Last month Brad Smith, president of Microsoft, wrote a powerful open letter calling on Congress to regulate facial recognition technology. We support his effort and congratulate Microsoft for starting this much-needed conversation.
At the core of that discussion is the tension between the need to protect our privacy and the imperative to encourage innovations that will make our lives much better. Facial recognition certainly has the potential to improve our lives tremendously, from adding convenience to improving security and more.
We believe that Congress should start by considering Europe's GDPR (General Data Protection Regulation), which governs the protection of Personally Identifiable Information.
We also believe that private companies that are working at the forefront of this facial recognition revolution ought to model their privacy protection practices on the guidelines specified in the GDPR until Congress acts.
The basic principles that we should all be following when handling facial recognition data are therefore those of the GDPR:
lawfulness, fairness and transparency: People should know who has their biometric information.
purpose limitation: People should know why we have their biometric information.
data minimization: The biometric data is part of a collection of other identifying information; we should collect only what is necessary.
accuracy: People should be able to update information about themselves and should be able to ask us to erase it (opt out).
storage limitation: We should keep the identifying information only as long as needed for the service that we are providing.
integrity and confidentiality: We should keep their data encrypted and safe.
accountability: People should be able to verify that we are doing all of the above.
We take our customers’ privacy very seriously and are extending our efforts to help our competitors achieve the same level of data protection that we have with our Open API.
At Whoo we want every person in the US to know who can recognize them and why. And we make it easy to control the accuracy of that data and to opt out.
Arturo Falck
President
visit us at Whoo.ai
646.228.6341 | LinkedIn
PS: A little background on GDPR from Wikipedia:
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements pertaining to the processing of personally identifiable information of individuals (formally called data subjects in the GDPR) inside the European Union, and applies to all enterprises, regardless of location, that are doing business with the European Economic Area. Business processes that handle personal data must be built with data protection by design and by default, meaning that personal data must be stored using pseudonymization or full anonymization, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit, informed consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation or unless the data controller or processor has received an unambiguous and individualized affirmation of consent from the data subject. The data subject has the right to revoke this consent at any time.
A processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for data processing, and state how long data is being retained and if it is being shared with any third parties or outside of the EU. Data subjects have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.
PPS: A note on PII (Personally Identifiable Information) from Wikipedia: NIST Special Publication 800-122 defines PII as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; (…)"