I’m just thinking out loud here but MAYBE, instead of linking to its guidance on information requirements, @ICOnews should go public on how it views the complete absence of a legal ground for most facial recognition systems.
Lets go through them one by one, shall we? #thread 1/
Lets go through them one by one, shall we? #thread 1/
https://twitter.com/iconews/status/1164071725975375873
Art. 6(1)(a): Most facial recognition systems are installed in public spaces where it is almost impossible to obtain a data subject’s consent. 2/
And even where this might be done (say by including it in applicable Ts&Cs) there is a good chance that this consent would not be seen as freely given because of Art. 7(4) GDPR, i.e. the prohibition on processing data for purposes unnecessary for contract performance. 3/
Art. 6(1)(b): For the same reason, we can also assume that the contract performance ground itself doesn’t work. Lets not forget that under settled CJEU case law “necessary” is a high threshhold to get over. 4/
Art. 6(1)(c):It’s also unlikely to be “in compliance with a legal obligation” when the crux of the matter is exactly that we currently not have any laws in place that permit/require face recognition. Getting those through Parliament in the current climate might be a challenge. 5/
But even, if we did, those laws would have to “constitute a necessary and proportionate measure in a democratic society “ to safeguard the objectives of certain public interests (Arts. 6(4) and 23(1)). So, again, necessity and proportionality likely stand in the way of this. 6/
Art. 6(1)(d): I think I may challenge my students to come up with a scenario where face recognition is necessary for the vital interests of the data subject or another natural person. 7/
Maybe anti-terrorist measures in an acute emergency might qualify, but the bulk collection of personal data that would be needed beforehand to make the systems work would most likely not meet the required proportionality threshholds. [cough Data Retention Directive cough] 8/
Art. 6(1)(e): Clearly, only very few controllers (the Met Police arguably among them) have any chance in hell of relying on the public interest ground. 9/
But even those who may, are similarly constrained by the need to lay down the specifics of that public interest in law under Arts. 6(3) and (4) and in accordance with the requirements of Art. 23(1). For the likelihood and success of that happening, see above. 10/
Art. 6(1)(f): Whatever “legitimate interest” a controller may have in this case is likely to be significantly outweighed by the overriding interests and fundamental rights and freedoms of the data subject. 11/
And lets not forget that this ground is not available to public authorities where processing is carried out in the performance of their tasks (Art. 6(7)). So this ground would in no way let the Met Police off the hook. 12/
And ok, yes, I’m a data protection lawyer, who lives and breathes this stuff. But this analysis has taken me < 20 minutes. So who are these lawyers, who have certified to both public and private controllers that they can go ahead with those schemes because “it’s probably ok”? 13/
And why does the ICO highlight its advice about “the right to be informed” when it is so blatantly clear to most experts that all the transparency in the world will not make 95% of this type of processing which is already going on “legal, proportionate, or justified”? 14/
Wouldn’t it be more appropriate to say this out loud, again and again, until it sinks in and controllers stop “innovating” in what they (incorrectly) perceive - or are told by their lawyers - to still be a “grey space”. 15/
Ideally, this time, BEFORE they embed infrastructure that cannot be removed later on when we finally recognise what a catastrophic failure of governance we have all been suffering? 16/
A reminder, @ICOnews , that you are not a political body. You don’t have to pussyfoot around the real legal issues or deal in distractions. You are a regulator tasked with providing actual guidance to both citizens and controllers and with enforcing the law. 17/
The King’s Cross investigation is a start in terms of enforcement. But if “increased transparency” is what you’re going for (again) in terms of your guidance, I’m not that hopeful that anything will come of it. 18/
“Increased transparency” didn’t help us much when you more or less let Google off the hook after it changed its privacy policies allowing it to combine and share personal data from all of its services. 19/
It didn’t help us when the UK government put pizza delivery-type flyers through our letterboxes to tell us that our NHS patient data would be uploaded to a central database and subsequently be made available to all and sundry. 20/
It didn’t help us when both Facebook and Google quietly bought up small competitors thereby sowing up the Big Data market and creating monopolies that we are now having to deal with after taking years to get the competition authorities interested. 21/
And it didn’t help us when you wrote/rewrote your cookie guidance three times in 12 months, each time making it easier for ad networks to put in place the online tracking systems that now threaten our democracies because they are used for political microtargeting. 22/
If we have learned anything from the last 10 years of regulating data-related innovation it’s that transparency alone is not the answer, it’s an absolute minimum requirement. Data minimisation, purpose limitation, storage limitation, fairness and lawfulness are where its at. 23/
So instead of harping on about the need to “provide information”, why not go all out for once and stress that the scenarios where controllers will actually have to provide information will be minimal because the overwhelming majority of all FRS is simply illegal under GDPR? 24/
Thank you for coming to my TED talk! ends/
Ok, because it has rightly been pointed out to me that I lazily applied the GDPR to FRS use by the Met Police when it actually falls under the LED and section 35(2) of DPA2018, here the equivalent analysis for that:
For processing by LEAs to be lawful Arts. 4(1)(a) and 8 LED also mandate an EU or member state law as authorisation. Section 35(2) DPA2018 includes a similar requirement. (H/t @GDPRtist ) So this is equivalent to Art. 6(3) and (4) GDPR.
Those authorising laws as well as FRS use by police itself (as executive action) are directly subject to the human rights constraints set out in the HRA/ECHR and, until Brexit, the EU Charter) (no need for Art. 23 GDPR). This means that proportionality requirements apply here too
Because of the implications that a significant deviation from the EU interpretation of fundamental rights would have on the UK’s ability to obtain adequacy (see Schrems), it is likely that the CJEU’s settled case law will be an important factor post-Brexit too.
As we have seen in Schrems, Digital Rights Ireland and Tele2/Watson, the CJEU has recently taken a dim view of blanket surveillance measures that disproportionately infringe individuals’ rights to privacy and data protection.
So even under the LED/DPA2018, the chances that FRS will be deemed to be lawful are very slim unless they manage to come up with a technology that enables the identification of specific targeted individuals while not affecting the rest of the population disproportionately.
Given that we are currently looking at trials that do not really discriminate between those groups, not least because they are used to train the algorithm, and that have reportedly already resulted in a high number of false positives, this is clearly not the case now.
So, as before, those trials clearly lack(ed) a legal ground and the ethics committee that waived them through should have a good look at itself. Maybe another reason why relying on ethics isn’t all it’s cracked up to be when it’s legal compliance we need.
Which, ironically, also reminds me of this comment made by a member of that very committee at ORGCon this year:
https://twitter.com/cybermatron/status/1150037941189795842?s=21
• • •
Missing some Tweet in this thread? You can try to
force a refresh
