Discrepancy in enforcement between biometric data protection in public, private sectors

UK’s ICO plans to continue keeping fines low for the public sector, while on the continent CNIL has published the results of its investigation into police use of AI video analysis tools, and the GPDP fines Italian food delivery service Foodinho.

UK will continue to keep data privacy fines low for public sector

The UK Information Commissioner’s Office has published the results of its experimental reduction of fines for data breaches for public organizations – promising to continue the practice.

The two-year trial kicked off in June 2022 under the name Public Sector Approach (PSA). Its goal was to raise data protection standards among public bodies without burdening them with hefty monetary penalties. Instead, the public organizations received warnings, reprimands and enforcement notices, with fines only issued when necessary.

The measures resulted in public organizations paying only £1.2 million (US$1.5 million) in fines instead of a possible £23.2 million ($29.5 million), according to the ICO report. The ICO also published 60 reprimands to public sector organizations, including local councils, hospitals, municipal police, the Ministry of Justice and the National Healthcare Service (NHS) Trust.

“The review of the two-year trial shows the Public Sector Approach has had an impact, with some notable achievements, areas with more to do, unexpected challenges and unintended consequences,” says John Edwards, the UK Information Commissioner.

Edwards added that the ICO will launch a consultation based on the feedback it has received, concluding on January 31st, 2025.

CNIL reveals investigation results into police use of Briefcam software

French data privacy regulator has published the results of its investigation into the use of AI video surveillance by the French national police, including software made by BriefCam which offers facial recognition.

The National Commission for Information Technology and Civil Liberties (CNIL) concluded that the French Ministry of the Interior did not use the software to analyze video in real-time nor use real-time facial recognition in public spaces. The government agency, however, issued six formal notices to municipal police over regulatory breaches and warned that the Interior Ministry has not been submitting compliance paperwork on time.

The Ministry has pledged to comply with the formal notice, according to news agency AFP.

The investigation was kicked off in December 2023 after media uncovered the police purchases of video analysis software from Israeli firm BriefCam. According to French law, facial recognition is not allowed while AI software such as those made by Briefcam can be used legally for retrospective analysis of video captured by surveillance cameras but only with the proper steps, including authorization of the magistrate.

AI video analysis software gained prominence during the Paris Olympics 2024, where it was used to track crowds, abandoned luggage and threats in public spaces. To ensure that the system could be used in real-time during the Olympics, the government created a temporary experimental legal framework. The framework, however, still banned facial recognition.

The CNIL investigation did not cover the period of the 2024 Olympics and Paralympics Games which are analyzed in a separate investigation.

Italian data privacy watchdog issues $5.2M fine to food delivery service

Italian food delivery service Foodinho has received a 5 million euro ($5.2 million) fine for unlawfully processing the personal data of more than 35,000 delivery workers. The Milan-based firm, partially owned by Spanish start-up Glovo, was found to transmit riders’ geolocation data to third parties without their knowledge, even when they were not working.

The Italian Data Protection Authority (GPDP) also banned the company from using biometric data of its delivery workers, including facial recognition for identity verification.

Foodinho was previously fined in 2021, with GPDP forcing the firm to change the algorithms used to manage staff.

A further example of the discrepancy in enforcement can be seen in the treatment of U.S.-based facial recognition provider Clearview AI. Regulators in the Netherlands, France, Greece, Italy and the UK have all slapped massive fines, totalling $103 million, on the company for illegally collecting and processing biometric data.

Article Topics

biometric data  |  biometric identifiers  |  biometrics  |  Clearview AI  |  CNIL  |  data protection  |  EU  |  GDPR  |  Information Commissioner’s Office (ICO)  |  regulation  |  UK