A project like ‘Safe City Malta’ will need a data protection impact assessment before it can be carried out, the EU Commissioner for Justice has said.
In a written response to Local Councillor Michael Briguglio, Ms Věra Jourová explains that for such a large-scale project, which would gather so much data from public areas using sophisticated technologies, the processing could ‘likely result in a high risk for the freedoms of natural persons.’
For this reason, a data protection impact assessment would need to include ‘an assessment of the necessity and proportionality of the processing operations, an assessment of the risks to rights and freedoms of data subjects, and measures envisaged to address those risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.’
This response follows a letter sent by Briguglio to Ms Jourová and her colleagues leading other related EU departments involved in Security, Digital Technology and Data Protection. Briguglio calls on the services of the Heads of the Commissions over the Maltese government’s plan to introduce facial recognition technology (FRT) into some of Malta’s most populated streets.
Newsbook.com.mt had previously reported on the proposal for installing FRT cameras to be piloted in Malta through the newly established company ‘Safe City Malta’. The decision was part of two Memoranda of Understanding signed between the Maltese government and the Chinese technology firm Huawei.
The new cameras would be intended for roll-out in Paceville to aid police in investigating fights and to prevent theft and stabbings. The cameras could ultimately help them pick out a face in the crowd.
The Malta Information Technology Law Association (MITLA) had voiced its concerns about the legality of such technologies under GDPR rules, as well as how the information would be processed. MITLA also stressed the importance of debating the balance between the rights and freedoms of the citizen and the roles and responsibilities of law enforcement to maintain law and order. They say that ‘such balance will not be easily achieved and will require careful consideration.’
The United States had originally voiced its national security concerns over the firm becoming involved with one of its large telecoms companies, AT&T. They believed Huawei to be an ‘instrument of the Chinese State,’ and thus liable to carry out espionage which subverted the integrity of the US’ telecommunications. The deal with AT&T was ultimately scrapped and the sale of the Mate 10 handset cancelled.
Needs to be in line with GDPR
Briguglio points out that according to Professor Joseph A. Cannataci of the University of Malta’s Department for Information Commerce and Governance, the grounds for the ‘Safe City Malta’ project would need to be in line with the EU General Data Protection Regulation (GDPR), EU Police Directive and the Council of Europe Convention no.108 on Data Protection (Protocol CETS 223). These instruments of European law are also presented by the MITLA.
In the public interest and who controls the data
In addition to an impact assessment, Jourová also states that the persons who are identified as the trusted data controllers must then also determine that the task being carried out and the processing of the data ‘is necessary for the performance of a task in the public interest.’
She adds that, ‘According to settled case law, the protection of personal data requires that limitations in relation to that fundamental right can only apply in so far as it respects the essence of that right and is strictly necessary and proportionate.’
With this in mind, Jourová goes further to explain that the data controller should be held accountable for their actions and choose technology which complies with the regulations.
‘It is therefore for the accountability of the controller, to choose only such technology, which is compliant with the data protection principles and requirements, regardless whether that technology is developed by a European company or by a provider from outside the EU.’
While asking for detailed information from the government surrounding the project dynamics of ‘Safe City Malta’, Briguglio also hopes that the EU Commissioners can help encourage the government to carry out a public consultation on the issue, seeing as it will affect the public directly.
Jourová acknowledges the limitations of the GDPR in encouraging such public involvement, stating instead that ‘where appropriate,’ ‘the controller shall seek the views of data subjects or their representations on the intended processing.’
In the public interest Mr Prime Minister
Following on from the letter to the EU Commissioners and the response from the EU Justice Commissioner Věra Jourová, Briguglio issues nine points raised by Jourová which outline a demand for transparency on the legal as well as practical elements of the ‘Safe City Malta’ project.