Buenos Aires Face Recognition System Declared Unconstitutional

The Administrative and Tax Litigation First Instance Court No. 4 in the City of Buenos Aires allowed the action filed by the Observatorio de Derecho Informático Argentino against the Fugitives Face Recognition System (FFRS) on the grounds that it had been implemented without complying with the legal provisions that protect the rights of the inhabitants in the City of Buenos Aires. Likewise, the court stated that the functioning of the FFRS is subject to the constitution and due operation of the control agencies.

According to the information in the judicial file, the FFRS “compares the biometric features of two faces. To do so, the system must learn when two images belong to the same person and when not. The way to achieve this is using a database of faces and constantly loading information without taking into account against which biometric database it will contrast it. On the contrary, that base is the "memory" to improve the way the Artificial Intelligence functions, and it does not differentiate the database of the National Consultancy of Contumacy and Captures, but rather stores all the faces that pass in front of the camera". As a result of this, the FFRS "had irregularities, like producing false positives."

Among the various arguments used by the court to declare the FFRS unconstitutional, those related to the protection of the private sphere and the protection of personal data stand out, specifically when it comes to the lack of compliance with the Protection of Personal Data Law No. 25326, the Protection of Personal Data in the Public Sector Law No. 1845 of the City of Buenos Aires, and the Convention 108 on Automated Processing of Personal Data.

In particular, the court highlighted that the government of the City of Buenos Aires needs to carry out a Data Protection Impact Assessment, stating that it has been “a good practice, internationally recognized for a long time, and aiming to reinforce the principles on personal data protection while leading the controller towards compliance, especially when the complexity of the project or activity under analysis requires a more detailed examination”[1] .

Likewise, the court highlighted that the Data Protection Impact Assessment is a valuable process for the entity carrying it out since, on the one hand, it allows public agencies to build trust and, on the other, private companies may use it to avoid potential reputational costs and build consumer loyalty. Finally, the court points out that the Impact Assessment has the benefit of not being a complex and unjustifiable process.

Considering this, the court also suggests using the Data Protection Impact Assessment Guidelines as a preventive mechanism to minimize potential damage to privacy, as a risk containment plan. The court emphasized as well that the Impact Assessment is the most accurate and fundamental tool to address the effects that implementing the FFRS may have on the human rights of those who, in this case, walk the City of Buenos Aires.