Mass surveillance in a democratic society

Published: 8 July 2024

In this blog, first published in the Guernsey Press on 8 July 2024, Bailiwick Data Protection Commissioner Brent Homan and ODPA Business Intelligence Officer Lawrence West discuss whether mass surveillance can be compatible with democratic and liberal values.

This is quite the summer for large scale sporting spectacles in Europe and the UK. With UEFA Euro 2024 in the nail-biting knockout phase, the Paris Olympics just on the horizon, and Wimbledon getting underway, close to 20 million fans will pack stadiums and venues in Germany, France and the UK. And those fans need to get to those places, which means that airports, ports and train stations will experience a massive stream of humanity.

And while such events represent cause for celebration, drama and controversy, they also attract an element of risk through the spectre of civil disruption and worse, the potential for terrorist attacks. And this is why visitors to events can find themselves subject to forms of mass surveillance towards preserving individual safety and national security.

Gulp. Mass surveillance.

To anyone that has grown up in a liberal democratic country or has previously lived under an authoritarian government, that term can, and should, evoke an uncomfortable emotional response. Mass surveillance is a phrase that we associate with totalitarian regimes and George Orwell’s prophetic warnings of Big Brother.

And data-protection authorities have a natural allergic reaction to any suggestion of individuals’ personal information being indiscriminately harvested. Yet as a liberal democratic society we are also very much attuned to today’s national security and terrorist threats, having seen such tragedies unfold with disturbing frequency.

So how does one reconcile this ideological friction? By answering the following question:

“How do we ultimately preserve our liberal values of freedom and prosperity while ensuring the safety and security of our borders and people? “

And the answer is by achieving the right balance such that governments find a way to least impede upon citizens privacy rights while protecting our liberal democratic way of life, whether that means fighting a global pandemic, or countering terrorism.

And it also means respecting our core liberal democratic values. Let’s take ‘Pluralism’, and ‘Tolerance’ for example. ‘Pluralism’ is all about ensuring too much power doesn’t collect in the governing party’s hands, while ‘Tolerance’ is about respecting and protecting divergent viewpoints and behaviours.

Now clearly those values support one another, but the right to privacy also plays a fundamental role in preserving both of them.

In fact, at no point in history has the statement been so true that “Information is Power”. And to that end, there is an inherent danger to a democracy if too much information is enticingly placed in the hands of rulers.

So given the potential for mass surveillance to overly “amass” power in the hands of government, how do you structure its deployment when the security of democratic states or large-scale events are threatened, while respecting the very values and tenets that those liberal democratic systems represent?

Recent guidance from the European Data Protection Board (EDPB) can help. The EDPB comprises representatives from the 27 EU Member States’ data protection authorities and provides guidance so that the General Data Protection Regulation (GDPR) is consistently applied in all EU countries.

In May this year, it released guidance on the use of Facial Recognition Technology at airports following a request from France’s Data Protection Authority. The principles shared in that guidance, also apply to other mass surveillance scenarios, including large-scale events.

In our reading, the EDPB guidance has the effect of preserving, to the greatest extent possible, individual agency and autonomy.

It favours facial recognition systems allowing an individual to maintain agency and autonomy over their own biometric data, which could reside for example on a person’s phone. From a privacy perspective, such systems are clearly consistent with key data protection principles such as data minimisation, integrity and confidentiality.

On the other hand, facial recognition systems that deny an individual that agency, specifically by using methods where the biometric data is stored centrally by the state as the controller, were neither favoured nor deemed to be GDPR compliant.

Now that is an admittedly simplistic reduction of a complex issue, and the challenge is always in the implementation of a technological process, but it does assure us of this:

“To preserve and protect the freedom of our liberal democratic way of life, we need not, and should not, compromise the core democratic values upon which those freedoms rest”

So this summer let’s embrace and celebrate those freedoms as we exuberantly cheer on our athletes on the world stage. That is certainly what we will be doing at the ODPA whether the action is taking place on the courts of Wimbledon, the soccer pitches in Germany or the games in Paris!