Facial recognition: Homo Digitalis calls on Greek DPA to speak up
In the spring of 2019, the Hellenic Police signed a €4 million contract with Intracom Telecom, a global telecommunication systems and solutions vendor, for a smart policing project. Seventy five percent of the project is funded by the Internal Security Fund (ISF) 2014-2020 of the European Commission.
In the spring of 2019, the Hellenic Police signed a €4 million contract with Intracom Telecom, a global telecommunication systems and solutions vendor, for a smart policing project. Seventy five percent of the project is funded by the Internal Security Fund (ISF) 2014-2020 of the European Commission. The Hellenic Police published a press release for the signature of this contract in December 2019, while the vendor had publicly announced it earlier, in July 2019.
Based on the technical specifications of the contract, the vendor will develop and deliver to the Hellenic Police smart devices with integrated software enabling facial recognition and automated fingerprint identification, among other functionalities. The devices will be in the size of a smartphone, and police officers will be able to use them during police stops and patrols in order check and identify on the spot individuals who do not carry identification documents with them. The police officers will also be able to take a close-up photograph of an individual’s face and collect her/his fingerprints. Then, the fingerprints and the photographs collected will immediately be compared with data already stored in central databases after which the police officers will get the identification results on their devices.
The Hellenic Police claims that this will be a more “efficient” way to identify individuals in comparison to the current procedure, i.e. bringing any individuals who do not carry identification documents to the nearest police station. Based on the timetable for the implementation of the project, the devices and the related systems should be fully functional and ready for use within 20 months of signing the contract. Thus, it is anticipated that the Hellenic Police will be able to use these devices by the beginning of 2021.
Once the Hellenic Police published its press release in December 2019, EDRi observer Homo Digitalis addressed an Open Letter to the corresponding Greek minister requesting clarifications about the project. More precisely, based on the provisions of the Directive 2016/680 (LED) and the Greek Law 4624/2019 implementing it, Homo Digitalis asked the Minister of Citizen’s Protection whether or not the Hellenic Police has consulted the Hellenic Data Protection Authority (DPA) on this matter and/or conducted a related Data Protection Impact Assessment (DPIA) and what the applicable safeguards are, as well as to clarify the legal provisions that allow for such data processing activities by the Hellenic Police.
In February 2020, the Hellenic Police replied but neither confirmed nor denied that a prior consultation with the Hellenic DPA took place or that a DPIA was conducted. Moreover, Homo Digitalis claims that the
Hellenic Police did not adequately reply about the applicable safeguards and the legal regime that justifies such data processing activities.
As a result of this inaction from public authorities, on March 19, 2020 Homo Digitalis filed a request for opinion to the Hellenic DPA regarding this smart policing contract. The request is based on the national provisions implementing article 47 of the LED which provides for the investigatory, corrective and advisory powers of the DPAs.
With this request, Homo Digitalis claims that the processing of biometric data, such as the data described in the contract, is allowed only when three criteria are met: 1. it is authorised by Union or Member State law, 2. it is strictly necessary, 3. and it is subject to appropriate safeguards for the rights and freedoms of the individual concerned. None of the above mentioned criteria is applicable in this case. Specifically, there are no special legal provisions in place allowing for the collection of such biometric data during police stops by the Hellenic police. Moreover, the use of these devices cannot be justified as strictly necessary since the identification of an individual is adequately achieved by the current procedure used. Nevertheless, such processing activities are using new technologies, and are very likely to result in a high risk to the rights and freedoms of the data subjects. Therefore, the Hellenic Police is obliged to carry out, prior to the processing, a data protection impact assessment and to consult the Hellenic DPA.
Read more:
Homo Digitalis’ request for opinion to the Hellenic DPA (only in Greek, 19.03.2020)
https://www.homodigitalis.gr/wp-content/uploads/2020/03/HomoDigitalis.pdf
Press Release of Hellenic Police (only in Greek, 14.12.2019)
http://www.astynomia.gr/images/stories/2019/prokirikseis19/14122019anakoinosismartpolicing.pdf
Press Release of Intracom Telecom (02.07.2019)
http://www.intracom-telecom.com/en/news/press/press2019/2019_07_02.htm
The technical specifications of the smart policing contract (Only in Greek, 12.04.2018)
http://www.astynomia.gr/images/stories/2018/prokirikseis18/12042018-texn_prod.pdf
Homo Digitalis’ Open Letter to the Minister of Citizen’s Protection (only in Greek, 16.12.2019)
https://www.homodigitalis.gr/posts/4662
Reply to Homo Digitalis’ Open Letter by the Hellenic Police (only in Greek, 14.02.2020)
https://www.homodigitalis.gr/wp-content/uploads/2020/02.pdf
(Contribution by Eleftherios Chelioudakis, EDRi observer Homo Digitalis, Greece)