The Malta Independent 20 November 2018, Tuesday

Specific laws required for mass-scale facial recognition applications – MITLA

Thursday, 7 December 2017, 18:05 Last update: about 13 months ago

The processing of biometric data through facial recognition systems by competent authorities should only be permitted when strictly necessary and must be subject to adequate safeguards laid down at law, and no such specific laws currently exist, the Malta IT Lawyers Association (MITLA) said.

The association was referring to a report in MaltaToday, which said Paceville is going to be a test case for facial recognition CCTV that could be deployed nationwide.


The report said a new government company called Safe City Malta is planning to present a proof of concept for Paceville through the deployment of a system utilising high-definition CCTV cameras with facial recognition software that can identify individuals and criminals.

MITLA said that whilst the use of state-of-the-art technology by law enforcement officials is key for the prevention, detection and investigation of criminal activities, the processing of personal data through the use of such systems has to conform with prescribed laws and must constitute a necessary and proportionate measure in a democratic society with due regard for the legitimate interests of natural persons.

“MITLA would like to point out that facial biometric data is a special category of data as defined under the new EU General Data Protection Regulation (GDPR), which will come into force in May 2018. As such, the processing of biometric data through facial recognition tools is subject to a stricter legal regime. Under current legislation, most notably, EU Directive 95/46/EC as well as the Maltese Data Protection Act and related subsidiary legislation, biometric data is already recognised, especially through the publications of Art.19 Working Party, as sensitive personal data. Facial recognition software applications and its impact on privacy is far higher than static surveillance cameras since the processing of personal data, specifically biometric data, is much more acute, automated and process-heavy. This is exacerbated by the fact that the proposed technology often exposes accuracy deficiencies, misidentifying gender and/or race. The potential introduction of such technologies at a nationwide scale makes a local debate even more urgent.”

Any introduction of facial recognition technologies, irrespective of whether launched as a pilot project or not, will require the introduction of an ad hoc legislative framework which will carefully need to balance the fundamental rights and freedoms of the citizens with the obligations and duties of competent authorities in their fight against crime and the preservation of public order, MITLA said.

“In light of the risk posed by emerging technologies, including facial recognition applications, such balance will not be easily achieved and will require careful consideration.”

Apart from compliance with the rules laid down in the GDPR, the processing of biometric data by law enforcement agencies will also need to be carried out in line with the provisions of EU Directive 2016/680 on the protection of natural persons with regard to the processing of data by competent authorities for the purpose of prevention, investigation, detection or prosecution of criminal offences. This Directive will need to be transposed by Member States by the 6th of May 2018.
