On a windy February morning, the Joint Oireachtas Committee on Justice was sitting within Leinster House discussing the upcoming use of facial recognition technology (FRT) for An Garda Síochána. Various speakers and experts addressed concerns about the accuracy of facial recognition, the impacts FRT would have on civil rights and freedom of speech, and the lack of transparency of the algorithm chosen for FRT use. I do not want to delve into those issues; they were covered in more detail and communicated better by those speakers. One notable omission in the discussions, however, was the recent European Court of Justice case concerning the retention policy for personal data, including biometric data, stored in databases.

Retention Periods

I want to focus firstly on a specific case (C-118/22) recently settled by the European Court of Justice. A Bulgarian man was convicted for providing false testimony during a criminal inquiry and requested that his name be removed from police records after completing a one-year suspended sentence and undertaking legal rehabilitation. Following the request, the state refused under a Bulgarian law that permits the storage and processing of personal data from police records, taken for profiling purposes, until the person dies. This law was challenged and then referred to the European Court of Justice.

The ECJ ruled that national legislation must require data controllers to periodically review whether that storage is still necessary and must grant the data subject the right to have those data erased if that is no longer the case. The court ruled that convicted persons do not all present the same degree of risk of being involved in other criminal offences, so a uniform period of storage of the data relating to them is not justified. Factors such as the nature and seriousness of the offence committed or the absence of recidivism may mean that the risk represented by the convicted person does not necessarily justify the storage of the data relating to that person in the police records until their death.

What this means in plain English is that police records on an individual convicted of a minor, non-violent crime like failing to tell the truth as a witness should not have the same retention period for personal data use by the police as those on a person convicted of terrorism, and that guidance needs to be issued setting out the appropriate retention period for each category of crime.

Purpose Limitation

The next big question is how this database will be created: will it merge current databases held by the state (passport photos, social welfare, prison records), or will it be a new database built from scratch? If it merges current databases, that leaves a lot of questions about the legal basis for data collection and whether importing data from one database to another would violate the principle of purpose limitation stated under Article 5(1)(b) of the General Data Protection Regulation (GDPR).

When processing personal data, under the GDPR, an organisation must lay out the purpose of the data and be explicit in its use. This is to ensure that the data is used for a clear and intended purpose, so it cannot be used for other reasons. An example is if you are giving your email to a shop for a digital receipt; they cannot use it for marketing reasons. The same logic applies to current national databases. If they are creating a new database from scratch, more information is needed to know how they are targeting the individuals who will be on it.

Inter-Departmental Sharing

Another important case to reference when discussing database use, especially when the data could come from another department or purpose, is the 2019 ruling by the Data Protection Commission that the Public Service Card (PSC) cannot be used for any purpose outside of its remit of validating those collecting a social welfare payment under the Department of Social Protection. The state was looking to expand the use of the PSC to other departments (the Department of Transport, for taking driver's licence exams).

The Data Protection Commission ruled that there was no legal basis for third-party use of the card by other departments and that the card must be used within the remit of the Department of Social Protection. The DPC also ruled that the Department of Social Protection had a “blanket and indefinite retention of underlying documents and information,” which violated the 1988 and 2003 Data Protection Acts and would violate the 2018 Data Protection Act, as that Act also highlights the issue of purpose limitation. Finally, the Data Protection Commission ruled that the Department of Social Protection was not transparent in the processing of personal data related to the Public Service Cards.

Conclusion

There is clear European Court of Justice and Irish Data Protection Commission precedent around purpose limitation, and without further clarity within the Act around the issues highlighted above, there is a strong belief that any FRT database that is not transparent, does not have a clear and strict purpose, and does not provide clear records around data retention could be challenged either nationally or raised with the European Court of Justice in the future.

There are a lot more privacy and data protection issues to mention when discussing facial recognition, like the accuracy requirement under Article 5, how individuals can express their rights, the success of any policies developed to curb misuse or any effects on rights to free speech, and even the right to object to facial recognition (there is a whole other piece of research that highlights how the London Metropolitan Police were horrific at this; see the “Independent Report on the London Metropolitan Police Service’s Trial of Live Facial Recognition Technology” by Professor Pete Fussey & Dr. Daragh Murray). This article is meant to cover just a few of the many strands on this topic.

By Daniel Whooley

I am just a guy interested in data protection, cybersecurity, politics, environmentalism, urban design, public transport, and history (I have too many hobbies).