Call for a ban on facial recognition

Call for a ban on facial recognition: EDPB and EDPS release a joint statement

The EDPB and EDPS have made a collaborative call for a ban on facial recognition for automated recognition in public spaces. 

 

 The EDPB and EDPS call for a ban on the use of AI for biometric identification in publicly accessible spaces. This includes facial recognition, fingerprints, DNA, voice recognition and other biometric or behavioral signals. This call comes after the European Commission outlined harmonized rules for artificial intelligence earlier this year. While the EDPB and EDPS embrace the introduction of rules addressing the use of AI systems in the EU, by institutions, bodies or agencies, the organizations have expressed concern over the exclusion, from the proposal, of cooperation from international law enforcement. The EDPB and EDPS also stress that it is necessary to clarify that the existing data protection regulation within the EU applies to any and all personal data processing under the scope of the draft AI regulation. 

 

The EDPB and EDPS call for a general ban on the use of AI in public spaces, particularly in ways which might lead to discrimination. 

 

In a recently released joint statement, the EDPB & EDPS recognize that extremely high risks are posed by remote biometric identification of individuals in public spaces, particularly the use of AI systems using biometrics to categorize individuals based on ethnicity, gender, political or sexual orientation, or other grounds on which discrimination is prohibited. According to Article 21 of the Charter of Fundamental Rights, “Any discrimination based on any ground such as sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation shall be prohibited.” In addition the organizations are calling for a prohibition on the use of AI to deduce the emotional state of natural persons except in specific cases. One example of this in the field of health includes cases where patient emotion recognition is relevant and important. However the EDPB and EDPS maintain that any use of this sort of AI for any type of social classification or scoring should be strictly prohibited. “One should keep in mind that ubiquitous facial recognition in public spaces makes it difficult to inform the data subject about what is happening, which also makes it all but impossible to object to processing, including profiling” comments Dr Bostjan Makarovic, Aphaia’s Managing Partner

 

The EDPB and EDPS call for greater clarity on the role of the EDPS as competent and market surveillance authority. 

 

The organizations in their joint opinion, embrace the fact that the European Commission proposal designates the EDPS as the market surveillance authority and competent authority for the supervision of institutions, agencies and bodies within the European Union. However the organisations are also calling for further clarification on the specific tasks of the EDPS within that role. The EDPB and EDPS acknowledge that data protection authorities are already enforcing the GDPR and LED in the context of AI involving personal data. However the organizations are suggesting a more harmonized regulatory approach, involving the DPAs as designated national supervisory authorities, as well as  consistent interpretation of data processing provisions across the EU. In addition, the statement calls for greater autonomy to be given to the European Artificial Intelligence Board, in order to avoid conflict and create an atmosphere for an  AI European body free from political influence. 

 

Do you want to learn more about facial recognition in public spaces? Check our vlog.

Do you use AI in your organisation and need help ensuring compliance with AI regulations? We can help you. Aphaia provides EU AI Ethics Assessments, Data Protection Officer outsourcing and ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments. We can help your company get on track towards full compliance.

Digital Green Certificates

Digital Green Certificates: the EDPB and EDPS release a joint opinion

Digital Green Certificates have been a topic of debate lately, and the EDPB & EDPS have released a joint opinion on this, regarding data protection and privacy.

Digital Green Certificates, which some refer to as “vaccine passports” are, contrary to popular belief, not specific to vaccines. In actuality, the digital green certificates or passes, as they would preferably be called, are proposed to be a QR code with information on a person’s status with regard to the COVID-19 virus. The specifics of the information may be pertaining to the vaccine and have details on which vaccine was taken and when it was administered, or it may contain information on a negative COVID-19 test and the date on which the last test was taken. This scannable code may also contain information on antibodies present in a person’s system, if they have developed antibodies from being infected with and recovering from this virus. Vaccines are not mandatory at this time, and the digital green certificates proposed by the European Commission are intended to make it easier to identify someone’s current status with regard to COVID-19, whether vaccinated or not, making travel throughout the EU more seamless, for anyone traveling during this global pandemic. 

The EDPB and EDPS released this joint statement specific to the aspects of the Proposal pertaining to personal data protection. 

The Commission first published the proposal for a Regulation of the European Parliament and of the Council the issuance, verification and acceptance of certificates of vaccination, testing and recovery to third-country nationals who are legally staying or residing in any of the EU Member States during the COVID-19 pandemic on March 17th. The EDPB & EDPS note that the aim of this proposal is to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic. Due to the particular importance of these proposals and their impact on individual rights and freedoms regarding the processing of personal data, the EDPB and EDPS released their joint opinion specific to the aspects of the proposal relating to personal data protection. The organisations highlight that it is essential that the proposal is consistent and does not, in any way conflict with the application of the GDPR. 

Digital Green Certificates should be approached from a holistic and ethical standpoint, as asserted by the EDPB and EDPS in their joint opinion. 

The EDPB and EDPS suggest that the Commission take a holistic and ethical approach to the proposal in an effort to encompass all the issues related to privacy and data protection, and fundamental rights in general. They note that data protection is not an obstacle to fighting the current pandemic and that compliance with data protection law will only aid by helping citizens trust the frameworks provided in those efforts. The EDPB and EDPS advise that any measure adopted by Member States or EU institutions must be guided by the general principles of effectiveness, necessity and proportionality. In addition, they note that the World Health Organisation (WHO) in its ‘ interim position paper: considerations regarding proof of COVID-19 vaccination for international travelers’ stated that “(…) national authorities and conveyance operators should not introduce requirements of proof of COVID-19 vaccination for international travel as a condition for departure or entry, given that there are still critical unknowns regarding the efficacy of vaccination in reducing transmission.” 

The EDPB and EDPS, in their joint opinion, state that these green certificates must not lead to the creation of any central database of personal data at the EU level, under the pretext of the Digital Green Certificate framework. In addition, they made specific mention that these certificates should be made available in both digital and paper based formats, to ensure the inclusion of all citizens, regardless of their level of engagement with technology. The organisations also call for clarification on the proposal’s stance on the manner in which these certificates will be issued, whether automatically, or upon request of the data subject. Recital 14 and Articles 5(1) and 6(1) of the Proposal currently state “(…) Member States should issue the certificates making up the Digital Green Certificate automatically or upon request (…)”

The EDPB and EDPS are glad to note the considerations to the rights and freedoms of individuals, as well as compliance with data protection regulation, included in the Proposal. 

The organisations are pleased to note that the Proposal explicitly states that compliance with European data protection regulation is key to the cross border acceptance of vaccination, test and recovery certificates. Recital 38 of the proposal states that “[i]n line with the principle of minimisation of personal data, the certificates should only contain the personal data necessary for the purpose of facilitating the exercise of the right to free movement within the union during the COVID-19 pandemic”. The EDPB and EDPS recommend the inclusion of reference to the GDPR in the main text of the proposal, as it is the legal basis for the processing of personal data, for the issuance and verification of interoperable certificates, as acknowledged in Recital 37. 

Article 3(3) of the Proposal states that citizens can obtain these certificates free of charge,and may renew these certificates to bring the information up to date, or replace as necessary. While the EDPB and EDPS commend this, the organisations also recommend clarifying that the original certificate, as well as modifications shall be issued upon request of the data subject. This is very important for maintaining accessibility for all persons. 

The EDPB and EDPS call for attention to data minimisation, as well as clarification on the validity period of the data processed. 

There are naturally certain categories and data fields of personal data which would need to be processed within the framework of the Digital Green Certificates. As a result, the EDPD and EDPS consider that the justification for the need for personal data fields needs to be clearly defined in the Proposal. In addition, the organizations ask that further explanation be provided as to whether all of the categories of personal data provided for are necessary for inclusion in the QR code for both digital and paper certificates. They note that data minimisation can be achieved using an approach of differently comprehensive data sets or QR codes. In addition, the organizations note the lack of specificity with regard to an expiry date or validity period for each certificate in the draft Proposal. It is also important to note that the EDPB and EDPS clearly state that given the scope of the draft of the proposal, and the context of the global pandemic, the statement of the disease or agent from which the individual has recovered should only be limited to COVID-19 and its variants. 

The EDPB & EDPS iterate the importance of adequate technical and organizational privacy and security measures in the context of the proposal.

With regard to the Digital Green Certificate, the organizations suggest that privacy and security measures should be specially structured to ensure compliance by the controllers and processors of personal data required by this framework.  The opinion states that controllers and processors should take adequate technical and organizational measures to ensure a level of security that is appropriate to the level of risk of the processing of this personal data in line with Article 32 of the GDPR. These measures should include the establishment of processes for regular assessment of the effectiveness of the privacy and security measures which are adopted. 

While the EDPB and EDPS are pleased to note the clarification, within the Proposal, of the roles of data controllers and processors, the organisations suggest that the Proposal specify, through a comprehensive list, all entities foreseen to be acting as controllers or processors of the data in EU Member States, taking into account the use of these certificates in multiple member states by persons traveling throughout the EU. They also suggest that the Proposal should provide clarification on the role of the Commission with regard to data protection law in the context of the framework, guaranteeing interoperability between the certificates. In addition, the organisations call for attention to compliance with Article 5(1)(e) of the GDPR, with regard to the storage of personal data, as well as clarification on the storage period that Member States should not exceed, beyond the pandemic. Furthermore, the EDPB and the EDPS recommend that the Commission explicitly clarifies whether, and when any international transfers of personal data are expected, as well as safeguards within the legislation to ensure that third countries will only process the personal data for the specific purposes that this data is exchanged, according to the framework.

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

The EDPB and the EDPS

The EDPB and the EDPS have released a joint opinion on SCCs for international data transfers and SCCs between controllers and processors

The EDPB and the EDPS have released joint opinions on standard contractual clauses for the transfer of data within the EEA and internationally. 

 

Last month, the EDPB and the EDPS released joint statements on standard contractual clauses between controllers and processors and on standard contractual clauses for the transfer of personal data to third-countries. Both are referred to as ‘SCCs’ but it should be noted that they are two separate documents. This update is intended to bring the SCCs in line with the new GDPR requirements and provide a better reflection of the use of more complex processing operations, as well as provide specific safeguards addressing the laws of third countries and their effect on the data importer’s compliance. The Draft SCCs include, on the one hand, controller processor relationships within the EEA and, on the other, international data transfers. The EDPB and EDPS are pleased to note the specific provisions included many recommendations made by the EDPB, as well as several which address some of the main issues presented by the Schrems II ruling.

The EDPB and EDPS expressed overall satisfaction with both the Draft Decision and Draft SCCs for international data transfers. 

 

The EDPB and EDPS are both generally satisfied with the reinforced level of protection that the updated Draft Decision and Draft SCCs provide for data subjects. This update sought to bring the SCCs in line with the new GDPR while making special provisions for addressing third country destination laws on compliance with the Draft SCCs. The organisations noted that the Draft SCCs covered several of the supplementary measures recommended by the EDPB, while for some others, the organizations would like to see more consistency. There were specific recommendations made regarding the transfer of data on an international level. Many organizations will need to rely on these standard contractual clauses for international data transfers, particularly with the invalidation of the EU-US Privacy Shield. 

 

In analysing the Draft Decision and Draft SCCs between controllers and processors, the EDPB and EDPS made a few key suggestions.

While the EDPB and EDPS were generally pleased with the Draft SCCs presented, they expressed a request for the European Commission to clarify some specific clauses, with the aim of further clarifying the text and ensuring it is practical and  useful in day-to-day operations of the controllers and processors.. 

 

The EDPB and EDPS also suggested that the Annexes to the SCCs clarify as much as possible the roles and responsibilities of each of the parties with regard to each processing activity as any ambiguity in this regard could make it more difficult for the controllers or processors to fully meet their obligations under the accountability principle. The annexes are intended to provide a very technical explanation of how the SCCs will apply in specific situations. 

 

Andrea Jelinek, Chair of the EDPB, was quoted as saying: “The EDPB and EDPS welcome the controller-processor SCCs as a single, strong and EU-wide accountability tool that will facilitate compliance with the provisions under both the GDPR and the EUDPR. Among others, the EDPB and the EDPS request that sufficient clarity has to be provided to the parties as to the situations where they can rely on these SCCs, and emphasise that situations involving transfers outside the EU should not be excluded.”

 

The opinions presented by the EDPB and EDPS  will be considered by the Commission, together with the numerous other responses to its consultation on the SCCs. The European Commission will then formally adopt a decision incorporating the finalized SCCs and provide details for their adoption by organizations. Once finalized, the SCCs for international data transfers to third-countries will replace the existing sets of SCCs for transfers of personal data from within the EEA to other non-EEA countries that have not been recognized as providing an adequate level of data protection. As for the SCCs between controllers and processors, they will provide a standard for the parties, but its implementation will not be mandatory as controllers and processors will still be able to use their own clauses.

 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

 

EDPS guidance on temperature checks

EDPS guidance on temperature checks during the COVID-19 pandemic

Temperature checks during COVID-19, the global health crisis, have become a necessary part of the continuity of general affairs. The EDPS has released guidance to help institutions in navigating this sphere keeping the privacy of the individual at the forefront.

 

Due to the COVID-19 situation many of the European Union members have implemented several safeguards and protocols to protect and prevent outbreaks during the COVID-19 pandemic. So many of the EU organisations actually have found it necessary to implement into workplaces and other important bureaucratic centres many key safety measures, one of which are mandatory temperature checks . However in the world of data protection and privacy and the rights of Citizens under the EU charter it is very possible that these safety mechanisms could infringe on the rights of many individuals who have the right to private life without interruption. 

 

The EDPS has indicated mandatory guidelines to ensure safety and privacy of EU individuals.

 

There are a few guidelines that the EDPS has made mandatory for these European institutions which promise to ensure that both safety and privacy protection are paramount in the pandemic ecosystem. One of the key measures implemented is that no recording or processing of personal data is allowed when temperature information is being measured. In other words either manual testing must be done using a hand thermometer and there is a personnel operating this manual thermometer and they must not record these results or add them to any filing system. However, if there is an automated system such as a thermal camera, it is paramount that these cameras are not setup or integrated into a cloud or filing system that will add the temperature information of the individuals, be it visitors or otherwise, to these sites’ database under any specific criteria as outlined by the EDPS guidelines . 

 

On site personnel must be trained to not only monitor the machine, but verify the validity of the initial reading, and recalibrate temperature measuring devices when necessary.

 

In addition, there must be a trained personnel who can not only monitor the machine in live time as it is not allowed to record information, but there must also be the ability to explain to individuals the reason for the thermal testing. The repeatability of the testing must be reliable due to  persons having the right for multiple tests or readings of their temperature to be taken to verify the validity of the initial reading. The personnel present must also be able to explain and discern how the machine works and also training on how to calibrate the sensor must also be implemented on to the personnel trusted with this task . Again it is a complete violation to take this temperature information added to any form of filing system or personnel file as this could lead to a direct violation of the EU charter of rights for its citizens and EDPS guidelines.

 

Institutions must meet  additional requirements to meet the minimum standard requirement for institutions navigating the pandemic.

 

However , one of the key factors in the charter are also workplaces and public spaces must have the minimum standard requirement to meet work health protocols and during the COVID-19 outbreak, masks, disinfecting gels/sanitizers and temperature checks all fall under the jurisdiction of minimum health protocols. Therefore this is mainly about achieving a key balancing act with the protocols of safety and privacy at these EUI sites. The key concern for the EDPS is maintaining the balance of legality and safety for its citizens so there are many clauses and subsections that can be related to the COVID situation as far as lawfulness goes. 

 

Individuals entering these sites must be kept informed and given full disclosure.

 

In addition to this, it is also very important that the persons who are entering the sites are aware of the reason for the screenings and that they are given full disclosure. This information should be readily available at any point in time. In the event that  a person has taken multiple readings and has surpassed the temperature threshold for entering one of these sites, they should also be given assistance in the form of directions to find a doctor or a nurse or a COVID testing centre nearby. They should be provided with some form of written receipt of denial of entry to validate any bureaucratic or official need to verify the reason for the inability to enter the site. 

 

Employees should all be given alternatives for continuing to work amid the health crisis.

 

In the case of employees, it is paramount that alternative working methods be considered such as remote work due to the disruption of one’s personal and private life due to this test that may be automated or carried out by machine or on-site personnel. These protocols allow persons to have minimal disruption in their life, while taking full advantage of health screenings and temperature checks without any privacy issues. 

 

It is imperative that devices used for temperature checks be maintained and recalibrated on a regular basis.

 

It is also important to note that due to the fact that the threshold for the COVID-19 temperature is within a 1 degree C margin of error, recalibration and maintenance on these automated or more complex temperature reading devices must be carried out regularly, and by qualified personnel. Again, these technologies must not be connected to any cloud storage or filing system and all of the readings must be done in live time with the aid of a person who is not simply viewing the data, but is qualified to understand, and to scrutinise any error that the machine may make, as it is  unconstitutional by the charter freedoms of the European Union to let an automated machine make those level of decisions without human input. Therefore, it is paramount that someone is there to verify and clarify the results gathered by these machines.

 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 during the COVID-19 pandemic? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.