-Invasion of privacy through video surveillance-
To The Prime Minister of Malta, Dr Joseph Muscat
To The Prime Minister of Malta, Dr Joseph Muscat
Copied to:
Commissioner Vera Jourova - The
European Commission
Mr Giovanni
Buttarelli , European Data Protection Supervisor
Anthony C. Mifsud - The Ombudsman,
Malta
Mr Saviour Cachia - Information
and Data Protection Commissioner - Malta
The Press
Malta IT Law Association
Dear Mr Prime Minister.
Last November 27th, 2018, I
wrote to the European Commission and to the European Data Protection Supervisor
on various queries which I had regarding the Safe City”
project for video surveillance and face recognition technology in Malta. You may read a copy of the letter here: https://mikes-beat.blogspot.
Commissioner Vera
Jourova replied on 4 April 2019. You may read a copy of the letter here: https://mikes-beat.blogspot.
Given the above I am hereby
kindly requesting your feedback on the following:
1.
Any such
processing must comply with the General Data Protection Regulation (EU)
2016/679 (GDPR) Directive (EU) 2016/680 (Directive) applies, where the
processing is carried out by competent authorities for the purposes of the
prevention, investigation, detection or prosecution of criminal offences or the
execution of criminal penalties. In this light, it is important to identify who
is the data controller for the purposes of the processing carried out within
the ‘Safe City’ project.
2.
A legal
basis in national legislation, which determines at least the objective and
purposes of the processing, and authorises the controller to perform the
processing to the extent that the processing is necessary for the performance
of a task in the public interest. According to settled case law, the protection
of personal data requires that limitations in relation to that fundamental
right can apply only in so far as it respects the essence of that right and is
strictly necessary and proportionate.
3.
These requirements are even more stringent where
the video surveillance uses facial recognition technology. Facial recognition
constitutes biometric data for the purpose of uniquely identifying a natural
person and thus processing of special categories of personal data.
4.
(As regards
valid consent) The GDPR prohibits in principle the processing of
special categories of personal data. As regards the use of that technology for
video surveillance of public space, processing must be necessary not only for
reasons of public interest, which might justify the video-surveillance as such,
but requires reasons of substantial public interest. These substantial public
interests must be laid down by law which shall be proportionate to the aim
pursued, respect the essence of the right to data protection and provide for
suitable and specific measures to safeguard the fundamental rights and
interests of the data subject ( Article 9(2)(g) GDPR).
5.
The
intended project requires a data protection impact assessment prior to the
processing. Both a systematic monitoring of publicly accessible areas and the
processing of special categories of data on a large scale, in particular using
new technologies, constitute processing which is indeed likely to result in a
high risk for the freedoms of natural persons. The data protection impact
assessment shall contain, amongst others, an assessment of the necessity and
proportionality of the processing operations, an assessment of the risks to the
rights and freedoms of data subjects, and the measures envisaged to address
those risks, safeguards, security measures and mechanisms to ensure the
protection of personal data and to demonstrate compliance with the GDPR.
6.
The
controller of such project is obliged to implement appropriate technical and
organisational measures to ensure and be able to demonstrate that processing is
performed in accordance with the GDPR. In particular, the controller must
implement appropriate technical and organisational measures designed to
implement data protection principles, such as data minimisation, in an
effective manner and to integrate the necessary safeguards into the processing
in order to meet the requirements of the Regulation and protect the rights of data
subjects. Thereby, the controller shall take into account the state of the art,
the cost of implementation and the nature, scope, context and purposes of
processing as well as the risks of varying likelihood and severity for rights
and freedoms, both at the time of the determination of the means for processing
and at the time of the processing itself. It is therefore for the accountability
of the controller, to choose only such technology, which is compliant with the
data protection principles and requirements, regardless whether that technology
is developed by a European company or by a provider from outside the EU.
7.
As regards the involvement of processors, the GDPR
requires that only processors should be used who provide sufficient guarantees
to implement appropriate technical and organisational measures in such a manner
that processing will meet the requirements of the GDPR and ensure the
protection of the rights of the data subjects.
8.
The GDPR
does not provide for an absolute obligation to carry out such information
campaigns, but provides that the controller shall seek the views of data
subjects or their representations on the intended processing, where
appropriate.
9.
The
central role of the national data protection supervisory authority: Where the data protection impact assessment
indicates that the processing would result in a high risk in the absence of
measures taken by the controller to mitigate the risk, the national data
protection supervisory authority must be consulted prior to the processing. In
any case, the supervisory authority must be consulted during the preparation of
the proposal for legislative measure on which the processing for such project
shall be based.
Dear Mr Prime Minister, I am
sure you agree that it is in the public interest for such queries to be
addressed.
Best regards,
Dr Michael Briguglio
