Irish municipality fined for GDPR non-compliant cameras, Finland devises centralized system
Data protection agencies in Europe are finding fault with surveillance projects and networks that violate national and GDPR regulations, but that involve little or no use of facial recognition and related biometric technologies. Ireland issues its first (and large) fine for surveillance operations in its third-largest city, Limerick, without lawful bases, while in Finland the data protection agency has worked with the police to devise new and compliant systems.
Limerick fined €110,000 for 401-camera system processing personal information
A three-and-a-half-year enquiry by Ireland’s Data Protection Commission (DPC) found multiple instances of non-compliance with GDPR and Irish data protection legislation surrounding the city and county’s deployment of a 401-camera surveillance network, automatic number plate recognition (ANPR) and two drones in public places.
The DPC’s December 2021 findings and “corrective powers exercised” are summarized by the Commission, and to summarize further, Limerick Council had installed some CCTV cameras without lawful basis, was processing personal data by CCTV cameras without lawful basis, likewise with ANPR. It also failed GDPR transparency requirements in terms of CCTV operation signage and policy availability.
Temporary bans are in place on processing personal data with CCTV cameras at some locations for the purpose of law enforcement until a legal basis can be found, likewise for CCTV cameras for traffic management.
The full DPC report on its decision finds that only 44 cameras in operation were permitted and compliant. 26 provided traffic management feeds, 13 were along a “Smarter Travel” walkway, 48 in a Smart CCTV Pilot Project across 14 towns and 314 in various locations such as housing estates, traveller accommodation sites and public spaces. 192 of these fed into monitoring centers for real-time surveillance. The report also notes that one of the cameras the Council intended to install includes facial detection.
The drones were used for tackling the illegal dumping of waste. They were not intended to record images but the Council acknowledged that if the drones did catch someone in the act, they would then capture images. This meant the Council is processing personal data for drone use.
IPVM reports that Limerick officials state cameras have not been uninstalled but functionalities violating GDPR have been deactivated. Its analysis also finds that the median GDPR fine across 30 countries had been around $3,900 meaning that Ireland’s first fine, at around $124,000 is one of the largest GDPR-related fines in Europe.
Finnish police build centralized surveillance system
The Police of Finland and the Data Protection Ombudsman have devised a new, centralized way to develop data protection practices for police surveillance in public spaces as the reality was out of line with the country’s legislation.
Municipalities were also at fault, specifically the City of Oulu and the way it cooperated with its police department. This led the Data Protection Ombudsman to engage with the police on an extensive risk assessment of technical surveillance – the recording of public places but without special categories of personal data used to identify people such as biometrics.
The assessment resulted in the police building a centralized camera system and updating their internal guidance. Surveillance systems set up by municipalities to monitor public places are brought into the new centralized system. New centralized user management allows for easier logging as required by legislation, as well as impact and risk assessment.
A new contract template which covers the processing of personal data and agrees data control is now in use between the police and any other authorities or municipalities they work with when carrying out surveillance.
Finnish police have previously considered the possibility of implementing facial recognition for recorded surveillance footage and its National Bureau of Investigation had autonomously used Clearview AI software in 2020, without National Police Board approval. This led to a statutory reprimand from the Deputy Data Protection Ombudsman in line with GDPR rules.