The National Police Board of Finland has recently been reprimanded for unlawful processing during a facial recognition trial by the National Bureau of Investigation unit.
Finnish police have been reprimanded for the unlawful processing of special categories of personal data during a facial recognition technology trial. The National Bureau of Investigation unit which specializes in the prevention of child sexual abuse had experimented with facial recognition technology to aid in identifying potential victims in early 2020. The Bureau used facial recognition technology to aid with identifying possible victims of child sexual abuse with the US-based Clearview AI service. According to this report, the National Police Board was not aware of this trial, as the decision to try the software had been made independently by the National Bureau of Investigation unit.
The data controller, the National Police Board was held accountable for the data breach, and its inability to supervise this operation as the processor was not sufficiently informed of the protocol to special category data.
The National Police Board, in the capacity of the controller of the data processed by the police in Finland, informed the Office of the Data Protection Ombudsman in April 2021of the personal data breach. The National Bureau of Investigation unit made the decision to use Clearview AI, independent of the guidance of the National Police Board, and as a result the controller was uninformed and unable to approve and supervise the facial recognition technology trial. The investigative unit, after experimenting with the use of this technology in early 2020, deduced that the use of this technology was not suitable for Finnish authorities. In April of 2021, the National Police Board notified the Office of the Data Protection Ombudsman of the personal data breach involving the use of facial recognition technology during this trial period, after becoming aware of the situation through Buzzfeed News, an online media company from the US.
The National Police Board did not advise the National Bureau of Investigation unit
on the manner in which special categories of data should be handled, or on the process of lawfully going about the processing and as a result was held responsible for the personal data breach. The Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security puts the responsibility of lawful processing of personal data on the controller. In addition, under the GDPR, processors do not have the same compliance obligations as controllers. According to Article 24 of the GDPR, the data controller must actively demonstrate full compliance with all data protection principles. Therefore, the Data Protection Ombudsman has held the National Police Board accountable for this incident.
The National Police Board was reprimanded and ordered to take corrective action.
The National Police Board of Finland, as the controller was held accountable for the breach and reprimanded. The Data Protection Ombudsman has also ordered that the National Police Board notify all data subjects whose identities can be confirmed of the personal data breach. In addition, the Board must request that all data collected by Clearview AI be deleted from their storage database.