Research, the GDPR, and Mega Biometric Training Datasets: Opening the Pandora Box ¹

This paper sheds light on the challenges that the EU data protection pose to the constitution and the use of large-scale biometric datasets for research purposes. The paper analyses the GDPR (General Data Protection Regulation) rules applicable to research and explains their inadequacy for the constitution of large biometric datasets developed to train and test biometric recognition models. Researchers need a considerable amount of data to train and test their models. These data cannot be realistically obtained with the consent of individuals to whom the data relate. But can researchers collect them from publicly available sources, such as social media or open platforms, to create large biometric datasets? Under the current GDPR rules, it seems rather difficult for researchers located in the EU to do so. A thorough analysis of the provisions will explain the challenges that researchers face. In that context, one could have hoped that the Data Governance Act (DGA) would have brought some opportunities for research when it aimed at promoting data altruism. But it seems that the DGA is a missed opportunity to open up personal data for research purposes. As acknowledged by some companies, these regulatory impediments might force researchers to train their models outside the EU with datasets not subject to the EU data protection rules.