Italian Supervisory Authority rejects the Ministry of the Interior facial recognition system
On 16 April 2021, the Italian Supervisory Authority (“Garante”) published an opinion on the facial recognition system named “Sari Real Time”, developed on behalf of the Ministry of the Interior, in which expresses its denial to the activation of the system and warns the controller that the related processing of biometric data would be unlawful.
“Sari Real Time” is a facial recognition system – never activated yet – composed by cameras installed in a pre-defined and delimitated territorial area that, by the processing of biometric data, alerts the police authority whenever the system finds a match between a passersby’s face and one of the 10.000 faces stored in its datacenter. In the Ministry of Interior data protection impact assessment (DPIA) draft, the system is described as an helper of the Police members in preventing public disorder and managing the public security in several high risk events (e.g. public demonstration at risk of riots).
In its opinion, the Garante reminds that the exploitation of facial recognition system for the purposes of the prevention, investigation, detection or prosecution of criminal offences has always been under the watchful eye of the Council of Europe that, in fact, adopted specific recommendations on this item, drawing the Legislators attention on the respect of two basic conditions: the proportionality of purpose and the appropriateness of security measures.
Long story short, the Council of Europe, in accordance with the provisions of the Directive 2016/680 (“Law and enforcement Directive”), has always underlined that the individual’s biometric data can be processed only in the scope of a targeted surveillance denying, on the other hand, the possibility of using facial recognition system for mass-surveillance purpose.
After reminding that, the Authority states that “Sari Real Time” isn’t in compliance with the above-mentioned limit because, by allowing the surveillance of all the passersbyes of the territorial perimeter covered by the system, the processing isn’t restricted to specific individuals suspected of criminal, being instead designed as a real mass-surveillance tool.
Furthermore, the Garante pinpoints the absence of a legal basis for such a processing.
Once having highlighted that the Sari Real Time processing falls in the scope of the Law and enforcement Directive and that this act allows the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences only if based on Union or Member State law, the Authority ends by saying that any specific legal provision allowing the processing of biometric data is indicated in the DPIA draft by the controller
In conclusion, considering the lack of legal basis and the invasiveness of the processing that would have been carried out by the system, the Garante completely rejects its activation.
You can read the opinion here.