D-ID would not name particular customers that use its technology, but Perry said the company mainly works with retailers, car companies, and “large conglomerates that deploy CCTV in Europe.” Ann Cavoukian, a D-ID advisory board member and former privacy commissioner for the Canadian province of Ontario, says the solution is “a total win-win.”

Other experts, however, say that the company misinterprets Europe’s General Data Protection Rule, doesn’t do what it’s supposed to, and—even if it does—probably shouldn’t be doing it anyway.

GDPR violation?

Three leading European privacy experts who spoke to MIT Technology Review voiced their concerns about D-ID’s technology and its intentions. All say that, in their opinion, D-ID actually violates GDPR. (It could, however, be legal in non-EU areas.)

Race is a special category under GDPR, which means processing data that infers race is illegal without explicit consent, explains Gaëtan Goldberg, a data privacy lawyer with GDPR watchdog NOYB. Violations of GDPR rules can result in fines of €20 million or 4% of a company’s annual revenue, whichever is higher.

When presented with these concerns, David Mirchin, a privacy lawyer who advises D-ID, disagreed with the experts. He claims that “there never is a point where D-ID’s Smart Anonymization solution analyzes, reveals, or stores” this type of sensitive data. Perry adds that D-ID is happy to anonymize ethnicity data as well. The outside lawyers, however, contend that simply detecting the faces, whether to “anonymize” them or not, is a violation.

Perry and Mirchin also argue that it’s okay to feed anonymized biometric data to algorithms. But while GDPR doesn’t apply to anonymous data, the startup doesn’t actually anonymize the video in any case, says Michael Veale, a privacy expert at University College London. The scrambled video would not be considered anonymous under GDPR. With truly anonymous data, one piece of information can’t be linked back to a particular individual even when it is combined with other data. That’s a high bar.

But even if altered footage doesn’t look exactly like you, it can be combined with other information—location data taken from social media, for example, or credit card records—and traced back. Plus, says Veale, the technology still would not automatically give companies carte blanche to “repurpose CCTV for quite frivolous business purposes that aren’t something with a serious public interest, like fighting crime.”

Spirit of the law

The fact that D-ID positions itself as a privacy solution is revealing. With elements of new data protection laws like GDPR and the California Consumer Privacy Act remaining open to interpretation, some companies are proving ingenious at marketing themselves. These technologies “comply” with regulations in a way that benefits the companies that want to make money from data, rather than the people whose data is being captured. This is a violation of the spirit of the law, say critics. Britt Paris, an information science scholar at Rutgers University, calls D-ID exploitative and an example of “further encroachment of the datafication of everyday life.”

But Cavoukian, the D-ID board member, says she is not a “privacy fundamentalist” and thinks there’s nothing wrong with collecting data so long as people’s exact identities are obscured.