Italian Data Regulator Slams EU-Funded AI ProjectsCity of Trento Must Pay Regulators 50,000 Euros
The Italian data protection regulator fined a midsize northern city 50,000 euros for deploying a pilot artificial intelligence public safety project financed by the European Union.
The Alpine city of Trento was a partner in three pilots that planned to AI to process audiovisual data to detect threats.
One of the pilots, dubbed Protector, concluded last April. It was meant to improve the protection of urban places of worship by analyzing data from surveillance cameras and textual data from YouTube and Twitter.
Another, dubbed Marvel, concluded in December. It was designed for use in building a distributed computing framework street-level pattern recognition for inclusion in sensors. The third project, Precrisis, which was meant to continue until May 2025, had yet to receive an AI-based component.
Both Protector and Marvel were trained on public data sets and contained features such as movement and object detection and clustering methodologies to identify anomalies in movements.
"These massive and invasive treatment modalities have entailed significant risks for the rights and freedoms of the data subjects," Garante - the data protection authority - said. "Such forms of surveillance in public spaces can modify the behavior of people and affect even the exercise of democratic freedoms."
Garante also said that the municipality of Trento did not justify the data processing requirements of the AI systems under the country's data protection regulations.
Among the lapses was a failure to run a privacy impact assessment before deploying the project and failure to notify the residents about the placement of the cameras and microphones or how their data was being processed. The Trento municipality also shared the data collected from the project with third parties, such as the researchers, local police, law enforcement agencies from the Belgian city of Antwerp, and the Bulgarian interior ministry.
Trento's research partner on the Marvel project, the Foundation for Research and Technology - Hellas, anonymized the data collected by the AI systems. This included removing user names and URLs, as well as blurring faces and license plates.
Despite the anonymization, Garante said, personal information could be obtained from the voice captured from microphones, as the researchers did not deploy the standard anonymizing practice of replacing speaker voices and semantic interchange. The agency also said blurring faces was inadequate, as the subjects could be identified from their clothing or body morphology.
"Inadequacy of the aforementioned techniques to ensure a full anonymization of the data was well known to the municipality" which, Garante said, nonetheless identified the risk of identification of as "low".
Garante originally intended to fine the city 20 million euros, but it dropped the sum to 50,000 euros after the municipality halted video and audio collection.
The agency's decision comes as Europe is preparing to implement a comprehensive regulation on artificial intelligence. The AI Act bans high-risk AI systems, such as emotion recognition, and facial data scraping from CCTV.
European privacy experts have long argued that the use of facial AI facial recognition in public space - which is currently not banned under the law - erodes privacy.
"The use of AI-powered surveillance will be a violation of the European General Data Protection and other privacy laws. Even with anonymization, AI surveillance can turn a human body into data points," a spokesperson for French digital rights group La Quadrature du Net said.