not yet known. If Datatilsynet chooses the UK model, we will see different threshold criteria for participation. For instance, the ICO prioritized projects that were highly innovative compared to existing technology and companies being able to demonstrate accountability. Even though start-ups may apply, many of the projects that received support in the UK are mature organizations that are able to document a will to comply with the GDPR.

The sandbox will not render the participants exceptions from the rules in the GDPR, but Datatilsynet has actually said that they may provide exemption from enforcement measures while the projects are developed.

Given the broad interpretation possibilities of the rules in the GDPR, particularly on how to implement privacy by design, this is good news. Solutions that are put into operation after being developed in the sandbox, will also serve as precedent examples and will be of help to other businesses that want to develop similar solutions.

Datatilsynet is presently inviting companies to voice their needs and wishes for the sandbox. In an ideal world, Datatilsynet should have resources to guide and advice far more companies than they actually do today. As this is not the case, the sandbox is perhaps the next best solution. Given the experience from the UK, it is fair to assume that many companies will send an application to participate. For all companies planning to launch services based on AI onwards, this is the time to act. And write a good application.