The Assistant of the Personal Data Protection Commissioner has issued a notice to the National Police Board in accordance with the Criminal Data Protection Act, as the police have illegally processed special categories of personal data in the experimental use of facial recognition technology. The Central Criminal Police Unit for Combating Sexual Exploitation of Children had tested facial recognition technology to identify potential victims. The decision on the trial had been made by the police and the National Police Board was not aware of the trial.
In April 2021, the National Police Board notified the Office of the Data Protection Commissioner of a security breach involving the trial use of a facial recognition programme in the Central Criminal Police in early 2020. The police had trialled the US-based Clearview AI service to identify potential victims of child sexual abuse using facial images.
The police had used the service for a trial period and then stated that Clearview AI was not suitable for this purpose in Finland. During the investigation of the security breach, it emerged that the police had also tried a service called Arachnid for the same purpose.
The processing of personal data with facial recognition programmes had taken place without the consent or supervision of the data controller, the National Police Board. The National Police Board had received information about the use of the Clearview AI service from the US online publication BuzzFeed News.
Data controller must ensure lawful processing of personal data
According to the Criminal Data Protection Act, the data controller is responsible for ensuring that personal data are processed lawfully. The Assistant Data Protection Supervisor states that the data controller’s responsibility for the processing of personal data has not been fulfilled in practice. The National Police Board had a duty to ensure that police officers were aware of the regulations and procedures they had to follow.
For example, the controller must ensure that up-to-date instructions for the processing of personal data are in place and that the processing is subject to adequate controls. Training on the design and use of new processing methods is also the responsibility of the data controller. In this case, the actions of the controller had not prevented the unlawful processing of personal data.
The police also failed to take into account the conditions relating to the processing of special categories of personal data. Facial images are biometric personal data within the meaning of the Criminal Data Protection Act and belong to special categories of personal data. Such data must be processed with special care. Moreover, the processing of personal data had started without obtaining information on how the service processes personal data. Before starting to use the service, for instance, the police had not clarified how long the data would be kept or whether they could be passed on to third parties.
In addition to the notice, the Assistant Commissioner for Data Protection ordered the National Police Board to report the personal data breach to those whose identity is known. In addition, the National Police Board must ask Clearview AI to delete the data transmitted by the police from its storage media.