Home

Some companies that have chosen us

Privacy Officer and Privacy Consultant
CDP Scheme according to ISO/IEC 17024:2012
European Privacy Auditor
ISDP©10003 Certification Scheme according to ISO/IEC 17065:2012
Auditor
According to standard UNI 11697:2017
Lead Auditor ISO/IEC 27001:2022
According to standard ISO/IEC 17024:2012
Data Protection Officer
According to standard ISO/IEC 17024:2012
Anti-Bribery Lead Auditor Expert
According to standard ISO/IEC 17024:2012
ICT Security Manager
According to standard UNI 11506:2017
IT Service Management (ITSM)
According to the ITIL Foundation
Ethical Hacker (CEH)
According to the EC-Council
Network Defender (CND)
According to the EC-Council
Computer Hacking Forensics Investigator (CHFI)
According to the EC-Council
Penetration Testing Professional (CPENT)
According to the EC-Council

Professional qualifications

Stay up-to-date with world news!

Select your topics of interest:

News

Home / News
/
ITALIAN SUPERVISORY AUTHORITY: opinion of Sari Real Time system

ITALIAN SUPERVISORY AUTHORITY: opinion of Sari Real Time system

During today’s reunion, to which participates the Professor Pasquale Stanzione, the president, Prof. Ginevra Cerrina Feroni, the vice-president, avv. Guido Scorza and the Doc. Agostino Ghiglia, members and the cons. Fabio Mattei, general secretary;

SEEN the European Regulation (2016/679) of the European parliament and of the council of the 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – here in after GDPR);

SEEN the Decree-Law of the 30th of June 2003, n. 196, bearing the Code about personal data protection, integrated with changes introduced by the Decree-Law of the 10th of August 2018, n. 101 (here in after the “Code”);

SEEN the European Directive 2016/680 of the European parliament and of the council, about the natural persons protection with regard to personal data processing by relevant authorities for prevention, investigation, assessment and pursuit of crimes and or the execution of criminal sanctions, as well as the free circulation of those data and that abrogates the decision of the framework 2008/977/GAI of the Council;

SEEN the Law-Decree of the 18th of May 2018, n. 51, bearing the Implementation of the European Directive 2016/680 (hereinafter “Decree”);

SEEN the Regulation n, 1/2019 about inner procedures with external relevance aimed to the development of tasks and the exercising of powers demanding to the Italian Data Protection Authority (hereinafter “Regulation n. 1/2019”);

ESAMINED the system Sari Real Time and its connected previous impact assessment on personal data protection;

SEEN the observations of the Office, made by the General Secretary according to the article 15 of the Regulation of the Italian DPA n. 1/2000 on the organization and the functioning of the Office of the Italian Data Protection Authority;

Relator the lawyer Guido Scorza;

PREMISED THAT

The Ministry of the Inner Department of the Public Security has sent to this Authority the description of the system Sari Real Time, accompanied by a draft of the impact assessment, according to the article 23 of the Decree, in which are integrated the description of the architecture of the system and the relative operation instructions.

Since the produced documentation it results that the system Sari Real Time – in the present state of things it not in force – permits, with a series of video cameras installed in a specific geographical area, to analyze in real time faces of recorded subjects, by comparing them with a bank data (called “watch-list”), that can include until 10.000 faces.

If, by an algorithm of facial recognition is found a correspondence between a face included into the watch list and a face recorded by video cameras, the system is able to generate an alert which recalls the attention of the opertors. The system permits, in addition, to register the images recorded by video cameras, “by carrying out a video surveillance function”.

The system, projected and developed as a mobile solution, can be installed directly in the place where there is the exigence of having a technology of facial recognition in order to support Police Forces during the management of order and public security, or in relation to specific exigences of the Judicial Police.

In the impact assessment are recalled, in different ways, some legislative disposals, which are considered contributing with the aim of the classification and the juridical fundamental of the processing and, particular: some articles of the Code of Criminal Procedure (articles134 c.4, 234, 266, 431 c.1 lett. b, in addition articles 55, 348, 354 e 370 on the activity of the Judicial Police); the Decree of the Interior Ministry of the 24th of May 2007 (Identification of the processing of personal data carried out by the Data Processing Centre of the Department of Public Security or by the police on the data intended to be transferred to it, or by public security bodies or other public entities in the exercise of powers conferred by law or regulation, carried out by electronic means and their holders) ; art. 1 of the Consolidated Law on Public Security (T.U.L.P.S.), approved by Royal Decree no. 773 of 18 June 1931; Law no. 121 of April 1981 on the Administration of Public Security; Presidential Decree no. 15 of 15 January 2018, regarding the protection of personal data with regard to the processing of data carried out for police purposes; Legislative Decree no. 51/2018.

OBSERVES

1) The usage of facial recognition technologies for prevention and crimes repression purposes is object of high attention, like it is mentioned by the Guidelines of the European Council, which reports the intrusiveness that his brings for the right to the private life and to the dignity of people, together with the risks of negative consequences on other human rights and fundamental freedoms

The Guidelines recalls legislators and those ones who have the responsibility of adopt decision to establish specific legislation for the biometrical data processing by technologies of facial recognition for contrast purposes, in order to guarantee that their compromise is strictly necessary and proportionated to the purposes and are prescribed the necessary guarantees.

The images processing in order to identify people in the public contest is extremely sensitive and for this reason necessary a join impact assessment, in order to avoid that singular initiative, mixed together, by defining a new model of surveillance will introduce a no reversible change into the relationship between individual and authority.

It is important consider that the system realizes a automated processing on large scale that can refer to, among other things, to those persons in political and social manifestation, that are not subject of “attention” by Police Forces; and even if the in the impact assessment presented by the Ministry it is explained that the images will be immediately deleted, the identification of a person will be realized by the biometrical personal data processing of those ones are in the controlled spaces, in order to generate models which can be comparable to those one included into the “watch-list”. For this reason, it is determined an evolution of the very nature of surveillance activity, which would mark a transition from targeted surveillance of certain individuals to the possibility of universal surveillance.

2) The Sari Real Time system, aimed to carry out a personal data processing for prevention of crimes and offences to the public security and, also upon delegation of the Judicial Authority, to investigate, acetate and pursuit of crimes, is part of the field of application of the Decree.

The special discipline for this typology of processing, compared to those one mentioned by the GDPR, underlines that those processing determines a strong interference with their private life of data subjects, that shall underline a justification into an adequate legal basis.

The article 5 of the Decree, pursuant the article 3 of the European Directive 2016/680, requires that personal data processing by Police Forces shall be based on legislations, or, where it is required, of Regulation.

In compliance with the European Convention for the protection of human rights and fundamental freedoms, which article 8 requires that each person has the right of the respect of the private and familiar life and can not be any interferences of a public authority in the exercise of this right unless that this interference is required by the legislation and constitutes a measures that, in a democratic society, is necessary to the national security, the public security, the economic prosperity of the country, to the defense of the order and the prevention of crimes, the protection of the health or of the moral, or to the protection of rights and freedoms of others.

Also the article 52 of the Charter of Fundamental Rights of the European Union establishes that eventual limitation to the exercise of rights and freedoms recognized by the Charter – among which the right to the respect of private life, ex article 7, and those one to the protection of data of a personal nature, ex article 8 – shall be required by the Law and respect the essential content of rights and freedoms.

Personal data object of the processing are parts of particular categories of data in the article 9 of the GDPR, form of “biometrical data aimed at identify in a unique way the natural person”.

For the overmentioned circumstances, also in relation to the usage of the system during public events, the processing determines the possible involvement of additional personal data mentioned into the article 9 of the GDPR, like those one suitable to reveal political opinions or the trade union membership.

The article 7 of the Decree establishes that the processing of particular categories mentioned into the article 9 of the GDPR subjected to specific conditions, among which those one of being “specifically required by the European Rights or by the Law or, in cases required by the Law, by Regulation”.

However, in the documentation provided by the Ministry of the Interior and among the regulatory sources indicated by it, there is no specific provision allowing this type of treatment.

In particular, the Decree, even if it provides in the abstract such treatments, cannot be considered, in itself, as a source of legislation suitable to legitimize them, since it is intended to specify the conditions that allow the implementation, among which it identifies, the existence of a provision of Union law or of a national State specifically authorizing it.

The article 1 of the T.U.L.P.S. provides for the general tasks in which the activity of the Public Safety Authority is declined but does not contain any reference to the processing in question.

The d.p.r. of the 15th of January 2018, n. 15, identifying the methods of implementation of the principles of the Code with regard to the processing of data carried out for police purposes, adopted in implementation of Article 57 of the former Code, provides for and regulates the processing of data through video surveillance and camera, audio and video (Chapter V) systems ontologically different from those of biometric data.

Articles 134 co.4, 234, 266 and 431 co.1, lett. b, of the Criminal Procedure Code, referred to in the impact assessment, concern, respectively, the documentation of acts for audiovisual reproduction, the acquisition of writings or other documents by photography, cinematography, phonography and other means, interception of communications between persons present by means of portable electronic devices and interception of flows of telematic communications. Therefore, those provisions do not constitute an appropriate legal basis for the processing of biometric data for personal identification.

Finally, Articles 55, 348, 354 and 370 of the Code of Criminal Procedure, which are also mentioned in the impact assessment as reference sources, relate to the judicial police functions in ensuring sources of evidence and conducting investigations on places or persons, on the initiative or by delegation of the judicial authority, but do not provide for the processing of biometric data, so that they do not constitute that specific source of legislation required by art. 7 of the Decree.

3) In conclusion, there is no suitable legal basis at present, within the meaning of art. 7 of the Decree, to allow the processing of biometric data in question, as well as recently noted by the Authority in a case for some comparable profile (measure n. 54 of 26 February 2020, available on the website of the Authority, doc. web n. 9309458).

In this respect, it should be noted that this legal basis, as a result of the weighting of all the rights and freedoms involved, must, inter alia, make the use of such systems adequately predictable, without conferring such a wide discretion that its use depends in practice on those who will be called upon to dispose of it, rather than on the enactment of legislation.

This also applies to certain fundamental aspects of the use of the facial recognition technique in question, such as, by way of example, the criteria for identifying the subjects that can be included in the watchlist or those to determine when the system can be used. Consideration should also be given to the limitations of the techniques in question, which are known to be based on statistical estimates of the correspondence between the elements compared and, therefore, intrinsically fallible, estimating the possible consequences for those concerned in the event of false positives.

The previous observations absorb the need to examine the draft impact assessment produced by this Administration, with reference to which it is noted, however, that it is of particular importance to ensure the accuracy and ability to discriminate, which must be checked to ensure that the system is also fully adequate with regard to members of ethnic minorities.

IN THE LIGHT OF THE ABOVE THE AUTHORITY

According to article 24, paragraph 5 and the article 37, paragraph 3, letter c) of the Decree expresses the not favorable opinion in the terms in which into motivation on the project and warns the data controller that the processing of biometrical data  by the Sari Real Time system, appears not in compliance to the discipline mentioned into the Decree, in the absence of specific and adequate legitimate measures.

Pursuant to article 152 of the Code and the article 10 of the Legislative Decree of the 1st of September 2011, n. 150, by this proceedings can be proposed objection to the Judicial Authority, with application lodged to the ordinary Court of the place in which the data controller is based, within the expiring data of 30 days since the communication of the measure.

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELL’ITALIA – GPDP

Recommended to you

Advanced Research