I’m just thinking out loud here but MAYBE, instead of linking to its guidance on information requirements, @ICOnews should go public on how it views the complete absence of a legal ground for most facial recognition systems.

Lets go through them one by one, shall we? #thread 1/
Art. 6(1)(a): Most facial recognition systems are installed in public spaces where it is almost impossible to obtain a data subject’s consent. 2/
And even where this might be done (say by including it in applicable Ts&Cs) there is a good chance that this consent would not be seen as freely given because of Art. 7(4) GDPR, i.e. the prohibition on processing data for purposes unnecessary for contract performance. 3/
Art. 6(1)(b): For the same reason, we can also assume that the contract performance ground itself doesn’t work. Lets not forget that under settled CJEU case law “necessary” is a high threshhold to get over. 4/
Art. 6(1)(c):It’s also unlikely to be “in compliance with a legal obligation” when the crux of the matter is exactly that we currently not have any laws in place that permit/require face recognition. Getting those through Parliament in the current climate might be a challenge. 5/
But even, if we did, those laws would have to “constitute a necessary and proportionate measure in a democratic society “ to safeguard the objectives of certain public interests (Arts. 6(4) and 23(1)). So, again, necessity and proportionality likely stand in the way of this. 6/
Art. 6(1)(d): I think I may challenge my students to come up with a scenario where face recognition is necessary for the vital interests of the data subject or another natural person. 7/
Maybe anti-terrorist measures in an acute emergency might qualify, but the bulk collection of personal data that would be needed beforehand to make the systems work would most likely not meet the required proportionality threshholds. [cough Data Retention Directive cough] 8/
Art. 6(1)(e): Clearly, only very few controllers (the Met Police arguably among them) have any chance in hell of relying on the public interest ground. 9/
But even those who may, are similarly constrained by the need to lay down the specifics of that public interest in law under Arts. 6(3) and (4) and in accordance with the requirements of Art. 23(1). For the likelihood and success of that happening, see above. 10/
Art. 6(1)(f): Whatever “legitimate interest” a controller may have in this case is likely to be significantly outweighed by the overriding interests and fundamental rights and freedoms of the data subject. 11/
And lets not forget that this ground is not available to public authorities where processing is carried out in the performance of their tasks (Art. 6(7)). So this ground would in no way let the Met Police off the hook. 12/
And ok, yes, I’m a data protection lawyer, who lives and breathes this stuff. But this analysis has taken me < 20 minutes. So who are these lawyers, who have certified to both public and private controllers that they can go ahead with those schemes because “it’s probably ok”? 13/
And why does the ICO highlight its advice about “the right to be informed” when it is so blatantly clear to most experts that all the transparency in the world will not make 95% of this type of processing which is already going on “legal, proportionate, or justified”? 14/
Wouldn’t it be more appropriate to say this out loud, again and again, until it sinks in and controllers stop “innovating” in what they (incorrectly) perceive - or are told by their lawyers - to still be a “grey space”. 15/
Ideally, this time, BEFORE they embed infrastructure that cannot be removed later on when we finally recognise what a catastrophic failure of governance we have all been suffering? 16/
A reminder, @ICOnews , that you are not a political body. You don’t have to pussyfoot around the real legal issues or deal in distractions. You are a regulator tasked with providing actual guidance to both citizens and controllers and with enforcing the law. 17/
The King’s Cross investigation is a start in terms of enforcement. But if “increased transparency” is what you’re going for (again) in terms of your guidance, I’m not that hopeful that anything will come of it. 18/
“Increased transparency” didn’t help us much when you more or less let Google off the hook after it changed its privacy policies allowing it to combine and share personal data from all of its services. 19/
It didn’t help us when the UK government put pizza delivery-type flyers through our letterboxes to tell us that our NHS patient data would be uploaded to a central database and subsequently be made available to all and sundry. 20/
It didn’t help us when both Facebook and Google quietly bought up small competitors thereby sowing up the Big Data market and creating monopolies that we are now having to deal with after taking years to get the competition authorities interested. 21/
And it didn’t help us when you wrote/rewrote your cookie guidance three times in 12 months, each time making it easier for ad networks to put in place the online tracking systems that now threaten our democracies because they are used for political microtargeting. 22/
If we have learned anything from the last 10 years of regulating data-related innovation it’s that transparency alone is not the answer, it’s an absolute minimum requirement. Data minimisation, purpose limitation, storage limitation, fairness and lawfulness are where its at. 23/
So instead of harping on about the need to “provide information”, why not go all out for once and stress that the scenarios where controllers will actually have to provide information will be minimal because the overwhelming majority of all FRS is simply illegal under GDPR? 24/
Thank you for coming to my TED talk! ends/
Ok, because it has rightly been pointed out to me that I lazily applied the GDPR to FRS use by the Met Police when it actually falls under the LED and section 35(2) of DPA2018, here the equivalent analysis for that:
For processing by LEAs to be lawful Arts. 4(1)(a) and 8 LED also mandate an EU or member state law as authorisation. Section 35(2) DPA2018 includes a similar requirement. (H/t @GDPRtist ) So this is equivalent to Art. 6(3) and (4) GDPR.
Those authorising laws as well as FRS use by police itself (as executive action) are directly subject to the human rights constraints set out in the HRA/ECHR and, until Brexit, the EU Charter) (no need for Art. 23 GDPR). This means that proportionality requirements apply here too
Because of the implications that a significant deviation from the EU interpretation of fundamental rights would have on the UK’s ability to obtain adequacy (see Schrems), it is likely that the CJEU’s settled case law will be an important factor post-Brexit too.
As we have seen in Schrems, Digital Rights Ireland and Tele2/Watson, the CJEU has recently taken a dim view of blanket surveillance measures that disproportionately infringe individuals’ rights to privacy and data protection.
So even under the LED/DPA2018, the chances that FRS will be deemed to be lawful are very slim unless they manage to come up with a technology that enables the identification of specific targeted individuals while not affecting the rest of the population disproportionately.
Given that we are currently looking at trials that do not really discriminate between those groups, not least because they are used to train the algorithm, and that have reportedly already resulted in a high number of false positives, this is clearly not the case now.
So, as before, those trials clearly lack(ed) a legal ground and the ethics committee that waived them through should have a good look at itself. Maybe another reason why relying on ethics isn’t all it’s cracked up to be when it’s legal compliance we need.
Which, ironically, also reminds me of this comment made by a member of that very committee at ORGCon this year:

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Cybermatron 🕷

Cybermatron 🕷 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Cybermatron

15 Dec 20
Aaargh! I hate being “Reviewer 2” but once, just once would I like to peer review a well-written, well-structured article that isn’t clearly just a chapter of someone’s PhD with no further consideration given to how to turn it into its own, fully-fledged and coherent narrative.
Even if I agree with all your good intentions and nearly all of your arguments, if you don’t spend some time kicking this thing into shape before submission, there is very little a reviewer can do to get you published. Here’s a few tips:
1. Start by challenging yourself to cut the thing down by a third. Yes, always. You may not manage all of it, but it will force you to sharpen your argument and eliminate a lot of extraneous detail.
Read 16 tweets
15 Dec 20
Normal people I know of have just arranged a three-household birthday party next Sat because it’s a week before Christmas and “what does it matter, if we’d be allowed to do it then anyway?”. The government’s wooly messaging on this issue is causing harm going far beyond Christmas
Am I furious with those people? Yes I am. Every single one of them. And not just because I have just decided not to go home even though my mum is really unwell because I don’t want to put her at further risk, and a vaccine is coming and I’m not going to fall at the last hurdle.
I am furious because I don’t want any of them to get Covid either just for being idiots.
Read 6 tweets
29 Sep 20
Dear @Jeremy_Hunt , who just said on @Channel4News that “nobody could have predicted the current situation at Universities”, I will happily grant you access to my inbox so you can read the many email exchanges where my academic colleagues and I, you guessed it, predicted this.
Sadly we were ignored. We were ignored because your government does not view higher education as a public good, refused to provide financial support to Universities and thus forced them to lie to students that we could provide a “normal” student experience...
... to get them to enrol in programmes and sign accommodation contracts to prevent them from going under.
Read 7 tweets
26 Sep 20
What a pile of crock! A thread.
theguardian.com/education/2020…
“It is crucial that gender stereotyping is addressed in schools and discussed in age-appropriate ways with children and young people: it is also crucial that young people questioning their gender identities are supported and listened to without judgment...
... Suggesting to children that it is possible to be born in the wrong body is misleading, regressive and potentially very harmful, and it is good that the DfE has clarified that this should not be done.”
Read 15 tweets
12 Sep 20
In DP terms, I think loss of control is most closely linked to violations of the purpose limitation principle.
Like @mireillemoret said, this is then also connected to a lack of transparency and, I would argue, fairness (in the Art. 5 sense). But as far as algorithmic decision-making is concerned, purpose limitation is clearly where its at.
Having said that, I’m starting to get very suspicious of the concept of *control* (nevermind *property*) as our loadstar, given its current link solely to the individual data subject, who is mostly not equipped to exercise that control responsibly.
Read 12 tweets
11 Sep 20
Ok. I’ve done it. For the first time in my life I joined a trade union today.

What finally pushed me over the edge? My employer asking us to ensure that any video footage we record is sub-titled to comply with new disability legislation.
To be clear, I am not disputing that the University should do this. If we are using video recordings, sub-titling is imperative to ensure equality of opportunity not just for students with hearing issues but also for those whose first language is not English.
Listening to a recording is not the same as being in a room with your tutor. There will inevitably be comprehension issues. Sub-titling helps with those.
Read 19 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

:(