The Litigation Chamber of the APD today reprimanded the City of Antwerp for its pilot project for smart noise measurement in its student district, which took place in 2022. According to the Litigation Chamber, the implementation of the project violated several provisions of the GDPR, such as the principle of legality and transparency. The Litigation Chamber orders the city to delete all voiceprints and raw audio files containing voices collected during the project.
Pilot project: noise capture in the student district of Antwerp
In 2022, the City of Antwerp installed 30 sound sensors in a targeted area of the city. The aim of this pilot project was to map noise pollution in the student district and to remedy it using technology.
The sensors recorded ambient noise continuously (7 days a week, 24 hours a day), stored in the form of 10-second “raw audio files”. When, between 7 p.m. and 7 a.m., the recorded sounds exceeded a certain noise level, the sensors prepared a voiceprint (“Mel spectrogram”), i.e. an (imaged) representation of a specific voice. These voiceprints were used to train an artificial intelligence model to classify different types of noise and activate a “nudging” system (encouragement to stop the noise).
At the end of 2022, the Inspection Service of the APD ordered the city of Antwerp to temporarily suspend the project. The law allows the Inspection Service to issue interim measures in order to avoid a situation that could cause serious, immediate and difficult-to-repair damage.
Lack of valid legal basis and appropriate guarantees
After investigation by the Inspection Service, the file was then analysed by the Litigation Chamber of the APD, which found, among other things, that the project was not based on a valid legal basis. The sensors collected sensitive data (voice prints are biometric data) or necessarily contained sensitive data (recorded conversations may include information on, for example, health or political opinions). However, the GDPR prohibits the processing of sensitive data except in a limited number of cases (listed in art 9.2 of the GDPR ). In the present case, the City of Antwerp could not validly invoke any of these exceptions.
The Litigation Chamber also notes shortcomings in terms of transparency. Among other things, it points out that the city allegedly communicated that conversations would not be recorded, but analysis of the file shows that this was indeed the case.
Finally, it notes that the voice prints were processed in an unencrypted manner on a Google cloud, whose parent company is located outside the European Economic Area (in the USA), and this with full knowledge of the facts and without appropriate risk mitigation measures.
The Litigation Chamber and the Inspection Service highlight, on the one hand, that the opinion of the city’s data protection officer (“DPO”), who had pointed out potentially problematic elements, was not sufficiently listened to; and on the other hand, that the analysis of the risks linked to the project for the rights and freedoms of individuals (also called ” AIPD “) was deficient. However, taking these remarks into consideration and an appropriate risk analysis would have made it possible to implement measures to mitigate the risks identified by the DPO, and potentially to avoid committing violations of the GDPR.
Sanction
To sanction the breaches noted in terms of, among other things, legality of processing, transparency, AIPD and transfer of data to third countries, the Litigation Chamber of the APD:
- addresses a reprimand to the City of Antwerp, and,
- orders him to delete all raw audio files containing vocals as well as voiceprints.
Before issuing its sanction, the Litigation Chamber took into consideration the fact that this was a time-limited pilot innovation project aimed at solving a recognised problem (noise pollution), and that the city had cooperated in the investigation.
Hielke Hijmans, President of the Litigation Chamber, concludes: “Data protection and innovation are not mutually exclusive. However, such technological projects must be well supervised, taking into account the potential risks for individuals, and implementing measures to mitigate them. In this sense, we insist on the importance of implementing a thorough impact analysis, and the involvement of the data protection officer.”
The APD also recalls that it provides data controllers with resources to guide them in new technologies, such as its information brochure on AI systems or its report on its “Smart Cities” study day .