Legal: General information about the police’s processing of personal data for the development of AI
The development of AI consists of several stages, including the development, use and continued learning phases:
The presentation of legal considerations will focus on the police’s processing of personal data in the first stage, the development stage. During this stage, we can envision two different situations in which personal data is processed by the police for the development of artificial intelligence, one of which would involve processing data for research purposes. Development can thus take the form of research, which means that ‘research’ and ‘development’ are not necessarily mutually exclusive terms. The report will primarily focus on the processing of personal data for research into the development of artificial intelligence in the PrevBOT project (situation 2 in the table).
We will, however, begin with a general introduction to the legislative landscape that applies to policing, in an attempt to provide some initial clarifications for situation 1 in the table. Firstly, it is important to clarify which regulations apply, i.e. the Police Databases Act or the General Data Protection Regulation. Secondly, since there is talk of using investigative data/criminal case data in the development of the artificial intelligence, the question arises as to whether the law permits such processing beyond the original purpose.
Finding the right regulations
The General Data Protection Regulation (GDPR) is incorporated into Norwegian law through the Personal Data Act, meaning that the regulation applies as Norwegian law. The main rule is that all processing of personal data is regulated by the Personal Data Act. This applies unless the GDPR makes exceptions to its scope of application. The Personal Data Act Section 2 governs the substantive scope of the Act and states that in the event of a conflict, the provisions in the General Data Protection Regulation take precedence over provisions in any other statute that regulates the same matter, cf. Section 2 of the EEA Act.
The police’s processing of personal data is primarily regulated by the Police Databases Act, which implements the Law Enforcement Directive (LED), supplemented by the Police Databases Regulations. The rules set out in the GDPR do not apply in the area covered by the Law Enforcement Directive, cf. the GDPR Article 2(2)(d) and the Law Enforcement Directive Article 1. In other words, the legislator’s intention is that the processing of personal data falls under one or the other regulatory framework.
When considering the police’s processing of personal data for the development of artificial intelligence, the scope of the two acts in question must be considered to determine whether processing falls under the Personal Data Act/GDPR or the Police Databases Act.
In this assessment, we will begin by looking at the exemptions from the scope of the GDPR set out in Article 2(2)(d). The exception states that the GDPR does not apply to the processing of personal data conducted by the police:
‘(…) for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’
In the event that the police process personal data for purposes other than those mentioned, the processing will be regulated by the GDPR. It is therefore the purpose of the processing that determines which regulations apply to the police’s processing of personal data.
There is little doubt that the development of tools that use artificial intelligence will help the police carry out their social mission and thus allow them to utilise their resources more effectively to combat crime. However, the exceptions listed in the GDPR Article 2(2)(d) are, according to its wording, directed towards more traditional and typical ‘police tasks’. The European Court of Justice has also ruled that the exception in the GDPR Article 2(2)(d) shall be interpreted ‘strictly’.
In the view of the Data Protection Authority, the exemptions in the GDPR Article 2(2)(d) are aimed at the police’s crime-fighting activities. Given that the exceptions are to be interpreted strictly, it is difficult to construe how the development of artificial intelligence tools could fall within them. The interpretation is also considered to be in line with the definition of ‘police purposes’ set out in the Police Databases Act Section 2(13), which encompasses the police’s activities against crime, including investigation, preventive efforts and the activities of the uniformed service, and the police’s service and assistance functions and keeping of police logs. It is assumed that this definition does not cover technology development as such either, even if the purpose of such development is creating a tool to aid activities against crime.
The systematics of the legislation are also significant to their interpretation. When it comes to the rights of data subjects, the GDPR provides a stronger safeguard than the Police Databases Act. According to general data protection principles, information and access are key rights for the data subject, enshrined in GDPR Articles 13, 14 and 15. These rights are not as strongly safeguarded when personal data is processed for crime-fighting purposes, due to the specific considerations that apply in the area.
Therefore, in the view of the Data Protection Authority, the use of personal data for the development of artificial intelligence in policing will in general be regulated by the GDPR, because such processing is unlikely to fall within the exceptions to the material scope set out in GDPR Article 2(2)(d).
On further processing of personal data for a new purpose
If personal data has been collected by the police for ‘police purposes’ in line with the Police Databases Act, and the police wish to further process the data for the development of artificial intelligence – which is a different purpose to ‘police purposes’ – the question arises as to what conditions must be met to carry out this processing. As illustrated above, this will generally be determined by the rules of the GDPR.
The entity that discloses/makes personal data available must:
- have the authority to disclose the personal data. There may be legal prohibitions that prevent personal data from being disclosed for processing for another purpose. For example, the Police Databases Regulations Chapters 8 and 9 each set out restrictions and conditions for access and disclosure of information, respectively.
- have a legal basis for processing in order to disclose personal data,
- carry out a compatibility assessment of the purposes. Since the personal data was originally collected for police purposes, the question of whether using the data to develop an artificial intelligence tool to help fight crime is a purpose compatible with the original purpose of collection, cf. Article 6(4). According to the provision, an assessment must be carried out that takes into account, among other things, the factors specified in letters (a) to (e). This means that the provision, in certain cases, allows for personal data to be further processed for a new purpose.
The entity that will further process the personal data for a new purpose must have a legal basis for processing. If it is the same data controller that both discloses/makes available and further processes the personal data for a new purpose, then it is that entity that carries out all of the above assessments.