The Belgium Data Protection Authority (DPA) has ordered the municipality of Antwerp to erase sound recordings made illegally using dozens of sound sensors.
In 2022, the city of Antwerp installed 30 sound sensors in the student district. The goal was to use technology to map and remedy noise pollution in the area.
The sensors recorded environmental sounds 24/7. The sound files were saved as raw audio clips of approximately 10 seconds each.
When the recorded sounds exceeded a certain noise level between 7 p.m. and 7 a.m., the sensors created a voice print or MEL-spectrogram: a visual representation of a specific sound. The voice prints were then used to train an AI model to identify and classify different types of sounds.
By the end of the year, the Gegevensbeschermingsautoriteit (GBA) ordered the city of Antwerp to temporarily suspend the project.
Inspectors had determined that the municipality didn’t have a valid legal basis for the project. According to the General Data Protection Regulation (GDPR), voice prints are considered sensitive information. European privacy laws therefore prohibit the processing of this kind of data.
The DPA also noted shortcomings in terms of transparency. The city of Antwerp promised not to record any conversations. However, analysis of the audio files showed that conversations were indeed recorded.
In addition, the privacy regulator noticed that voice prints were stored unencrypted in Google Cloud, whose parent company is located in the United States. This was done knowingly and without implementing appropriate risk mitigation measures.
Lastly, the DPA pointed out that the city of Antwerp didn’t take the advice of the city’s data protection officer (DPO) – who had pointed out several potential problems – too seriously. If his comments had been taken into account, measures could have been taken to mitigate the risks that had been identified.
Because of these violations, the GBA has decided to reprimand the city of Antwerp. Furthermore, the municipality has to delete all voice prints and sound recordings containing voices.
“Data protection and innovation are not mutually exclusive,” says Hielke Hijmans, Chairman of the GBA’s Litigation Chamber. “However, such technological projects need to be properly regulated by taking into account the potential risks to individuals and taking measures to mitigate these risks. This is why we stress the importance of conducting a thorough data protection impact assessment (DPIA) and involving the data protection officer.”
Your email address will not be published. Required fields are markedmarked