Video surveillance and artificial intelligence: sanctions against a Public Body by the Italian DPA
Background of the case
The Municipality of Trento participated in the "Marvel" and "Protector" research projects aimed at developing technologies to enhance urban security.
In particular, the Marvel project involved the acquisition of videos from surveillance cameras and audio files from microphones installed on a public street. These data were then anonymized and analyzed using AI techniques to find possible events relevant to public safety.
The Protector project included the collection of videos and the analysis of hate posts on Twitter on YouTube to identify possible risks and threats to places of worship.
Legal framework assessed by the DPA
Firstly, the DPA deemed the GDPR applicable, highlighting the inadequacy of the data anonymization techniques used. For audio files, particularly, the technique used was the voice substitution, which did not remove the spoken content that could contain personal data. For video files, face and license plate blurring did not prevent identification through other physical characteristics or contextual elements.
The DPA stated, therefore, that the processing fell under Articles 9 and 10 of the GDPR, concerning the processing of special categories of personal data and data relating to criminal convictions and offenses. Particularly, the Protector project processed data revealing possible religious beliefs, while the Marvel project aimed to detect events relevant to public safety, potentially constituting offenses.
Confirmed violations
Regarding the principle of lawfulness of the processing of personal data, the DPA stated that there was a lack of an adequate legal basis to justify the data processing. In its defense, the Municipality of Trento based its processing on Article 2 of Regional Law No. 2/2018 and Articles 3 and 7 of the Municipality's Statute, which include, among local administrative functions, the cultural, social, and economic development of the population. However, the DPA stated that these provisions could not constitute a valid legal basis as they only assign a very generic competence to the Municipality, without meeting the quality requirements for the legal basis.
In support of its thesis, the DPA referred to the case-law of the European Court of Justice, which stated that the legislation underlying a measure which allow a data processing must provide clear and precise rules governing its scope and application. Additionally, according to the European Court of Justice, the legislation must impose minimum requirements so that data subjects have sufficient guarantees to effectively protect data against the risk of abuse.
As a further violation, the DPA highlighted that the privacy notice did not provide all the information required to data subjects. The notice, particularly, did not inform data subjects on: (i) the purpose related to a research project; (ii) the fact that the content of the recordered conversations would also be acquired and processed for the Marvel project; (iii) the data retention period.
The DPA also highlighted that the Municipality did not conduct an adeguate data protection impact assessment (DPIA) before launching the "Marvel" and "Protector" projects, that is a must have requirement for data processing like the one in analysis providing a large-scale systematic surveillance and the use of AI. The DPIA provided by the Public Body in the proceeding, particularly, was inadequate as it lacked a certain date, it was not signed by an authorized representative, and it did not sufficiently cover all data processing operations, particularly for the "Protector" project and data from "Twitter" and "YouTube." The DPIA, moreover, failed to assess the necessity and proportionality of data processing and it did not consider all the possible risks to the rights and freedoms of individuals.
Sanctions
The DPA ordered the Municipality to pay a sanction of 50,000 euros and banned the processing of personal data already collected within the projects “Marvel” and “Protector”, ordering the deletion of such data.
Conclusion
The case of the Municipality of Trento highlights the importance of strict application of the GDPR, especially in contexts involving surveillance and artificial intelligence. Public authorities, as any other data controller, must ensure that the processing of personal data using AI system is supported by a solid legal basis and that anonymization techniques are genuinely effective. This case also highlighted the stringent approach of the Italian Data Protection Authority in enforcing data protection regulations.
Article provided by INPLP member: Chiara Agostini (RP Legal & Tax, Italy)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)