IT experts warn of greater privacy risks with facial recognition CCTV

A plan for facial recognition software to be integrated with a CCTV system inside Paceville, has been met with caution by IT experts warning of privacy concerns.

The Malta IT Law Association said that any introduction of facial recognition technologies require new laws to balance fundamental rights and freedoms of citizens, with the obligations of authorities in their fight against crime and the preservation of public order.

A government company, Safe City Malta, is planning to deploy a Huawei ‘safe city’ monitoring system that employs both high definition CCTV and facial recognition software to assist police officers in their monitoring of towns and cities.

Paceville is test case for facial recognition CCTV that could be deployed nationwide

MITLA said that whilst the use of state-of the art technology by law enforcement officials is key for the prevention, detection and investigation of criminal activities, the processing of personal data through the use of such systems has to conform with prescribed laws, and must constitute a necessary and proportionate measure in a democratic society with due regard for the legitimate interests of natural persons.

Facial biometric data is already a special category of data defined under a new EU General Data Protection Regulation (GDPR), which will come into force in May 2018. As such, the processing of biometric data through facial recognition tools is subject to a stricter legal regime.

Under the Maltese Data Protection Act, biometric data is already recognised as sensitive personal data.

But the MITLA said that facial recognition software and its impact on privacy was far higher than static surveillance cameras since the processing of personal data, specifically biometric data, is much more acute, automated and process-heavy. “This exacerbated by the fact that the proposed technology often exposes accuracy deficiencies, misidentifying gender and/or race. The potential introduction of such technologies at a nationwide scale makes a local debate even more urgent,” MITLA said.

“In light of the risk posed by emerging technologies, including facial recognition applications, such balance will not be easily achieved and will require careful consideration.”

MITLA said that apart from compliance with GDPR rules, police will have to process biometric data in line with EU rules on the protection of natural persons for the purpose of prevention of crime, which has to be transposed by member states by May 2018.

“In fact, EU Directive 2016/680 lays down that member states shall protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. These principles are also enshrined in the Council of Europe Recommendation R87/15 regulating the use of Personal Data in the Police Sector,” MITLA said.

Both the EU directive and Maltese law lat down that processing of biometric data can only be permitted when it is strictly necessary and subject to adequate safeguards as prescribed by national or EU law.

“Such specific laws currently do not exist. The 2016/80 Directive is intended to better protect citizen’s data, regardless of whether they are a victim, criminal or witness,” MITLA said.

It also said that the GDPR specifically highlights the ‘privacy by design’ principle, that data controllers must implement technical and organisational measures for data protection at all stages, and the necessary safeguards when any risks on the rights and freedoms of natural persons are severe.

“MITLA shall continue monitoring developments with respect to the recent announcements regarding the plans currently underway to introduce facial recognition technologies and shall look forward to contributing in a constructive debate. We encourage discussion around the development of a legally and ethically sound policy and system with true European standards.”