Abstract

Facial Recognition Technology (FRT) is becoming a powerful tool in this Technological era. It has proved to be a great tool for surveillance by helping in identifying missing children and people, unidentified persons, criminals, convicts, and others. This paper analyzes the legal framework needed to govern Facial Recognition Technology. The introduction provides that it works by comparing the formulated mathematical representation of a person and is not limited to unlocking phones. The background describes the emergence of FRT as how the system was developed by Woodrow Wilson Bledsoe in the 1960s that paved its way to Windows, Android, iPhone, and Surveillance cameras. This paper further discusses that FRT is being used by both Government and Private entities in Aadhar, DigiYatra, identification purposes, KYC, and taking attendance. The Right to Privacy in relation to FRT is also discussed and how there is a need to make stringent laws. Furthermore, Legal Framework in India examines the Information Technology (Amendment) Act, 2008, and Digital Personal Data Protection Bill, 2022. Following this, the comparative analysis of Legal frameworks in different countries such as the European Union, the United States of America, and, the United Kingdom provides different insights. Finally, the paper provides recommendations for emphasizing privacy rights and has a comprehensive legal framework in India.

Keywords

Facial Recognition Technology (FRT), Legal Frameworks, Regulation, Privacy, Data Protection Bill

I. Introduction

Facial Recognition Technology (FRT) is a process of using software to analyze the identity of persons whether they are the same or not by just comparing the formulated mathematical representation of a person with the one already existing in the database. FRT is not just limited to unlocking phones, rather it is one of the greatest surveillance tools ever made. It provides the percentage of resemblance representing the likelihood of whether the two persons are the same or not. The precision of the result depends on various factors such as the quality of photograph, quality of lighting, angle, use of makeup, expressions, variations in pose, and more. With the increasing advent of FRT, it is important to increase its accuracy and make regulations to govern the same.

II. Research Methodology

The paper is based on secondary data put together on Regulation of Facial Recognition Technology: Analyzing the Legal Frameworks Needed to Govern the Use of Facial Recognition Technology. The websites of the government of India, statutes, authentic national and internal newspapers, articles, and journals are cited as sources of the final report.

The research paper also includes an analysis of a virtual survey conducted by the author through google forms for constructing research efficiently.

This study sets out to explore, analyze and gain insight into what Facial Recognition Technology is, what is the need for governing the same, where it is used, and various legislations at both national and international levels. There is an in-depth analysis of the legal framework for FRT in this paper that highlights how it will ensure the Rights of Consumers by safeguarding their data.  A quantitative as well as qualitative approach was selected as the most appropriate method for this exploratory research study.

III. Literature Review

The following sources are referred to as sources of extensive research that are contributing

authentic and reliable information on the topic of Regulation of Facial Recognition Technology: Analyzing the Legal Frameworks Needed to Govern the Use of Facial Recognition Technology.

1. Thorin Klosowski, Facial Recognition Is Everywhere. Here’s What We Can Do About It, NEW YORK TIMES WIRECUTTER (July 15, 2020), https://www.nytimes.com/wirecutter/blog/how-facial-recognition-works/#privacy-tips

This source discusses the background of FRT.

2. UIDAI, https://uidai.gov.in/en/about-uidai/legal-framework.html, (last visited July 18, 2023)

This source is of Govt. of India that is used to establish the use of FRT in Aadhar.

3. INDIA.GOV.IN, https://www.india.gov.in/spotlight/digi-yatra-new-digital-experience-air-travellers, (last visited July 16, 2023)

This source of Govt. of India discusses the use of FRT in Airports by DigiYatra

4. Elonnai Hickok, Pallavi Bedi, Aman Nair and Amber Sinha, Facial Recognition Technology in India, THE CENTRE FOR INTERNET AND SOCIETY, 11 (2021), https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://cis-india.org/internet-governance/facial-recognition-technology-in-india.pdf&ved=2ahUKEwjmvOb9jZqAAxWKGogKHZDWDiQ4ChAWegQIBBAB&usg=AOvVaw0k3sSaadGEsvDnm8kglZYM

This journal as a source is used for the detailed study of the use of FRT, its use, and Laws relating to the same in both National and International Levels.

5. Article 21 of the Indian Constitution to discuss the Right to Privacy and FRT

6. Information Technology Act, 2000 to discuss its provisions Sec. 43A, 69, and 69B and their impact on FRT

7. Digital Protection Bill, 2022 and PRS LEGISLATIVE RESEARCH, https://prsindia.org/billtrack/draft-the-digital-personal-data-protection-bill-2022, (last visited July 19, 2023)

These sources are used to establish how it will govern Data Protection.

8. UNCTAD, https://unctad.org/page/data-protection-and-privacy-legislation-worldwide, (last visited July 19, 2023)

This source is used to discuss comparative study of Data Protection Laws around the Globe.

IV. Background

The ^[1]emergence of FRT dates back to the 1960s when a system was developed to identify photos of faces by Woodrow Wilson Bledsoe which was later improvised in the ’70s, ’80s, and ’90s to pave the way to modern recognition systems. Following the improvisations, ^[2]Illinois’s Biometric Information Privacy Act came into effect in 2008. Further, in 2011, FRT was used to confirm the identity of ^[3]Osama bin Laden then ^[4]Deep face Photo tagging by Facebook in 2014 was revealed following which, FRT was introduced into personal devices in 2015 in ^[5]Windows Hello and ^[6]Android’s Trusted Face which further came in ^[7]iPhone X and FaceID in 2017.

V. Where FRT is Being Used

FRT systems have been used for various purposes, from unique identification of every individual by way of Aadhar, to surveillance, identification of missing children, solving crimes, taking attendance, and KYC, it has come a long way even though there is a clear lack of information to the public on how the data is being collected, stored, and used.

Here’s how the Government and Private entities are using the information:

A. Government Entities

   1. Aadhar

In the form of ^[8]Aadhar, FRT was introduced by the Unique Identification Authority of India (UIDAI) in the year 2018, which is the National Identity System that authenticates the identity by way of an iris scan. The technology creates a multi-factor authentication and its Application Programming Interfaces (APIs) can be incorporated into any electronic device.

Further, the Aadhar-enabled system is being operated by the ^[9]NCPI by which individuals can ^[10]complete transactions by biometric verifications.

   2. Digi-Yatra

The ^[11]Ministry of Civil Aviation launched the Digi Yatra Policy in 2018 under which FRT has been deployed at Airports to give every air traveler a paperless, hassle-free, and seamless journey. It made the passenger boarding process simple by utilizing the FRT by using the digi-yatra ID. However, the process was voluntary and for sharing facial data through digi-yatra, consent is required. ^[12]From 2019, passengers have the option to use their face as a boarding pass.

   3. Identification of Missing Children

In the case of ^[13]Sadhan Haldar v The State NCT of Delhi, use of an Automated Facial Recognition System (AFRS) was issued by Delhi High Court to track the missing children. Although the number of tracked children was 10,617, only 3202 of them were verified.

   4. Identification at Political Protests

^[14]FRT has been used extensively for screening people who are attending political protests to filter out missing or accused persons, prisoners, and unidentified persons.

   5. Deployment by Different States

Specific initiatives such as the Punjab Artificial Intelligence System ( PAIS) have been deployed by the Punjab Police, the e-beat book app in certain states, Pehchaan in Uttar Pradesh, Face Tagr, Neoface, and the National Automated Facial Recognition System have been deployed in various states. However, it’s pertinent to note that there is no specific law to govern the same^[15].

B. Private Entities

   1. Mobile Companies or Applications

FRT is commonly used by mobile phone companies like Apple, Samsung, Vivo, OnePlus, and Xiaomi for encryption, right from unlocking the phone to unlocking the encrypted apps.

The Mobile applications are also using FRT to enhance System Security, User Safety, and Engagement. This includes Facebook’s Deep Photo Tagging, Amazon’s Image Analysis for User Authentication, “^[16]Rekognition” which helped in user identity verification online.

   2. KYC for Opening Bank Accounts, etc.

^[17]eKYC is being used for opening bank accounts and applying for Aadhar and PAN card online which is based on FRT. This process has made the manual time-consuming processes easier.

   3. Used in Institutions for Taking Attendance

Private institutions like schools, colleges, offices, and hospitals are using the FRT extensively for taking attendance of their students and staff.^[18]

VI. FRT and Right to Privacy

Since FRT is being used by both the Government and Private entities, the question arises, what is the privacy policy of the same and how are these entities going to use that data? Are they going to store it or will dispose it off?

The Right to Privacy is a Fundamental Right enshrined under ^[19]Article 21 of the Constitution of India with a strong backing of legal precedent, ^[20]K.S Puttaswamy (Retd) vs Union of India. Currently, there are no ^[21]regulations that would govern the use of FRT, create standards for its quality, and set a standard of accuracy that is to be used for FRT. Major missing is the Data Protection Law due to which those persons cannot be held accountable who misuse the personal data of individuals. Currently, ^[22]64 FRT systems are being monitored by the IFF’s Project Panoptic both at the Central and State Levels. These include Biometric Authentication, especially for attendance by ministries of road, transport, power, defence, highway, and others. The FRT system has also been opted for by private entities for attendance, KYC, phone unlocking, app encryption, and others. So it becomes important to limit the data that is being collected by the system and in case of misuse, make some accountability mechanisms. It is pertinent to note that the collection of data should be done keeping in mind the ‘Right to Privacy’ which is a fundamental right. The Authorities should make sure the data is not used for any unethical or unlawful purposes.

Besides, the use of personal data without the consent of the user is deemed to be a violation of his fundamental right. One of the incidents which throw light on how the absence of Data Protection Law affects individuals is of ^[23]Delhi Police which used the data for tracing and identifying missing children, criminals, at political rallies and others. Here, the issues relating to misidentification and mass surveillance have arisen because Delhi Police is using FRT without the consent of Persons involved which is raising concern about the Right to Privacy.

VII. Analyzing the Legal Framework

No fixed statute governs the FRT in India. But some provisions interpret the need for laws to govern the use of FRT specifically taking into mind The Right to Privacy, how and where the state should be stored, which data should be stored, consent of specific individual(s) for collection of the same and more.

– Is there an existing legal framework governing FRT in India

There is no specific legal framework to govern FRT in India. However, with more people coming online with the expansion of the Internet, the Government is aiming to make its policies to ensure there is a safe, open, accountable, and trusted Internet for its users. The primary provision which we have is the Right to Privacy as envisaged under Article 21 of the Constitution of India. The IT Act has some provisions as well to govern the use of biometric data. Center has also attempted framing legislation for protection of Data in the form of Digital Personal Data Protection Bill, 2022 six years after the Supreme Court held Privacy a Fundamental Right, which is to be tabled in Parliament’s Monsoon Session. Furthermore, Shri Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology, in a ^[24]written reply to a question in Rajya Sabha referred Sec. 69A and the Digital Personal Data Protection Bill, 2022 for regulation of Facial Recognition Technology.

– Relevance and implications of the Information Technology (Amendment) Act, 2008

Sec. 43A, 69, and 69B of the Information Technology (Amendment) Act, 2008 lays down the provisions of powers of the Central or State Government.

• As per ^[25]Sec 43A of the Information Technology (Amendment) Act, 2008, the Body Corporate dealing with the personal data of users and storing it in its computer resource ought to keep that data protected. In case, it fails to do so that causes wrongful loss or gain to any person due to negligence on the behalf of that body corporate in maintaining or implementing reasonable security measures, such body corporate or entity would be liable to pay damages by way of compensation to the person aggrieved. The government is exercising its powers to prescribe rules regarding the reasonable security practices and procedures that are to be complied with while taking into account the sensitive personal data which includes biometric information and biometric information further includes technologies that analyze or measure facial patterns.

Therefore, it is pertinent to consider wider scope while interpreting the existing laws until there is a proper statute.

• As per ^[26]sec. 69, Central or State Government or any of its appointed officers has the power to issue directions for interception, monitoring, decryption of any information through Computer resource if they think it’s appropriate for sovereignty, integrity, defense or security of India or for maintaining friendly relations with foreign states or for preventing the commission of any cognizable offence and the intermediary shall when called upon by the agency have to intercept, monitor or decrypt that specific information and provide information stored in computer resource. The intermediary shall provide access to such computer resources which are receiving, generating, or transmitting such information. If any intermediary fails to comply with the provisions then imprisonment of seven years and fine shall be imposed.

• As per sec. ^[27]69B, the Central Government has the power to monitor and collect traffic data or information for enhancing Cyber Security through any Computer Resource. However, directions under this section shall be issued except, if the order is made by competent authority. Here, the competent authority is the Secretary to the Government of India under the Ministry of Communications and Information Technology in the Department of Information Technology.

– Analyzing the draft Data Protection Bill of 2022 and its provisions related to FRT

The Ministry of Electronics and Information Technology has prepared a ^[28]draft Bill, known as the Digital Personal Data Protection Bill, 2022 which is approved by the Cabinet and to be tabled in Parliament’s Monsoon Session. Upon becoming law it will have a pertinent role in Trade Negotiations of India with other Nations especially with the European Union (EU) whose General Data Protection Rules (GDPR) are among the World’s most exhaustive Privacy Policy. Although the government withdrew the earlier data protection bill from Parliament, this improvised bill proposes that the law will apply to Digital Personal Data within India including the Digital India Bill which will be succeeding the Information Technology Act, 2000, the draft Indian Telecommunication Bill, 2022 as well as the policy for non-personal data governance. It requires data fiduciaries that collect personal data to prevent Data Breach, non-compliance of which would lead to a highest penalty of Rs. 250 Crores per instance. Besides, the RTI Act could be diluted as personal data is likely to be protected under the Data Protection which will make sharing of data with the applicant difficult. ^[29]As per this bill, only that data will be processed for which the individual has given consent and it will be the obligation of data fiduciaries to keep data secure, maintain the accuracy of data, and delete it once the purpose for which it has been collected is completed. The right of obtaining information, seeking correction or erasure of data, and grievance redressal has also been granted to individuals.

VIII. Comparative study of the legal frameworks governing FRT in other states

The need for laws regulating FRT is not limited to India, the rules regarding deployment of the same have been discussed all over the world. And as per ^[30]UNCTAD out of 194 countries, 137 countries already have their legislation for the protection of user data considering the privacy of individuals.

The percentage of countries based on their adoption of legislation regarding data protection laws are:

• 71% of countries have Legislation
• 9% have Draft Legislation (India is one of them)
• 15% countries do not have Legislation
• 5% of countries’ data is not available.

In Asia, 57% of countries (i.e. out of 60, 34 countries), and in Africa, 61% of countries (i.e. out of 54, 33 countries) have adopted the Legislation for Data Protection, while the percentage of Least Developed Countries remain low at 48% making it 22 countries out of 46 having Privacy or Data Protection Laws.

The following laws have been established by various states:

1. European Union

The ^[31]GDPR of the European Union (EU) is the most stringent privacy law all around the world. The objective of GDPR is to give control of the data of European Citizens to them. The rules regarding the processing of personal data by EU by Institutions, bodies are given under Regulation ^[32]2018/1725. The ^[33]National Bodies have also been set up by EU Countries in accordance with Article 8(3) of the Charter of Fundamental Rights of the EU.

2. United States of America

In the ^[34]USA, each state is a sovereign entity that has the right to create and regulate the laws according to their needs. The Data Privacy law is governed by:

• Children’s Online Privacy Protection Act (COPPA) limits the use of data collected about children under 13 years of age which is the reason the social media sites like Instagram, Facebook, and Twitter require to verify the age of their users whether they are 13 years or older at the time of signing up.
• California Consumer Privacy Act (CCPA) gives rights to consumers to know which of their personal data information is being collected by businesses and to whom it is sold.
• California Privacy Rights Act which was passed in 2020 and came into effect in 2023 give consumers the extended right to correct their inaccurate data and limit its use and disclosure of sensitive data.

3. United Kingdom

There are no specific laws to govern the FRT in ^[35]the UK but the specific responsibilities have been set up by the Information Commissioner in the Data Protection Act, 2018. While addressing public concerns on June 18th, 2021, on Live Automated FRT in public places, the Information Commissioner gave the option to its people to comply with Data Protection Act and Regulations for storage or security of data, and inform consumers whenever their data is being used i.e., Right to be informed and several other rights.

IX. Analysis of Virtual Survey

A general survey was conducted for The Amikus Qriae, on Regulation of Facial Recognition Technology: Analyzing the Legal Frameworks Needed to Govern the Use of Facial Recognition Technology

The response was from around 130 people from different colleges enrolled in various courses and even from multiple states, with 32 answers from Punjab, followed by Delhi, Uttar Pradesh, Maharashtra, Chandigarh, Haryana, and many other states and union territories of India. Surprisingly, there was an equal male-to-female ratio and even four responses from people who do not prefer to reveal their gender.

Most people, around 120, were aware of FRT, out of which about 105 people were mindful of it missing the specific regulation. About 54.6% of people who responded are aware that the government is using FRT, about 30.8% were only aware of it being used in phones, and the rest were not familiar with the term. A question about legislation in the survey was: “Are you aware of any government provision for regulation of FRT?” In the response 65.2% of people said they only know about Right to Privacy, 18.3% about the IT Act, 9.4 knew about the Digital Data Protection Bill and the rest responded with all of the above.

The next question introduced was, “Do you know how your data is handled by the system?”

for which the response was diverse, stating that 58.5% responded with “It is sold to other companies,” 27.7% with “It is secured under privacy policy,” 5.4% with “Only the government has access to it” and 8.5% didn’t know about it. The immediate next question was, “Do you know you can control your data?” followed by, “Do you think we will have more control over our data if the Digital Data Protection Bill becomes an Act?”. The responses stated that around 61.5% were of the view that they cannot control their data. For the second question, there was “Yes” from the majority of the people that are around 51.5%, who said that they think it will give them more control over their data.

XI. Suggestions

The legislature should:

• Make specific regulations for the control of FRT and define clear guidelines for the collection and storage of data.
• Strengthen Privacy Rights to regulate the use of data collected by systems
• Look into international legislatures for regulating FRT
• Establish independent regulatory authority to ensure the effective implementation of regulations governing FRT
• By the time specific regulations come into force, the Judiciary should give guidelines for a wider scope of regulations governing data privacy.

XII. Conclusion

This paper has analyzed that FRT is being used by both Government and Private entities and the legal framework to regulate it. It discussed the Right to Privacy, Information Technology Act, and Digital Data Protection Bill and what is their role in regulating FRT. Further, the study of the legislature of  EU, USA, and UK’s Data Protection Laws is done to compare it with the Indian Laws. Based on the findings, recommendations are made to ensure the use of FRT to be more responsible and accountable thereby safeguarding the data protection rights of its citizens.

Author:

Jasmeet Kaur

St. Soldier Law College, Jalandhar

---

^[1] Thorin Klosowski, Facial Recognition Is Everywhere. Here’s What We Can Do About It, NEW YORK TIMES WIRECUTTER (July 15, 2020), https://www.nytimes.com/wirecutter/blog/how-facial-recognition-works/#privacy-tips

^[2] Lydia de la Torre, Elliot Golding & India K. Scarver, The Illinois Biometric Information Privacy Act (“BIPA”): When Will Companies Heed the Warning Signs?, 13 Nat’l L. Rev. 200 (2023)

^[3] Reuters Staff, U.S. tests bin Laden’s DNA, used facial ID: official, REUTERS, (May 2, 2011, 11:51 AM), https://www.reuters.com/article/us-binladen-dna/u-s-tests-bin-ladens-dna-used-facial-id-official-idUSTRE7411HJ20110502

^[4] Will Oremus, Facebook’s New Face-Recognition Software Is Scary Good, SLATE, (March 18, 2014, 5:45 PM), https://slate.com/technology/2014/03/deepface-facebook-face-recognition-software-is-97-percent-accurate.html

^[5] Nick Statt, Microsoft’s Windows Hello will make your face, finger or iris the new sign-in, CNET, (March 17, 2015, 10:46 AM), https://www.cnet.com/news/privacy/microsoft-introduces-windows-hello-for-signing-in-with-your-face-finger-or-iris/

^[6] Cameron Summerson, Why Face ID Is Much More Secure Than Android’s Face Unlock, HOW TO GEEK, (January 30, 2019), https://www.howtogeek.com/403453/why-face-id-is-much-more-secure-than-androids-face-unlock/

^[7] Sean Hollister, iPhone X: How Face ID works, CNET, (September 20, 2017, 2:56 PM), https://www.cnet.com/tech/mobile/apple-face-id-truedepth-how-it-works/

^[8] UIDAI, https://uidai.gov.in/en/about-uidai/legal-framework.html, (last visited July 18, 2023)

^[9] Soumyarendra Barik, UIDAI, NPCI Piloting Face Authentication For Aadhaar, MEDIANAMA, (October 6, 2020), https://www.medianama.com/2020/10/223-aadhaar-facial-recognition/

^[10] NPCI, https://www.npci.org.in/what-we-do/aeps/product-overview, (last visited July 18, 2023)

^[11] INDIA.GOV.IN, https://www.india.gov.in/spotlight/digi-yatra-new-digital-experience-air-travellers, (last visited July 16, 2023)

^[12] Poulomi Saha, Delhi airport to install facial recognition technology, trials to begin from September 6, INDIA TODAY, (September 5, 2019), Delhi airport to install facial recognition technology, trials to begin from September 6 – India Today

^[13] Sadhan Haldar v. The State NCT of Delhi W.P. (CRL) 1560/2017

^[14] Elonnai Hickok, Pallavi Bedi, Aman Nair and Amber Sinha, Facial Recognition

Technology in India, THE CENTRE FOR INTERNET AND SOCIETY, 11 (2021), https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://cis-india.org/internet-governance/facial-recognition-technology-in-india.pdf&ved=2ahUKEwjmvOb9jZqAAxWKGogKHZDWDiQ4ChAWegQIBBAB&usg=AOvVaw0k3sSaadGEsvDnm8kglZYM

^[15]Ibid

^[16] AWS BLOG, https://aws.amazon.com/blogs/machine-learning/identity-verification-using-amazon-rekognition/, (last visited July 19, 2023)

^[17] THE ECONOMIC TIMES, https://economictimes.indiatimes.com/industry/banking/finance/banking/ekyc-digital-kyc-for-opening-bank-accounts-to-make-process-secure-uidai/articleshow/70878315.cms, (last visited on July 19, 2023)

^[18] Isha Jain, Facial recognition attendance for teachers, students in state, THE TIMES OF INDIA, (Dec 11, 2022, 08:39 IST), https://timesofindia.indiatimes.com/city/lucknow/facial-recognition-attendance-for-teachers-students-in-state/articleshow/96143984.cms

^[19] INDIA CONST. art. § 21

^[20] K.S. Puttaswamy (Retd) v. Union of India (2017) 10 SCC 1

^[21] Anushka Jain, The tech vs privacy face-off, FORBES INDIA, (Aug 24, 2021, 12:08:50 PM), https://www.forbesindia.com/article/independence-special-2021/the-tech-vs-privacy-faceoff/69963/1

^[22] Ibid

^[23] Gyan Prakash Tripathi and Anushka Jain , Explained | Delhi Police’s use of facial recognition technology, THE HINDU, (August 21, 2022 11:07 pm), https://www.thehindu.com/sci-tech/technology/explained-delhi-polices-use-of-facial-recognition-technology/article65793897.ece

^[24] PIB Delhi, Facial Recognition Technology, pib.gov.in, (23 December, 2022, 1:59PM), https://pib.gov.in/PressReleasePage.aspx?PRID=1885963

^[25] Information Technology Act, 2000, § 43A, No. 21 Acts of Parliament, 2000 (India)

^[26] Information Technology Act, 2000, § 69, No. 21 Acts of Parliament, 2000 (India)

^[27] Information Technology Act, 2000, § 69B, No. 21 Acts of Parliament, 2000 (India)

^[28] MeitY, https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://www.meity.gov.in/writereaddata/files/The%2520Digital%2520Personal%2520Data%2520Potection%2520Bill%252C%25202022_0.pdf&ved=2ahUKEwiUzee3rpqAAxVG_2EKHfQxAfYQFnoECAoQAQ&usg=AOvVaw3Y1eW2T3kQw9jDjqIcZ_In (last visited July 19, 2023)

^[29] PRS LEGISLATIVE RESEARCH, https://prsindia.org/billtrack/draft-the-digital-personal-data-protection-bill-2022, (last visited July 19, 2023)

^[30] UNCTAD, https://unctad.org/page/data-protection-and-privacy-legislation-worldwide, (last visited July 19, 2023)

^[31] EUROPEAN COMMISSION, https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu_en, (last visited July 19, 2023)

^[32] EUR-LEX, https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1552577087456&uri=CELEX:32018R1725, (last visited July 19, 2023)

^[33] EUROPEAN DATA PROTECTION BOARD, https://edpb.europa.eu/about-edpb/about-edpb/members_en, (last visited July 19, 2023)

^[34] Conor Murray, U.S. Data Privacy Protection Laws: A Comprehensive Guide, FORBES, (Apr 21, 2023, 09:02 AM), https://www.google.com/amp/s/www.forbes.com/sites/conormurray/2023/04/21/us-data-privacy-protection-laws-a-comprehensive-guide/amp/

^[35] Elisa Ribeiro, Facial Recognition cameras- what your rights are, DAS LAW BLOG, (May3, 2023), https://www.daslaw.co.uk/blog/facial-recognition-cameras-what-your-rights-are