
Those who have copies of torrid homemade videos, beware!


Safe enough! Not.

As a comeback after this very long pause, I would like to address a recent ruling of a Portuguese court, which followed the complaint of a woman against her ex-boyfriend, alleging revenge porn due to the online release of an intimate video on related websites.

Grosso modo, the details of the case are as follows: the woman and the man had a relationship. During that period, they mutually agreed to video record sexual interactions, on the condition that that record would never be watched by anyone else.

The quality and the angles of the images allowed the complainant to be clearly identified. The man retained a copy of the recording and saved it on his personal computer.

After the relationship ended, the woman found out that the video had been published and further disseminated online, where it was freely available and easily found with a simple, well-chosen keyword search. Moreover, it was argued that it had been viewed by people who knew the complainant personally, namely from her area of residence and her workplace.

It was not demonstrated in court that the man was the author of the original online release of the video. As a result, it was not demonstrated that this was a case of revenge porn. However, he admitted that the computer on which a copy of the video was saved was frequently used by friends and family members.

The court therefore concluded that, by virtue of the pre-existing verbal agreement, the man was obliged to keep the copy of the video he retained safe and to take the steps necessary to do so.

By allowing unrestricted access to the computer on which a copy of the recording was saved, he was deemed to have breached his duty to guard it appropriately, i.e., to have failed to take the steps he was obliged to take.

The court hence ruled that this failure to properly secure sensitive information about the complainant entitled her to pecuniary compensation.

In my opinion, this unprecedented ruling is very welcome as a necessary judicial answer to the proliferation of revenge porn in the online context.

However, while I am fully aware that it is very difficult to sustain allegations of revenge porn in court, and that neither the responsibility of its authors nor the moral damages of the victims should go unanswered, I am really not sure whether the success of such claims should rest on the ‘omission’ of an agreed act of keeping given information secure.

It is evident that nowadays, particularly with regard to computerised information, privacy cannot be dissociated from security. However, recent history shows that even large firms, which process information just as sensitive, have far more resources and spend millions on security diligence, are unable to keep personal and sensitive data safe.

It must therefore be asked: what can qualify as such an omission when individuals are involved, specifically when it is demonstrated that an individual has no particular knowledge of ICT security, or is convinced that all the appropriate measures were taken?

In the particular case at stake, it seems that it was the negligence, namely allowing access to the computer on which a copy of the video was saved, that was deemed decisive in qualifying the conduct as a relevant omission.

Nevertheless, given the lack of objective criteria, would it make a difference if the video had been saved on the desktop as ‘wildnightsexwith(girlfriend’sname).mp4’, or if it had been kept in a personal account on the computer and he had forgotten to log off, thus enabling others to access his personal files? From a security standpoint the two scenarios share the same defect: in both, the file is readable by anyone who sits down at the machine, since neither an obscure file name nor an unlocked session is a safeguard. The measures that would actually set the cases apart, such as separate user accounts with a locked screen, or encrypting the file so that it is unreadable without a passphrase, are precisely the ones the ruling does not spell out.

Anyway, as this is certainly the first of many rulings on similar facts, the courts will have plenty of opportunities to clarify the unanswered questions and to define objective criteria, or at least try, in this regard.

Sex in the city: Is there a reasonable expectation of privacy when having sex with the lights on?

When I read this post I could not help remembering the discussions within the Privacy module of the postgraduate programme I recently enrolled in. A particular issue discussed was precisely the legitimate expectation of privacy regarding events which take place in public, such as those analysed in the Peck, Campbell or Von Hannover cases.

In the situation at stake, two office colleagues had sex on the workplace premises, with the lights on, having forgotten to pull the blinds down, and therefore in full view of passers-by and the customers of the pub located right across the street, who were able to observe the whole scene, unnoticed from inside.

The events were recorded by many (how useful smartphones are in these situations!) and uploaded to the Internet. Obviously, it did not take long to spread both on social media and in the press, and very quickly the couple had inadvertently become a viral sensation. Their sexual performance has been widely gossiped about, commented on, assessed and rated. They have since been publicly identified, and details of their personal lives have been exposed.

Putting aside other pertinent considerations regarding what internal proceedings the company should take, I would like to focus on the privacy issues at stake.

Our expectation of privacy does not necessarily depend on the place where events take place. It is not because something happens in a public space, or is visible to the public or from a public place, that any reasonable expectation of privacy is automatically excluded. It suffices to think that most of our private life, such as conversations or encounters, actually happens in public. How unfortunate it would be if that mere fact ultimately deprived us of any expectation of living our lives discreetly. It would not be remotely reasonable to accept that people abdicate their privacy expectations once they leave their homes. Especially considering all the buzz surrounding smart TVs, our privacy is at risk even in our own households.

In this particular case, it was late in the evening and the couple expected to be alone in the office, away from prying eyes. It is unquestionably a quite different situation from having sex in broad daylight in a busy street, which would more appropriately be qualified as exhibitionism.

Moreover, the revealing and intimate nature of the activity cannot be ignored, considering that they were undressed and, well, having sex. I would say with some certainty that most of us would mind being watched, recorded and commented on, over and over, on a large scale. And, although it is something the public finds interesting, there is certainly no public interest at stake.

Furthermore, despite acting in plain sight, the couple was completely unaware that their activities were being observed, let alone filmed. They did not give their consent, neither explicitly nor implicitly, for their image to be captured. More relevantly, they were certainly oblivious that those images and recordings would be disseminated on a large scale. Being placed in the public eye, and the public attention that ensued, were neither expected nor desired.

The moral damages at stake are evident. On a personal level, the couple has been publicly exposed, scorned, humiliated and shamed. Their dignity and self-esteem have been incessantly injured. At least for one of them, being married with children, this exposure also has even more far-reaching consequences, affecting the family members concerned.

To say that the lesson to be learnt from this is to turn the lights off next time you intend to have sex is the easiest joke to make. However, such situations should not be treated so light-heartedly by society, namely because, with the advanced technologies available, it is getting easier to photograph and record events that are humiliating for someone. That is how many of the known cyberbullying situations actually start. Technologies are evolving so fast that general awareness and sensitivity are having a hard time keeping up with the issues at stake.

Perhaps a very good first step would be for people to start accepting that the fact that they can see something, and are able to easily record it and quickly share it online, does not make it legitimate to do so. It is so easy to laugh at someone’s expense. And the next big joke could be any of us.


Season’s greetings

Heidi also wishes Happy Holidays :)


Dear readers,

I wish you all a very Happy Holiday season and a peaceful and prosperous New Year.

The ‘risk-based’ approach to Data Protection, too risky for SMEs?

Balance is hard, very hard.


For those businesses which collect, process and exploit personal data, the draft of Chapter IV of the forthcoming EU General Data Protection Regulation is particularly relevant as it foresees the possible future compliance obligations of data controllers and data processors.

Considering the latest position of the Council of the European Union regarding this chapter, a ‘risk-based’ approach to compliance is a core element of the accountability principle itself.[1]

In fact, the Article 29 Working Party[2] recently issued a statement supporting a ‘risk-based’ approach in the EU data protection legal framework.

But what is meant by the concept of a ‘risk-based’ approach?

It mainly refers to the consideration of any potential adverse effects associated with the processing, and implies different levels of accountability obligations for data controllers, depending on the risks involved in each specific processing activity. It is therefore quite different from the ‘one size fits all’ approach initially proposed by the European Commission.

In this context, the respect and protection of data subjects’ rights (for instance, the rights of access, objection, rectification and erasure, and the rights to transparency, to data portability and to be forgotten) shall be guaranteed throughout the data processing activities, regardless of the level of risk involved.

However, principles such as legitimacy, transparency, data minimisation, data accuracy, purpose limitation and data integrity, and the compliance obligations incumbent upon controllers, shall be proportionate to the nature, scope, context and purposes of the processing.

This ‘risk-based’ approach is developed throughout Chapter IV, namely in the provisions on the data protection by design principle,[3] the obligation of documentation,[4] the obligation of security,[5] the obligation to carry out an impact assessment[6] and the use of certification and codes of conduct.[7]

These accountability obligations, in each phase of the processing, will vary according to the type of processing and the risks to privacy and to other rights and freedoms of individuals.

In this context, the proportionality exercise will affect the requirements of privacy by design,[8] which consist in assessing the potential risks of the data processing and implementing suitable privacy and data protection tools and measures to address those risks before the processing begins.

Besides, the introduction of the ‘risk-based’ approach is also likely to be relevant for controllers not established in the EU, as they will most likely not be required to designate a representative in the EU for occasional processing activities which are unlikely to result in a risk to the rights and freedoms of individuals.[9]

Moreover, a ‘risk-based’ approach will also govern the security of the processing: technical and organisational measures appropriate to the likelihood and severity of the risk to the rights and freedoms of individuals shall be adopted.[10]

In parallel, the obligation to report data breaches is foreseen to be restricted to breaches which are likely to result in a high risk to the rights and freedoms of individuals. If the compromised data is encrypted, for instance, the data controller will not be required to report a verified breach.[11] This relief only holds, of course, if the encryption actually renders the data unintelligible to whoever obtained it: where the decryption keys, or the credentials protecting them, were exposed together with the ciphertext, the data is for all practical purposes in the clear and the exemption cannot be relied upon.

The weighing assessment is also expected to be relevant for the data protection impact assessment[12] required for processing activities likely to result in a ‘high risk’ to the rights and freedoms of individuals, such as discrimination, identity theft, fraud or financial loss.

Another important requirement is the consultation of a Data Protection Authority prior to the processing of personal data when the impact assessment indicates that the processing would result in a high degree of risk in the absence of measures taken by the controller to mitigate that risk.[13]

Of course “nothing is agreed until everything is agreed” and this chapter will be subjected to further revisions. There is, indeed, a vast room for improvement.

For instance, it is questionable whether a ‘risk-based’ approach actually makes data protection standards stronger, considering the inadequacy of risk assessment methodology where fundamental rights are concerned.

In parallel, the definition of ‘high risk’ is still too broad, covering almost all businesses operating online. Similarly, the impact assessment process presents itself as complex, burdensome and costly. At the current state of play, small businesses and start-ups are the most likely to be negatively affected by the administrative and financial burden that some of the abovementioned provisions will entail. This is quite ironic, considering that precisely this concern lies at the core of the view that SMEs should be exempted from the obligation to appoint a Data Protection Officer.

However, it is important for businesses to try to anticipate how the compliance requirements will be set in the future in order to be prepared for their implementation.

We will see in due time how onerous the regime will be. Whilst we do not know the exact content of the text that will eventually be adopted, it is evident now that substantive accountability obligations will be imposed upon businesses handling personal data.

References

[1] See article 22 of the Council’s document.
[2] The Article 29 Working Party gathers a representative of the supervisory authority designated by each EU Member State; a representative of the authority established for the EU institutions and bodies; and a representative of the European Commission.
[3] See article 23.
[4] See article 28.
[5] See article 30.
[6] See article 33.
[7] See articles 38 and 39.
[8] See article 23.
[9] See article 25.
[10] See article 30.
[11] See articles 31 and 32.
[12] See article 33.
[13] See article 34.

© 2017 The Public Privacy
