A series of injunctions has been issued by CNIL of France for the mismanagement of a database containing fingerprints.
The CNIL of France has recently issued a series of injunctions to a government ministry, the Ministry of the Interior, for the alleged illegal storage of data, poor file management, and a lack of information given to persons whose data is stored on its system. The Automated Fingerprints File, initiated in 1987 and containing the fingerprints and handprints of various people implicated in investigations, had accumulated a sizable database of the prints of over 6.2 million people. Many of these files should have been deleted for various reasons.
CNIL has accused the Ministry of the Interior of storing data unlawfully, as well as keeping data stored well beyond its lawful retention period.
According to a Euractiv report, CNIL criticized the Ministry of the Interior last month for storing data that was not provided for under the legislation. Depending on the gravity and the nature of an offense, this data may be stored for 10, 15 or 25 years. In the event of an acquittal or dismissal of a case, however, all fingerprints and data must be deleted. In 2019, at the time of the CNIL investigation into this government ministry, over 2 million records were being kept past their retention periods. In addition, several million manual files were being kept without a legal basis, despite digitization efforts over several years. The CNIL has asked that about 7 million manual files be deleted in spite of the fact that they had not surpassed their retention period.
The injunctions issued by CNIL also concerned matters of security and information dissemination.
One of the issues raised by the CNIL was that police were able to access the files containing the aforementioned biometric information, as well as other personal information, with a password of only 8 characters. This data was therefore deemed insufficiently secured by the privacy authority. In addition, according to the laws of France, individuals whose information is being processed must be informed of the purposes of that processing and of the party or parties responsible for it. This information must be given to the individuals either at the time of collection or at the time of the decision.
CNIL has given the Ministry of the Interior a timeframe to take corrective action for the series of injunctions issued.
As of July 2021, the State had notified CNIL that more than three million cards had been deleted in compliance with the rules on retention periods. With regard to the manual files, however, CNIL has rejected the suggested 4-year period for their destruction, stating that the age of the cards concerned, the duration of the breach and the nature of the data concerned did not allow for that. CNIL asked that the physical files be disposed of by 31st December, 2022. For all other matters of compliance, the CNIL has given a deadline of 31st December 2021. According to the law, a fine cannot be imposed on the State.
Retrospective facial recognition to be used by London police starting late this year or early next year.
The UK’s Metropolitan Police Service (MPS) has gotten authorization to use retrospective facial recognition technology, and will likely begin buying and using the technology as early as the end of this year. This technology has been tried and tested by the South Wales police force and has already proven how useful it can be to law enforcement. We recently published an article on the use of facial recognition technology by various government agencies in the United States; however, it is important to note that, unlike some of the US agencies mentioned, the London Metropolitan Police will not be using live facial recognition.
A four-year contract signed recently will deploy the use of retrospective facial recognition in London in the coming months.
A four-year contract worth £3,084,000 has recently been signed with Northgate Public Services to deploy this technology in the coming months. The technology is expected to save officers a significant amount of time in reconciling an image of a person with their identity. Images that have been captured by cameras at crime scenes like burglaries, assaults and shootings, or images shared or submitted by members of the public, will soon be used to identify persons using retrospective facial recognition. This is expected to help make significant progress in solving crime and keeping citizens of London safe.
While retrospective facial recognition is less controversial than live facial recognition, the Metropolitan police will undergo consultations on governance before using this technology.
Unlike live facial recognition, which compares live images with those on a specific watchlist, retrospective facial recognition will allow matching with a much broader list. Live facial recognition is considered a lot more controversial and has received quite a bit of backlash, including from the Information Commissioner. Her remarks regarding live facial recognition were recently quoted on Forbes. She commented that “We should be able to take our children to a leisure complex, visit a shopping centre or tour a city to see the sights without having our biometric data collected and analysed with every step we take.” Although retrospective facial recognition is less controversial, the Metropolitan Police Service is consulting with the London Policing Ethics Panel (LPEP) about governance, and is expected to meet the panel to discuss the project next month.
“Even though it is retrospective facial recognition, photographs and videos are processed for the purpose of uniquely identifying an individual, therefore the additional requirements for carrying out sensitive processing should be observed and a DPIA might be required”, points out Cristina Contero Almagro, Partner in Aphaia.
Facebook View sunglasses questioned by the Irish and Italian authorities, regarding whether they effectively notify data subjects that they are being recorded.
A new product by Facebook in collaboration with Ray-Ban is now coming under question by European data protection authorities. The product, called “Facebook View”, was introduced to the general public with a short promotional video of Mark Zuckerberg speaking about these innovative glasses, which can take photos and record video. In the video, Mr. Zuckerberg made an attempt to appease possible qualms from the public on the privacy of this technology, citing that an LED light on the frame of the sunglasses goes on to notify those around when the glasses are recording. However, this feature is now being called into question by the Irish and Italian regulators: the Irish DPC and the Garante, respectively. Their main question: is a light on the frame enough to significantly notify people that they are being recorded?
Facebook View sunglasses are seen as much less conspicuous than a camera or cell phone, in communicating that recording is in progress.
It is important that when people are being recorded, they have a sense that this is happening. When someone pulls out a camera or a cell phone, for example, the general assumption is that recording is in progress or a photo is being taken. People do not automatically assume that they are being recorded when they see someone wearing a pair of Ray-Bans. Most people are also not looking for a light on a pair of glasses under regular circumstances. The Irish and Italian authorities, according to a joint statement recently issued, do not believe that a pair of sunglasses can adequately give notice that recording is in progress.
The relevant authorities call on Facebook to demonstrate the effectiveness of the LED light to inform people that recording is in progress, as well as run an information campaign.
The Irish DPC and the Garante claim that it has not been demonstrated to them that comprehensive testing was done by Facebook to ensure that an LED light would effectively communicate to people that they are being recorded. Facebook is now being called on to demonstrate the effectiveness of the LED light in informing people that they are being recorded. In addition, the authorities are asking Facebook to run an information campaign to adequately alert the public to how this new product may result in much less obvious recording of their images.
“Facebook should also explain whether there are any plans to combine the information recorded using the Facebook View sunglasses with Facebook’s existing databases. This scenario seems likely considering that Facebook’s core product consists of users sharing photos and videos on the social network, where they can tag their friends and contacts”, points out Cristina Contero Almagro, Partner in Aphaia.
The right to erasure is behind the recent decision of the Slovenian supervisory authority, IPRS, ordering a controller to delete 88 photos.
The Slovenian SA recently ordered a data controller to delete a collection of 88 photos of a data subject, taken over a period of time 7 to 15 years ago. The order, which came this July, was on the basis of the data subject’s right to erasure, as reported by the EDPB. Article 17 of the GDPR gives data subjects the right to obtain, from the controller, the erasure of personal data concerning him or her without undue delay, under certain conditions. The controller in this case, a content production agency creating content on the topic of lifestyle, processed a collection with a total of 88 photos of the data subject, who is the complainant in this case. The data subject claimed she did not give permission to have her personal data processed, and then explicitly objected to the processing of her personal data, stating also that there were no compelling legitimate grounds for the processing of her data.
The controller declined the data subject’s demand to have the photos deleted, claiming that the processing was lawful.
The controller refused the data subject’s demands to have her photos removed, claiming that the processing was lawful under Article 6(1)(f) of the GDPR. However, the controller’s claims that the processing was needed for exercising his freedom of expression with regard to media activities, as well as for the public’s right to information and on the basis of legitimate interests, did not hold up. The Supervisory Authority maintained that the data subject in this case has the right to erasure of her personal data, and that the right to personal data protection needs to be balanced with the right to freedom of expression and information.
The photos and other data features on the website were organized in such a way that a profile could be created on the data subject through a search of her name.
The Slovenian Supervisory Authority found that all the photos indeed represented personal data which formed part of a filing system. The thumbnail and the description of the photos were accompanied by the first and last name of the individual. From the photos and the information provided, it was possible to determine which events she attended, who accompanied her, and also her personal characteristics. A search for the data subject’s name through the website’s search engine could create a profile highlighting the photos and data about her in particular. The content of the website cannot be understood as reporting on a specific event, because it enables a search on the basis of first and last name.
The Supervisory Authority ordered the removal of the photos and any related data, upholding the data subject’s right to erasure.
The Supervisory Authority ordered that the controller must delete not just the photos from the website, but also the name of the individual, the URL address and any metadata that enabled access to the photographs. Publications of this nature are usually intended only for revealing interesting information to satisfy the curiosity of members of the public who seek information about public events and on the personal lives of specific people. However, by the Slovenian Supervisory Authority’s measure, the data subject was not an absolute public figure, and the content of the website did not contribute to any debate of social importance, nor did it relate to any topic of public interest. In addition, the controller failed to demonstrate its legitimate interests. As a result, the Slovenian SA decided to uphold the complaint.