Intrusive AI: The municipality of Trento must pay a fine of 50,000 euros for misusing artificial intelligence and violating citizens’ privacy. The case is emblematic and well represents the risks that the misuse of AI can generate on the population and its security. The Italian Data Protection Authority has negatively assessed the way in which the Marvel and Protector research projects in which the Municipality of Trento participates handle citizens’ personal data.

Marvel: Multimodal Extreme Scale Data Analytics for Smart Cities Environments is an EU-funded Cordis project for audio-visual scene recognition and event detection in a smart city context. The project involves the collection, analysis, and extraction of data from streaming multimodal audio-visual material through the use of AI. It also collects anonymised data from footage recorded by video surveillance cameras and audio obtained from microphones placed ad hoc in the city streets. This data is analysed using AI to detect public safety risk events automatically.

The second stage

Protector: PROTECTing places of worship is instead the project of the ISFP programme to ‘intensify the security of places of worship’ with the help of technological tools to analyse ‘heterogeneous data sources’ such as surveillance cameras, websites, and social networks with the support of artificial intelligence. It collects data from video surveillance footage (without audio) and analyses hate messages and comments on social networks to extract any information of interest to the police. The Protector ended on 30 April 2023, focused mainly on places of worship, and linked to the Belgian police and the Bulgarian Ministry of the Interior, and included the collection and analysis, using automated analysis techniques, of hate messages posted on the former Twitter platform (now ‘X’) and comments posted on the YouTube platform.

The Municipality of Trento, the Garante wrote in the communiqué, ‘has failed to prove the existence of any legal framework capable of justifying the processing of personal data’ (among other things, shared with third parties), thus violating the rights and freedoms of individuals. There is also unlawful processing of personal data, insufficient anonymisation techniques, lack of transparency in the information on data processing, and no evidence of having carried out an impact assessment.

Italian Big Bros

The Garante launched the investigation after learning of the initiative from the local press and immediately asked the municipality for the legal basis of ‘Big Brother’ in the Trentino style and how very sensitive data was processed. The municipality vainly opposed the partnership with the EU Commission, the purpose of prosecuting crimes (here it was more a matter of ‘preventing them’) and the (minimal) signs installed in the city to inform passers-by. For the Authority, on the other hand, not even an adequate (and mandatory) data protection impact assessment was carried out, also in view of the possible consequences for the parties concerned arising from the ‘processing of particularly sensitive information such as the content of conversations, data relating to crimes and data relating to religious beliefs’. Hence, the penalty, in any case, is reduced to 1/40 of the maximum, which would be 20 million for the pre-police.