Reclaiming faces: Greece and the Netherlands
The Reclaim Your Face movement is growing, and our demands for transparency, limiting the accepted uses and respect for humans are becoming more and more common across Europe. New organisations are joining the coalition each week, and people across Europe continue to sign the petition to add their voices to our demands. Now, thanks to campaigning by Homo Digitalis in Greece and Bits of Freedom in the Netherlands, we’re getting closer to real political and legislative changes that will protect our faces and our public spaces from biometric mass surveillance.
Dutch DPA speaks out against biometric surveillance in public space
On 23 November, Dutch broadcasting station BNR did a morning show on facial recognition in publicly-accessible areas. In the Netherlands, these so-called ‘smart’ cameras are used more and more in supermarkets, companies and football stadiums. In the 2-hour radio show, Lotte Houwing from Bits of Freedom put forward the case for a ban and more effective enforcement against biometric surveillance technologies in publicly-accessible spaces.
Later in the show the vice-president of the Dutch data protection authority (DPA), the Autoriteit Persoonsgegevens, was interviewed. She explained that the increase in the use of facial recognition technologies in the Netherlands is because of the abuse of the legal ground of “substantial public interest”. The explanatory memorandum which accompanies Dutch privacy laws gives the example of the security of a nuclear power plant as a possible justification for the use of such technologies. This means that you cannot use these technologies against petty thieves.
The Dutch DPA thinks that part of the problem of these harmful deployments is caused by misunderstanding and lack of knowledge about what is a legitimate use of facial recognition and other biometric surveillance technology. To tackle illegitimate uses, the DPA has now sent directed guidelines to explain the law to the different industry associations that have been the biggest users of this invasive technology. So far, there has not been a direct promise regarding enforcement measures against illegitimate deployments to follow this phase of targeted information. However, the vice-president was very clear about the DPA’s perspective on biometric surveillance in public space: “It is as if somebody is following you around with a camera and a notebook throughout the whole day. That’s a surveillance society we do not want.”
We embrace these statements of the DPA and encourage them to take concrete action for our fundamental rights and freedoms in publicly-accessible spaces. Reclaim Your Face and BanThisBS!
Civil society complaints against biometric surveillance lead to official investigations in Greece
In Greece, the work of EDRi member Homo Digitalis has started to bear fruit. In June 2020 the Greek watchdog submitted two strategic complaints before the Hellenic DPA against a centralised biometric database of the Hellenic Police. The database contains fingerprints and facial images of all Greek passport holders. However, based on the EU laws on passports (namely, Regulation 2252/2004 & Regulation 444/2009) as well as the settled case-law of the Court of Justice of the EU (for example, the Willems case and the Schwarz case), biometric data shall be stored in the storage medium of the passport itself – the document we carry in our pockets and bags. More precisely, the EU laws neither prohibit nor allow for national central databases of biometric data to exist at Member State level. So, the EU countries that are interested in establishing such biometric databases must take their own legislative initiatives on this matter.
However, as Homo Digitalis claims, this is not the case for Greece. Specifically, there is no Greek law in place providing in detail all the necessary safeguards about this centralised database, such as its functions, the rules for the related data processing activities, as well as the security and organisational measures that shall be in place. It is crucial to remember that based on EU law (Article 10 of the Law Enforcement Directive), processing of biometric data is allowed where it is strictly necessary, subject to appropriate safeguards, and authorised by European Union or Member State law. So, the lack of such national legislation clearly violates European data protection laws.
In August 2020, the Hellenic DPA launched an official investigation regarding this centralised database following Homo Digitalis’ complaints. But the positive news from Greece does not stop here! Do you remember the actions of Homo Digitalis in March 2020, described in a previous EDRi-gram, against a smart-policing contract of the Hellenic Police? It related to smart devices enabling facial recognition and automated fingerprint identification during police stops. In August 2020 the Hellenic DPA started an official investigation regarding this complaint as well! Stay tuned for related developments and closely follow the ReclaimYourFace campaign for more.