Friday, April 05, 2019

Face recognition surveillance: Letter to Prime Minister Joseph Muscat

-Invasion of privacy through video surveillance-

To The Prime Minister of Malta, Dr Joseph Muscat

Copied to:

Commissioner Vera Jourova - The European Commission

Mr Giovanni Buttarelli, European Data Protection Supervisor

Anthony C. Mifsud - The Ombudsman, Malta

Mr Saviour Cachia - Information and Data Protection Commissioner - Malta

The Press

Malta IT Law Association

Dear Mr Prime Minister.

Last November 27th, 2018, I wrote to the European Commission and to the European Data Protection Supervisor on various queries which I had regarding the “Safe City” project for video surveillance and face recognition technology in Malta. You may read a copy of the letter here:

Commissioner Vera Jourova replied on 4 April 2019. You may read a copy of the letter here:

Given the above I am hereby kindly requesting your feedback on the following:

1. Any such processing must comply with the General Data Protection Regulation (EU) 2016/679 (GDPR). Directive (EU) 2016/680 (Directive) applies where the processing is carried out by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. In this light, it is important to identify who is the data controller for the purposes of the processing carried out within the ‘Safe City’ project.

2. A legal basis in national legislation, which determines at least the objective and purposes of the processing, and authorises the controller to perform the processing to the extent that the processing is necessary for the performance of a task in the public interest. According to settled case law, the protection of personal data requires that limitations in relation to that fundamental right can apply only in so far as it respects the essence of that right and is strictly necessary and proportionate.

3. These requirements are even more stringent where the video surveillance uses facial recognition technology. Facial recognition constitutes biometric data for the purpose of uniquely identifying a natural person and thus processing of special categories of personal data.

4. (As regards valid consent) The GDPR prohibits in principle the processing of special categories of personal data. As regards the use of that technology for video surveillance of public space, processing must be necessary not only for reasons of public interest, which might justify the video-surveillance as such, but requires reasons of substantial public interest. These substantial public interests must be laid down by law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject (Article 9(2)(g) GDPR).

5. The intended project requires a data protection impact assessment prior to the processing. Both a systematic monitoring of publicly accessible areas and the processing of special categories of data on a large scale, in particular using new technologies, constitute processing which is indeed likely to result in a high risk for the freedoms of natural persons. The data protection impact assessment shall contain, amongst others, an assessment of the necessity and proportionality of the processing operations, an assessment of the risks to the rights and freedoms of data subjects, and the measures envisaged to address those risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.

6. The controller of such project is obliged to implement appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with the GDPR. In particular, the controller must implement appropriate technical and organisational measures designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect the rights of data subjects. Thereby, the controller shall take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms, both at the time of the determination of the means for processing and at the time of the processing itself. It is therefore for the accountability of the controller to choose only such technology, which is compliant with the data protection principles and requirements, regardless of whether that technology is developed by a European company or by a provider from outside the EU.

7. As regards the involvement of processors, the GDPR requires that only processors should be used who provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subjects.

8. The GDPR does not provide for an absolute obligation to carry out such information campaigns, but provides that the controller shall seek the views of data subjects or their representations on the intended processing, where appropriate.

9. The central role of the national data protection supervisory authority: Where the data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the national data protection supervisory authority must be consulted prior to the processing. In any case, the supervisory authority must be consulted during the preparation of the proposal for legislative measure on which the processing for such project shall be based.

Dear Mr Prime Minister, I am sure you agree that it is in the public interest for such queries to be addressed.

Best regards,

Dr Michael Briguglio