With UEFA Euro 2024 and the Paris Olympics taking place this summer there has been a recent focus on the use of mass surveillance at large-scale events. In fact, I recently had an opportunity to join an intriguing panel at Privacy, Law and Business’s Cambridge conference on this very subject. One of the principle and fundamental issues discussed was the question of ‘how to reconcile mass surveillance in the name of national security with the liberal democratic values that we cherish’. The answer I offered centred on one of the ODPA’s regulatory pillars: Balance.
In this situation, the right balance would see governments find a way to least impede upon citizens privacy rights while protecting our liberal democratic way of life, whether that means fighting a global pandemic, or countering terrorism.
As my learned colleague Lawrence West has distilled, it also means respecting our core liberal democratic values, and specifically ‘Pluralism’ and ‘Tolerance’, where ‘Pluralism’ is about ensuring too much power doesn’t collect in the ruling party’s hands, while ‘Tolerance’ is about respecting and protecting divergent viewpoints and behaviours. And at no point in history has the statement been so true that “Information is Power”.
Which leads to the second big question – ‘how do you structure the deployment of mass surveillance systems when the security of democratic states or large-scale events are threatened, while respecting the very values and tenets that those liberal democratic systems represent?’
Recent guidance from the European Data Protection Board (EDPB) provides us valuable insight on this. In May this year, it released guidance on the use of Facial Recognition Technology at airports following a request from France’s Commission Nationale de l’Informatique et des Libertés (CNIL). The principles shared in that guidance, also apply to other mass surveillance scenarios, including large-scale events.
In our reading, the EDPB guidance has the effect of preserving, to the greatest extent possible, individual agency and autonomy.
It favours facial recognition systems allowing an individual to maintain agency and autonomy over their own biometric data, which could reside for example on a person’s phone. From a privacy perspective, such systems are clearly consistent with key data protection principles such as data minimisation, integrity and confidentiality.
On the other hand, facial recognition systems that deny an individual that agency, specifically by using methods where the biometric data is stored centrally by the state as the controller, were neither favoured nor deemed to be GDPR compliant.
While an admitted oversimplification of a complex issue, what it does assure us of is that:
“To preserve and protect the freedom of our liberal democratic way of life, we need not, and should not, compromise the core democratic values upon which those freedoms rest.”
If you want to read more detail on this topic please watch out for our upcoming column in the Guernsey Press!
The Bailiwick of Guernsey's independent supervisory authority which regulates data protection legislation. The ODPA protects people by driving responsible use of personal information through helping organisations get it right, deterring harmful information handling, and taking enforcement action against significant non-compliance
Receive regular information and statistics related to our activities and governance
Sign up nowReceive regular information and statistics related to our activities and governance
Sign up nowThe Office of the Data Protection Authority
+44 (0)1481 742074 info@odpa.gg
Block A, Lefebvre Court, Lefebvre Street, St Peter Port, GY1 2JP
Newsletters sign-up Data Processing Notice Careers Cookies
Website by
&
Indulge
© 2025 The Office of the Data Protection Authority.