BKA on software tests with millions of police photos: The GDPR allows this
Can the Federal Criminal Police Office (Bundeskriminalamt) use millions of police photos to test facial recognition software? The legal situation is unclear.
View into a data center of the Federal Criminal Police Office.
(Image: BKA)
Modern facial recognition is critical for the Federal Criminal Police Office (Bundeskriminalamt, BKA) to prosecute crimes and ward off dangers. It is equally important to avoid classification errors, writes a BKA spokesperson in a statement to heise online. Because publications such as those from the US NIST in 2014 suggested that there were even more powerful algorithms than those used by the police authority at the time, the BKA set up a project group in 2016 to explore alternatives. In the process, the BKA extracted 4.8 million facial images from the INPOL-Z information system and used them for software tests together with the Fraunhofer Institute for Computer Graphics Research (Fraunhofer IGD).
The process was documented by inquiries from the spokesperson of the Chaos Computer Club on the platform "Frag den Staat", as reported last week by BR. It became clear that there are different, or at least differentiated, views on the legal basis of such software tests. The BKA has now emphasized to heise online that these tests are permitted under the General Data Protection Regulation (GDPR), especially considering the great importance of facial recognition for law enforcement and security, to avoid mapping errors and, in particular, to ensure the security and reliability of data processing. Specifically, the BKA refers to Art. 6 Para. 1 lit. c and Art. 9 Para. 2 lit. g of the GDPR, with Section 64 of the Federal Data Protection Act (BDSG).
"Unsatisfactory legal situation"
Wenke Kant, spokesperson for the Federal Commissioner for Data Protection, also refers to Article 6 of the GDPR in a statement to heise online. Police authorities are allowed to test on this basis. "At the same time, the facial recognition software used must be regularly evaluated and tested to prevent errors, discrimination, risks of misuse and IT security risks." The legal situation for this is unsatisfactory. The data protection officer has therefore called for a specific legal basis to be created.
Kant explains that by testing the facial recognition software, the BKA has taken precautions to ensure that the software used does not lead to false results. This was also required under data protection law in the interests of the accuracy and security of data processing. The choice of an incorrect legal basis does not necessarily mean that the data processing is unlawful.
Section 49 sentence 2 of the BDSG should be considered in this discussion, explains Kant. According to this, data that has been collected for police purposes may also be processed for other purposes if a legal provision provides for this. Another "legal provision" could also be the GDPR. The BKA also assured the Federal Data Protection Commissioner that it had never transmitted facial images or other personal data to Fraunhofer IGD.
(anw)
