Data protection agencies in Europe are critical of surveillance projects and networks that violate national and GDPR regulations, but involve little or no use of facial recognition and related biometric technologies. Ireland imposes its first (and significant) fine for surveillance operations in its third largest city, Limerick, without legal grounds, while in Finland the data protection agency has worked with the police to design new compliant systems.
Limerick fined €110,000 over 401 camera system processing personal information
A three-and-a-half-year investigation by the Irish Data Protection Commission (DPC) revealed several instances of non-compliance with GDPR and Irish data protection law surrounding the rollout by the City and County of a surveillance network with 401 cameras, automatic license plate recognition (ANPR) and two drones in public places.
The conclusions of the DPC of December 2021 and the “corrective powers exercised” are abstract by the Commission, and to sum up further, Limerick Council had installed CCTV cameras without legal basis, was processing personal data by CCTV cameras without legal basis, same with ANPR. It also failed to meet GDPR transparency requirements in terms of CCTV operation signaling and policy availability.
Temporary prohibitions are in place on the processing of personal data with CCTV cameras in certain locations for law enforcement purposes until a legal basis can be found, similarly for CCTV cameras for management traffic.
Full CPD report on its decision finds that only 44 cameras in operation were authorized and compliant. 26 provided traffic management streams, 13 were along a “Smarter Travel” walkway, 48 in a smart CCTV pilot project in 14 cities, and 314 in various locations such as housing estates, accommodation sites passengers and public spaces. 192 of them powered monitoring centers for real-time monitoring. The report also notes that one of the cameras the Council intended to install includes facial detection.
Drones have been used to combat illegal dumping of waste. They weren’t intended to record footage, but the Council recognized that if the drones caught someone in the act, they would then capture footage. This meant that the Council processed personal data for the use of drones.
IPVM reports that Limerick officials say the cameras were not uninstalled but GDPR-violating features were disabled. His analysis also finds that the median GDPR fine across 30 countries was around $3,900, meaning that Ireland’s first fine, at around $124,000, is one of the largest fines related to GDPR. GDPR in Europe.
Finnish police build centralized surveillance system
The Finnish police and the Data Protection Ombudsman have designed a new centralized way to develop data protection practices for police surveillance in public spaces because the reality was not in line with the country’s legislation.
The municipalities were also at fault, in particular the city of Oulu and the way it cooperated with its police department. This led the Data Protection Ombudsman to engage with the police in a thorough risk assessment of technical surveillance – the recording of public places but without particular categories of personal data used to identify individuals such as biometrics.
The assessment led the police to build a centralized camera system and update their internal guidelines. Surveillance systems put in place by municipalities to monitor public places are integrated into the new centralized system. The new centralized user management allows for easier logging, as required by legislation, as well as impact and risk assessment.
A new model contract that covers the processing of personal data and accepts data control is now used between the police and any other authorities or municipalities they work with when monitoring.
Finnish police have previously considered the possibility of implementing facial recognition for recorded surveillance footage and their National Bureau of Investigation had used Clearview AI software on a standalone basis in 2020, without the approval of the National Police Board. . This led to a statutory reprimand from the Deputy Data Protection Ombudsman in accordance with GDPR rules.
biometrics | cameras | video surveillance | data protection | face detection | Finland | Ireland | license plate readers | regulation | smart cities | video surveillance