Mr. David Murphy:

I thank the committee for the invitation to contribute to its deliberations on the general scheme of Garda Síochána (recording devices) (amendment) Bill. I am one of the deputy commissioners of the DPC and have responsibility for our function of supervision of the public sector. As the Cathaoirleach noted, I am accompanies by Mr. Carroll, who is an assistant commissioner from the DPC's supervision team and who has responsibility for matters pertaining to law enforcement.

This proposed Bill will provide the legal basis for the processing of personal data by An Garda Síochána for the purpose of biometric identification by way of facial recognition. The DPC acknowledges the potential for facial recognition technology to benefit the work of An Garda Síochána. However, as the use of this technology presents serious risks to an individual's right to data protection, the legislation must implement the necessary restrictions, limitations and safeguards to ensure that any deployment of facial recognition technology by An Garda Síochána is strictly necessary and proportionate and respects the requirements of data protection law and the fundamental rights of individuals.

EU Directive 2016/680, the law enforcement directive, sets out that legislation should be clear and precise, its application should be foreseeable to those subject to it and it should specify the objectives of data processing, the personal data to be processed and the purposes of the processing. The statutory code of practice envisaged in the general scheme will be an essential element in meeting these requirements of EU law by setting out the specific details of how biometric identification and facial recognition technology may be used by An Garda Síochána.

Head 4 specifically links compliance with the code of practice to the strict necessity for proportionality in the use of biometric identification, highlighting its importance in this context. Head 4 further provides that An Garda Síochána can use any image or video to which it lawfully has access. This currently offers little clarity as to what is intended. A concern is that large existing public databases of facial images could be brought within the scope of biometric identification without specific safeguards to prevent this. The inclusion of such databases would represent a serious and disproportionate intrusion on the rights and freedoms of affected persons. Facial recognition technology does not provide definitive results but relies on probability through comparison of facial images with an inherent underlying margin of error and risk of in-built bias. These factors can significantly impact on the reliability and accuracy of the technology and indicate a high level of risk for affected data subjects. Consequently, it will be necessary for a data protection impact assessment to be carried out prior to the introduction of the technology. The DPC recommends publication of such an impact assessment in the interests of transparency.

Biometric identification also constitutes a form of automated individual decision-making permitted under the directive only subject to the right to obtain human intervention. The general scheme provides that the results of biometric identification must be verified by a member of Garda personnel. The efficacy of this safeguard will depend on the expertise of relevant Garda personnel in the operation of the system and their ability to effectively challenge its results. The code of practice should provide detail on this key safeguard, as well as on all oversight mechanisms governing the use of biometric identification.

I hope these comments will be of assistance to the committee and I am happy to answer any questions members may have and speak about any of the issues raised in my written submission.