Europe’s incoming General Data Protection Regulation (GDPR) could take public safety companies by surprise, and even force them to shut down. This was the view, as technology companies at Critical Communications World (CCW) in Berlin showed facial recognition technology (FRT) and biometric solutions for public safety agencies.
“The risk here is that a lack of visibility may lead to drastic measures that undermine public safety. If an organisation fears a data breach has occurred, it is very likely they will shut down all their systems to quarantine the attack. And this results in the cessation of public safety services,” commented Peter Batchelor, public sector director at California-based Skybox Security.
UK Information Commissioner Elizabeth Denham wrote in a blog this week that police forces must demonstrate clearer grounds for using advanced FRT technologies. “For the use of FRT to be legal, the police forces must have clear evidence to demonstrate that the use of FRT in public spaces is effective in resolving the problem that it aims to address, and that no less intrusive technology or methods are available to address that problem,” she said.
“Strengthened data protection rules coming into law next week require organisations to assess the risks of using new and intrusive technologies, particularly involving biometric data, in a data protection impact and provide it to my office when the risks are difficult to address.”
Denham’s comments were a response to reports in the Independent and Wired in the UK that FRT software in the hands of at least two UK police forces has returned “false positives” in more than 98 per cent of cases, including at major sporting events. The UK’s biometrics commissioner has said the technology is “not yet fit for use”.
Following a freedom of information (FOI) request, it was revealed that South Wales Police had only positively matched 173 attendees of the UEFA Champions’ League Final in June 2017, out of a possible 2,297 alerts. Matches would go through a second screening to confirm if it was a true or false positive, which flagged potential invasion of privacy.
Further concerns around GDPR in public safety were flagged in March 2018, when it was revealed that Gwent Police failed to inform up to 450 people that hackers may have accessed their confidential information. This came to light after the organisation found that an online tool that allowed citizens to report incidents to the Police was exposed to hackers.
Speaking at CCW, Skybox Security’s Batchelor suggested public safety companies could be more vulnerable that they might have originally thought. “Like any other body, if a public safety organisation does not understand, nor have visibility of, their assets and systems that store and manage public data, then they cannot apply the required GDPR standards,” he said.
Motorola Solutions noted responsibility for data protection is with the organisation capturing and processing data, rather than with the author of the tools they employ to do so.
Vice president for Western Europe and North Africa Phil Jefferson commented: “At a high level, who knows? For us, there are two strands: how our customers use the data, and how we use data ourselves. To us, the responsibility of the data falls on the organisation rather than the device manufacturer.”