The Italian ‘Garante per la protezione dei dati personali’ (Italian data protection authority) published a press release on November 14th, 2022, in which it announced that it had opened two separate investigations into the use of ‘smart video systems’ by two Italian municipalities.
First, the Italian watchdog opened an investigation into a project carried out by the municipality of Lecce, in Southern Italy, which involved, among other things, launching a system that provides for the use of facial recognition technology. In this respect, the Italian DPA recalled that under both European and Italian law, “the processing of personal data carried out by public entities, by means of video devices, is generally permitted if necessary for the performance of a task in the public interest or related to the exercise of public powers”.
It is worth highlighting the fact that the Italian parliament adopted a moratorium on the use of facial recognition in public places, which will last until December 21st, 2023, unless data processing of such kind “is carried out for investigations by the judiciary or prevention and repression of crimes”.
The Garante asked the municipality to provide a description of the chosen system, the purposes of and legal basis for the data processing, a list of the databases consulted by the device and an impact assessment.
Second, the Italian DPA opened another investigation into a system that uses infrared glasses, which the Municipality of Arezzo intends to deploy from December 2022. The purpose of such a system would be detect offences from the number plate and to verify that the driver’s licence is valid.
The Garante fears that using video devices in such a way will indirectly give the impression that workers’ activity is being monitored remotely. The DPA asked the Arezzo Municipality to provide a copy of the information that will be given to those who are subject to the system, and to the agents who will wear the devices. It also requires that an impact assessment on the data processing be conducted.
These two investigations show that Italy and in particular the Italian DPA are at the forefront of regulation concerning the use of smart video devices and facial recognition. As we have noted in previous articles, the Italian DPA has been very active in setting limits on the use of facial recognition in public places.
As a matter of fact, the Garante recently fined Clearview AI 20 Million euros for having contravened the GDPR due to an unlawful processing of data. It also determined that the Italian police force’s projected use of the SARI Real Time system, which was intended to identify people’s faces in public places in real time, for the purpose of preventing and repressing crime, would be unlawful, if implemented. The Garante has also issued an Opinion on the use of facial recognition systems in the Municipality of Como, which was deemed unlawful.
These two investigations therefore represent the logical continuation of the action undertaken by the Italian DPA several years ago towards strict control of smart video and facial recognition systems, which pose risks to Italian citizens’ privacy and fundamental rights.