The Digitalization Agency processes superfluous personal data in administration of digital driving licenses
The Digitalization Agency has been criticized by the Data Protection Authority for processing too much personal data in the administration of the digital driving license. They store information on all citizens with a valid Danish driving license, nearly 4 million people, although only about 1.7 million have the digital driving license app.
Datatilsynet fant (ikke overraskende) at behandlingen av personopplysninger om over 2 millioner borgere som ikke har sluttet seg til den digitale førerkortordningen, var i strid med prinsippet om dataminimering, som krever at man bare behandler nødvendige opplysninger. Datatilsynet understreker viktigheten av å unngå unødvendig opphopning av personopplysninger og fastslår at Digitaliseringsstyrelsen fremover kun kan behandle opplysninger om de som faktisk har valgt den digitale løsningen.
The Data Protection Authority found (unsurprisingly) that the processing of personal data of over 2 million citizens who have not joined the digital driving license scheme was in violation of the data minimization principle, which requires that personal data is only processed as necessary. The Data Protection Authority emphasizes the importance of avoiding unnecessary accumulation of personal data and states that going forward, the Digitalization Agency can only process information about those who have actually chosen the digital solution.
Despite the Digitalization Agency's argument about limitations in the existing system as a reason for storing all the information, the Data Protection Authority believes this does not justify processing unnecessary information about over 2 million citizens.
Municipality's legal basis for AI solution to identify citizens in need of maintenance training and rehabilitative efforts
The Data Protection Authority has evaluated the Copenhagen Municipality's legal basis for developing and operating an AI solution to identify citizens in need of maintenance training and rehabilitative measures. The municipality aims to use AI to support case workers by identifying citizens with such needs based on historical data.
The Data Protection Authority agrees that the general development, operation, and training of such an AI solution are in line with the General Data Protection Regulation (GDPR), but emphasizes the need for a supplementary national legal basis. The requirements for this basis will vary depending on whether it relates to the development, training, or operation of the AI solution.
Processing personal data for the development and training of an AI solution can more easily comply with the legal framework compared to the operation of such a solution, pursuant to the Danish Data Protection Authority. In the operational phase, there is a demand for a clearer legal basis due to the large amount of sensitive information processed by AI solutions.
I have included this case because it's important to see that the development, training, and operation of a system are different treatments – and they cannot always be justified under the same provision.
The cases are mentioned here: