Deputy Data Protection Ombudsman recently issued a reprimand to Finnish National Police Board for unlawful processing of special categories of personal data, i.e. use of controversial software for facial recognition by the Finnish National Bureau of Investigation for the prevention of child sexual abuse.

The Action of Finnish Police

Namely, the trial version of the subject software was used in early 2020, for identification of potential victims, without the approval or supervision of the National Police Board as personal data controller, which is liable to ensure that all parties engaged by the police are familiar with applicable regulations and procedures, i.e. that personal data processing is done in a lawful manner.

According to the provisions of Finnish regulations governing this matter, photographs represent biometric personal data, which is a special category of personal data, thus its processing requires particular care. In this sense and in this particular case, the controller also failed to establish in advance how long the data would be stored and whether they can be disclosed to third parties, hence the Deputy Data Protection Ombudsman ordered the controller to notify its activities to the subjects of such data processing, as well as to delete all collected data from the databases of disputable software.

Provisions on the processing of biometric personal data are also contained in domestic Law on Personal Data Protection (“Off. Gazette of RS”, no. 87/2018) (the “LPDP“).

Processing of Biometric Personal Data under the LPDP

The LPDP stipulates that biometric data are personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or fingerprint data.

In addition, the LPDP prescribes that biometric data (processed for the purpose of unique identification of a natural person) represent a special type of personal data (along with the data whose processing discloses racial or ethnic origin, political opinion, religious or philosophical belief, or syndicate membership, as well as genetic data, data on health state or sex life or sexual orientation of a natural person), processing whereof is prohibited, except in situations set out by the law (Article 17 of the APDP).

In addition, processing of the above-mentioned special types of personal data conducted by competent authorities for special purposes is allowed only when necessary, provided that the relevant measures for the protection of rights of the data subjects are applied, in one of the following cases:

1. the competent authority is authorized by law to process special types of personal data;
2. processing of special types of personal data is done for the purpose of protecting vitally important interests of the subjects of data or another natural person;
3. processing refers to special types of personal data that the subject of such data obviously made accessible to the public.

What was Problematic with the Draft of the New Police Law of Serbia?

In relation thereto, please be reminded that the new draft of the law regulating internal affairs in Serbia was recently withdrawn from the procedure, as it was sharply criticized for several reasons, one of them referring to provisions problematic from the aspect of personal data protection.

Namely, Article 44 of the subject draft stipulated that police, during its activities, uses data processing systems such as, among other, the system for audio and visual surveillance comprised of a set of fixed and mobile cameras, software and hardware with analytical tools and other devices and equipment intended for recording at a public place, recording, and processing of audio and video recordings and photographs of faces, vehicles, and events (with information on location and time of the recorded audio or video recording and photographs). This article further prescribed that the segments of the stated system for audio and video surveillance would be used for automatic face detection, which includes the processing of biometric data of the detected face and bodily characteristics, as well as time and location and participation of such person in the event.

The above-stated provisions of the draft were criticized for their incompatibility with the principles of personal data processing and requirements for its legality under the LPDP, particularly with regards to necessity, expediency, and proportionality of processing, as well as lack of transparency in terms of the storage period of the collected personal data, and degree of protection of databases where they are stored. In other words, such a legal solution would bring a legal dichotomy in the field of personal data protection in Serbia and increase the risk from various abuses of the systems used and data collected through them.

Latest Guidelines in this Field

Finally, the World Economic Forum published recently A Policy Framework for Responsible Limits on Facial Recognition Use Case (Law Enforcement Investigations), which contains a series of specific guidelines aimed at ensuring reliable and safe use of technologies for this type of identification, whereby the main principles that responsible use of this technology is based upon include necessity, proportionality, and transparency, as well as ensuring the accuracy of used algorithms, risk mitigation, and supervision and responsibility related thereto.

This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.