First City in Pennsylvania Passes Ordinance on Controversial Facial Recognition Technologies

By Jennifer K. Wagner, J.D., Ph.D.



Previously on this blog, Patrick McKnight wrote about facial recognition technologies coming under increased congressional scrutiny, noting companion bills introduced on June 25, 2020 by Senators Markey and Merkley (S. 4084) and Representatives Jayapal and Pressley (H.R.7356) known as the “Facial Recognition and Biometric Technology Moratorium Act of 2020.” Mr. McKnight described facial recognition as “the next frontier of privacy legislation.” In addition to increased scrutiny from those on Capitol Hill, facial recognition technologies are facing increased scrutiny and criticism from state and local policymakers as well as scholars across the nation.


As highlighted in a recent report issued by the Government Accountability Office (GAO-20-522), there are only a few state laws protecting biometric information privacy specifically (i.e., those in Illinois, Washington, and Texas), but general data breach notification laws in several states encompass facial imaging data. Additionally, recent general data protection laws, such as the California Consumer Privacy Act (CCPA), contain carefully drafted definitions of “biometric information” to ensure the protection of “imagery of the face” and “faceprints.” There seems to be a growing movement to consider more specific legislation to address facial recognition technologies, as bills have been introduced in several states. Additionally, within the past 18 months, more than a dozen cities have passed some sort of ordinance banning, imposing a moratorium, or otherwise limiting facial recognition technologies, including San Francisco, CA; Somerville, MA; Oakland, CA; Berkeley, CA; Brookline, MA; Alameda, CA; Northampton, MA; Cambridge, MA; Springfield, MA; Boston, MA; Easthampton, MA; Portland, OR; Jackson, MS; and Portland, ME. The most recent locale to join this group is Pittsburgh, PA.


Pittsburgh Passes Ordinance on Facial Recognition Technology

A proposed ordinance introduced in August by Pittsburgh City Council member Corey O’Connor gained preliminary approval on September 16, 2020. A week later (on September 22), the Pittsburgh City Council voted (8-0 with one abstention) to pass the ordinance, and Pittsburgh Mayor Bill Peduto signed the bill on Sept. 24, 2020.


The ordinance requires law enforcement to seek approval from City Council before obtaining, accessing, or using “Facial Recognition Technology” or “Predictive Policing Technology” but allows law enforcement to make limited, temporary uses of “Select Surveillance Technology” if in response to “Exigent Circumstances” and limited to a period no longer than 90 days. The text of the ordinance suggests that approval is required for each technology rather than for each individual use case for a particular technology or information derived therefrom. The ordinance establishes four key definitions: Exigent Circumstances, Facial Recognition Technology, Predictive Policy Technology, and Select Surveillance Technology.


Privacy Law Advocates Should Hold Off on Celebrations

The ordinance has already been criticized as merely symbolic and lacking any meaningful substance. Notably, this ordinance leaves intact all existing access to facial recognition technologies that Pittsburgh law enforcement has at this time and does so in a sweeping manner, effectively enabling those services to be enhanced and expanded without any consultation with City Council pursuant to this ordinance so long as those changes are made not directly by Pittsburgh police but by whatever entity provides those services to the City of Pittsburgh (whether it be an operator, manager, or publisher of databases, programs, and technologies). This means, for example, that Pittsburgh police may continue to access and use the Pennsylvania Justice Network (JNET)—which enables statewide photo searches of PennDOT (driver’s licenses) and WebCPIN (mugshot photos and images from the Department of Corrections, Pennsylvania Board of Probation and Parole, and county prisons). When new facial recognition or predictive policing technology is desired, this ordinance simply mandates that City Council be part of the process prior to the technology’s acquisition or use.


Broader Significance

The Pittsburgh ordinance might not offer more than illusory constraints on law enforcement’s use of facial recognition technologies; nevertheless, it marks the beginning of broader policy conversations across the commonwealth regarding how Pennsylvania residents should be protected from unreasonable “dataveillance” and how to promote, at a minimum, transparency in how facial recognition technologies are used in Pennsylvania. For example, following news reports earlier this year that the Philadelphia police had tested out Clearview AI and that facial recognition was being deployed at PHL airport by Customs and Border Protection at some international gates, the Philadelphia City Council considered a resolution (Resolution No. 20026700) calling upon the Philadelphia Police Department and other law enforcement agencies “to establish clear boundaries and issue transparent policies” about how facial recognition technology is being used and “to ensure that this technology does not lead to racial biases in policing practices and outcomes or infringe on individuals’ civil liberties.” While the resolution was apparently withdrawn from the calendar in June, the topic is likely to arise again in some form there and elsewhere.


Already Allegheny County Council reportedly introduced an identical bill to the Pittsburgh ordinance, and attorneys should assume that other locations will follow suit. While facial recognition technologies are deployed in diverse contexts and by diverse actors, it is in the context of police body camera recordings that political pressure might lead to meaningful legislative reforms to strengthen oversight of and improve transparency for facial recognition technology practices. Act 22 of 2017 (S.B. 560), which ushered in an expansion of police body cameras, mandated law enforcement agencies to issue written policies specifically on any “use of facial recognition software or programs” [§67A07(a)(6)]. One might expect York, Scranton, Erie, Harrisburg, State College, and other areas in Pennsylvania in which body camera programs have been moving forward to be ripe for discussions about facial recognition technologies specifically and data justice issues more broadly.


At the state level, there do not appear to be any laws or bills under current consideration regarding facial recognition technologies specifically. Pennsylvania’s data breach notification law (73 Pa. Stat. §2301 et seq., Breach of Personal Information Notification Act) does not explicitly cover facial imaging or other biometrics data. During the 2019-2020 regular session, the Pennsylvania General Assembly has been considering several bills related to biometrics generally (including, among others, H.B. 1010 and S.B.955 on data breach notifications and H.B. 1049 on consumer data privacy) the text of which could be broad enough to apply to faceprints and facial imaging data. Careful reading of how terms of art are defined will be critical when evaluating the strengths, weaknesses, and potential impacts of any legislation that might be on the horizon regarding data protections broadly or facial recognition technologies narrowly.


Jennifer K. Wagner, J.D., Ph.D., is a solo practicing attorney and also conducts research as an Assistant Professor in the Center for Translational Bioethics & Health Care Policy at Geisinger. She is a former contributing editor of the Genomics Law Report and has published scholarly articles in prominent legal and scientific journals, including the Journal of Law & Biosciences; Journal of Law, Medicine, & Ethics; Albany Law Journal of Science & Technology; Virginia Sports and Entertainment Law Journal; North Carolina Journal of Law and Technology; Nature Communications; Nature Medicine; American Journal of Human Genetics; Genetics in Medicine; and PLOS Genetics. She served as a AAAS Congressional Fellow in a U.S. Senator’s office in 2014-2015, and her work has been cited by the Supreme Court of the United States. You may follow her on Twitter as @DNAlawyer.

About: PBA Cybersecurity and Data Privacy

The Pennsylvania Cybersecurity and Data Privacy Committee analyzes cybersecurity issues and educates PBA members about legal, regulatory and industry standards that preserve the confidentiality of protected information.

Leave a Reply

Your email address will not be published. Required fields are marked *