Police reprimanded for illegal processing of personal data with facial recognition software
The Deputy Data Protection Ombudsman has issued a statutory reprimand to the National Police Board for illegal processing of special categories of personal data during a facial recognition technology trial. The National Bureau of Investigation unit specialising in the prevention of child sexual abuse had experimented with facial recognition technology in identifying potential victims. The decision to try the software had been made independently by the police unit, and the National Police Board was not aware of the trial.
As the controller responsible for the processing of personal data by the police, the National Police Board notified the Office of the Data Protection Ombudsman in April 2021 of a personal data breach involving the trial use of facial recognition software by the National Bureau of Investigation in early 2020. The police had experimented with identifying possible victims of child sexual abuse with the US-based Clearview AI service.
The police had used the service for its trial period and found that Clearview AI was not suitable for the work of authorities in Finland for this purpose. During the investigation of the personal data breach, it turned out that the police had also tried a service called Arachnid for the same purpose.
The processing of personal data with facial recognition software had been performed without the approval or supervision of the controller, i.e. the National Police Board. The National Police Board had been informed of the use of the Clearview AI service by Buzzfeed News, an online media outlet based in the US.
The controller must ensure the lawfulness of processing personal data
According to the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security, the controller is responsible for the lawful processing of personal data. The Deputy Data Protection Ombudsman notes that the controller’s responsibility has not been fulfilled in these operations. It would have been the duty of the National Police Board to ensure that police personnel are familiar with regulations and the required procedures.
For example, the controller must ensure that up-to-date instructions are available for the processing of personal data and arrange sufficient supervision for the processing. Training personnel in the design and implementation of new processing methods is also the controller's responsibility. In this case, the measures taken by the controller had not prevented the unlawful processing of personal data.
Neither had the police taken into consideration the requirements for processing special categories of personal data. Facial images are biometric data as referred to in the Act on the Processing of Personal Data in Criminal Matters and in Connection with Maintaining National Security and also fall under special categories of personal data, which must be processed with particular care. Furthermore, the processing had been started without obtaining information on how the service being used processed personal data. For example, the police had not determined in advance how long the data would be stored or whether it could be disclosed to third parties.
In addition to the reprimand, the Deputy Data Protection Ombudsman ordered the National Police Board to notify the data subjects of the personal data breach insofar as their identity could be determined. The National Police Board must also request that Clearview AI erase the data transmitted by the police from its storage platforms.
Deputy Data Protection Ombudsman Jari Råman, jari.raman(at)om.fi, tel. +358 29 566 6757