Opinion on Statutory Regulations on the Use of Facial Recognition Systems by Public and Private Sector Organizations and Incorporated Administrative Agencies
Opinion (full text) (PDF file; 227KB)
September 16, 2021
Japan Federation of Bar Associations
The Japan Federation of Bar Associations (“JFBA”) compiled an opinion paper, “Opinion on Statutory Regulations on the Use of Facial Recognition Systems by Public and Private Sector Organizations and Incorporated Administrative Agencies,” dated September 16, 2021, and submitted it on September 21, 2021 to the Commissioner General of the National Police Agency; the Superintendent General of the Metropolitan Police Department; the Chiefs of Prefectural Police Headquarters; the Minister of Internal Affairs and Communications; the Minister of Health, Labour and Welfare; the Chairperson of the Personal Information Protection Commission; prefectural governors; and mayors of the cities designated by Cabinet Order.
Summary of the Opinion
- 1. The Government should exercise strict control as listed below over the use of facial recognition systems aimed at the general public, regardless of whether they are used by public or private sector organizations or by incorporated administrative agencies, to ensure that their use of the systems will not violate the right to privacy and associated rights of citizens unjustifiably:
- (i) Prohibit, in principle, creating facial recognition databases and other data sources, and using the facial recognition system without the data subject’s explicit consent.
- (ii) Set strict criteria for exceptional cases where public administrative agencies, private businesses, and incorporated administrative agencies may create facial recognition databases and other data sources, and use the facial recognition system.
- (iii) Provide effectual oversight by the Personal Information Protection Commission.
- (iv) Publicize basic information about facial recognition systems.
- (v) Enact legislation embracing the protection of rights of data subjects who are likely to have been entered into the database by mistake.
- 2. In circumstances other than the ones described above, that is, in terms of facial recognition systems to verify certain individuals, as well as the once-only cross-referencing comparing the facial entries in storage media with facial images of specific individuals who opt into the cross-referencing, i.e., facial images that will not be saved in the facial image datasets, the use of facial recognition technology, regardless of whether it is used by public or private sector organizations or by incorporated administrative agencies, should be limited to cases where the following criteria are met to ensure that the right to privacy and associated rights of citizens will not be violated unjustifiably:
- (i) An explicit statute permitting the use is in place.
- (ii) The facial recognition system is not used for individuals who do not consent to the use.
- (iii) Individual consent is not mandatory and optional choices are available so that people will not be subjected to detriments even if they do not consent to the use.
- (iv) The organization with a facial recognition system installed notifies the Personal Information Protection Commission that the facial recognition system has been set in place and is in use.
- 3. At least, the following activities must be discontinued:
- (i) Conducting police investigations using facial recognition technology even though there is no legislation that limits the scope of such investigations exclusively to investigation of serious organized crimes.
- (ii) Employing facial recognition technology at healthcare receptions where patients check in using the Individual Number Card (with a photo).
- (iii) Expanding the use of facial recognition data to a large extent by linking the Individual Number Card with the Health Insurance Card, etc., thereby further increasing the scope of facial recognition systems use.
- In addition, collecting and cross-referencing facial recognition data in public administration, even though verification by face photos is working, should not be permitted because there is no need to implement it.