The Public Privacy

Tag: Consent (page 1 of 2)

Bits and pieces of issues regarding the happy sharing of your children’s lives on Facebook

February 1, 2016 / / 1 Comment
It's just a picture of them playing, they don't mind. Like!

It’s just a picture of them playing, they don’t mind. Like!

Similarly to what is happening in other EU Member States’ courts, Portuguese courts have been struggling with the application of traditional legal concepts to the online context. Just recently, in a decision which I addressed here, it considered that those having in their possession of a video containing intimate images of an ex-partner are under the obligation to properly guard it and the omission to practice adequate safeguard are condemned as a relevant omission.

Thus said, there is one particular decision which was issued by a Portuguese appealing court last year that I failed to timely address and which concerns the very specific rights of image of children in the online context. Considering the amount of pictures that appear on my Facebook wall every time I log in on my account and the concerns expressed by the upcoming GDPR in regards of the collection and processing of data referring to minors of sixteen, I would like to address it today.

The court at stake confirmed the decision of the court of first instance, issued within a process of regulating the parental responsibilities of each progenitor, which forbid a separated couple to divulge on social media platforms pictures or information identifying their twelve years old daughter. It severely stated that children are not things or objects belonging to their parents.

One would expected that a court decision would not be necessary to achieve the conclusion according to which children have the right to have their privacy and image respected and safeguarded even from acts practised by their parents. In fact, one would hope that, in the online context, and considering their specific vulnerability and the particular dangers facilitated by medium of the Internet, their protection would be ensured primarily by their parents.

Ironically, the link to the news referring to this court decision was greatly shared among my Facebook friends, most of them with children of their own. The same ones who actually happily share pictures of their own kids. And who haven’t decreased the sharing of information involving their children since then.

It is funny how some people get offended or upset when someone posts online a picture in which they are not particularly favoured or of which they are embarrassed and are quick to require its removal, and do not wonder if it is ethical to publish a picture of information about someone who is not able to give his/her consent. Shouldn’t we worry what type of information would children – our own, our friend’s, our little cousin or nephew – want to see about themselves online in the future?

Every time I log in my Facebook account, there is an array of pictures of birthday parties, afternoons by the sea, first days at school, promenades in the park, playtimes in the swimming pool, displays of leisure activities, such as playing musical instruments or practising a sportive activity… In a particular case, it has been divulged that the child had a serious illness, which fortunately has been overcome ever since but which received full Facebook graphic and descriptive coverage at the time of the ongoing development.

I have seen pictures where my friends’ children appear almost naked or in unflattering poses, or where it is clearly identifiable where they go to school or spend holidays. Many identify their children by their name, age, school they attend, extracurricular activities… In any case, their parenthood is quite well established. I always think that, in the long run, it would permit the building of an extended and detailed profile for anybody which has access to such data. And, if you had read any of my other posts, you know by now that I am not exactly referring to the Facebook friends.

More worryingly, these details about the children’s lives are often displayed on the parents’ online profiles, perhaps due to simple distraction or unawareness, without any privacy settings being implemented. Consequently, anybody having a Facebook account can look for the intended person and have access to all the information contained on that profile.

I do not want to sound like a killjoy, a prude or a moralist. I get it, seriously, I do. A child is the biggest love and it is only human to want to proudly share his growth, development and achievement with relatives and friends. It has always been done and now it is almost effortless and immediate, at the distance of a click. In this regard, by forbidding the sharing of any picture or any information regarding children, the abovementioned decision seems excessive and unrealistic.

Nevertheless, one should not forget that some good sense and responsibility is particularly required in the online context, considering how easy it actually is to lose control of the purposes given to the published information besides the initial ones. As many seem to forget, once uploaded on an online platform, it is no longer within our reach, as they can be easily copied or downloaded by others.

Thus said, while it is certainly impossible to secure anonymity online, the amount of information that is published should be controlled for security, privacy and data protection purposes.

Anyway, this common practice of parents sharing online pictures and information regarding their children makes me wonder how companies such as Facebook, and other platforms focusing on user generated content, who process data at the direction of the user and, consequently, who unintentionally have to collect and process personal data regarding children below the age of sixteen, may be asked to comply with the new requirements of the GDPR in that regard.

If it is to be lawful if and to the extent that consent is given or authorised by the holder of parental responsibility, and if, as the Portuguese court have understood it, parents are not entitled to dispose of their children’s image on social media, a funny conundrum is generated. If the parents cannot publish such information, they will not be able to authorize it either and, consequently, children/teenagers won’t be able to rely on their parents’ authorization to use social media.

Those who have copies of torrid homemade videos, beware!

December 20, 2015 / / 0 Comments
Safe enough!

Safe enough! Not.

As a comeback after this very long pause, I would like to address a recent ruling of a Portuguese court, which followed the complaint of a woman against her ex-boyfriend, alleging revenge porn due to the online release of an intimate video on related websites.

Grosso modo, the details of the case are as follows: the woman and the man had a relationship. During that period, they mutually agreed to video record sexual interactions, on the condition that that record would never be watched by anyone else.

The quality and the angles of the images allowed for a clear identification of the complainant. The man retained a copy of the record and saved it in his personal computer.

After having ended the relationship, the woman found out that the video had been published and further divulged online, where it was freely available, and easily found by a simple and adequate terminological search. Moreover, it was argued that it was visualized by people who personally knew the complainant, namely from her area of residence and workplace.

It was not demonstrated in court that the man was the author of the original online release of the video. As a result, it was not demonstrated that this was a case of revenge porn. However, he admitted that the computer where a copy of the video was saved was frequently used by friends and family members.

Thus considering, the court concluded that the man was – due to the abovementioned pre-existing verbal agreement – obliged to keep safe the copy of the video he retained and to practice according necessary acts.

Therefore, by unrestrainedly permitting the access to the computer where a copy of the aforesaid recording was saved, it was deemed that he consequently had violated the duty of appropriately guarding it, i.e., by lacking to practice the acts he was obligated to.

The court hence ruled that this omission of properly secure sensitive information regarding the complainant entitled the latter to a pecuniary compensation.

In my opinion, this unprecedented ruling is very welcomed as a necessary judicial answer to the proliferation of revenge porn in the online context.

However, while I am fully aware that it is very difficult to judicially sustain allegations of revenge porn and that neither the responsibility of its authors nor the moral damages of the victims should go unanswered, I am really not sure if the procedence of such claims should rely on the ‘omission’ of an agreed act of keeping a given information secure.

It is evident that nowadays, particularly in regards of computerized information, privacy cannot be dissociated from security. However, recent history demonstrates that even large firms, processing information as sensitive, with far more resources and despite spending millions on security diligence, are unable to keep personal and sensitive data safe.

Therefore, it must be asked: what can qualify as such an omission when individuals are involved, specifically when demonstrated that an individual has no particular knowledge regarding ICT security or is convinced that all the appropriate measures were taken?

In the particular case at stake, it seems that it was the negligence – the permission of access to the computer where a copy of the video was saved – that was deemed determinant to qualify the conduct as a relevant omission.

Nevertheless, considering the lack of objective criteria, would it make a difference if the video was saved on the desktop as ‘wildnightsexwith(girlfriend’sname).mp4’ or if it was in a personal account in the computer and he forgot to log off, thus enabling others to access his personal files?

Anyway, as this is certainly the first of many ruling on similar factual issues, the courts will have plenty of opportunities to clarify the unanswered questions and to define objective criteria – or at least try – in this regard.

A spy in your living room: ‘Tu quoque mi’ TV?

February 21, 2015 / / 0 Comments
How smart are you?

How smart are you?

So, it seems that the room we have for our privacy to bloom is getting smaller and smaller. We already knew that being at home did not automatically imply seclusion. Still, nosy neighbours were, for quite a long time, the only enemies of home privacy.

However, thicker walls and darker window blinds no longer protect us from external snooping as, nowadays, the enemy seems to hide in our living room or even bedroom.

Indeed, it seems that when we bought our super duper and very expensive Smart TV, we actually may have brought to our home a very sneaky and effective – although apparently innocent – spy.

As you may (or may not) already know, TV with Internet connectivity allow for the collection of its users’ data, including voice recognition and viewing habits. A few days ago many people would praise those capabilities, as the voice recognition feature is applied to our convenience, i.e., to improve the TV’s response to our voice commands and the collection of data is intended to provide a customized and more comfortable experience. Currently, I seriously doubt that most of us do look at our TV screens the same way.

To start with, there was the realization that usage information, such as our favourite programs and online behaviour, and other not intended/expected to be collected information, are in fact collected by LG Smart TV in order to present targeting ads. And this happens even if the user actually switches off the option of having his data collected to that end. Worse, the data collected even respected external USB hard drive.

More recently, the Samsung Smart TV was also put in the spotlight due to its privacy policy. Someone having attentively read the Samsung Smart TV’s user manual, shared the following excerpt online:

To provide you the Voice Recognition feature, some voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service that converts speech to text or to the extent necessary to provide the Voice Recognition features to you. (…)

Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.

And people seemed to have abruptly waken up to the realization that this voice recognition feature is not only directed to specific commands in order to allow for a better interaction between an user and the device, as it also may actually involve the capture and recording of personal and sensitive information, considering the conversation taking place nearby. No need to be a techie to know that this does not amount to performance improvement. This is eavesdropping. And to make it worse, the data is transferred to a third-party.

In the aftermath, Samsung has clarified that it did not retain voice data nor sell the audio being collected. It further explained that a microphone icon is visible on the screen when voice activation was turned on and, consequently, no unexpected recording takes place.

Of course you can now be more careful about what you say around your TV. But as users can activate or deactivate this voice recognition feature, my guess is that most will actually prefer to use the old remote control and to keep the TV as dumb as possible. I mean, just the idea of the possibility of private conversations taking place in front of your TV screen being involuntarily recorded is enough motivation.

Also, it should be pointed out that, considering the personal data at stake (relating to an identified or identifiable person) involved, there are very relevant data protection concerns regarding these situations. Can it simply be accepted that the user has consented to the Terms and Conditions on the TV acquired? Were these very significant terms made clear at any point? It is quite certain that there users could not have foreseen, at the time of the purchase, that such deep and extended collection would actually take place. And if so, such consent cannot be considered to have been freely given. It suffices to think that the features used for the collection of data are what make the TV smart in the first place and, therefore, the main reason for buying the product. Moreover, is this collection strictly necessary to the pretended service to be provided? When the data at stake involves data from other devices or other wording than the voice commands, the answer cannot be positive. And the transmission of personal data to third parties only makes all this worse as it is not specified under what conditions data is transmitted to a third party or who that third party actually is. Adding to this, if we consider that these settings mostly come by default, they are certainly not privacy-friendly and amount to stealthily monitoring. Last but not the least, it still remains to be seen if the proper data anonymisation/pseudinonymisation techniques are effectively put in place.

Nevertheless, these situations brought back into the spotlight the risks to privacy associated with personal devices in the Internet of Things era. As smart devices are more and more present in our households, we are smoothly loosing privacy or, at least, our privacy faces greater risks. In fact, it is quite difficult to live nowadays without these technologies which undoubtedly make our lives so much more comfortable and easier. It is time for people to realize that all this convenience comes with a cost. And an high one.

Sex in the city: Is there a reasonable expectation of privacy when having sex with the lights on?

February 15, 2015 / / 0 Comments

When I read this post I could not help remembering the discussions within the Privacy module of the post grad learning programme I have recently enrolled in. A particular issue discussed was precisely the legitimate expectation of privacy regarding events which take place in public, such as those analysed in the Peck, Campbell or Von Hannover cases.

In the situation at stake, two office colleagues had sex in the workplace premises, with the lights on, having forgotten to pull the blinds down… and therefore in full view of transients and the customers of the pub located right across the street, who were able to observe the full scene, unnoticed from the inside.

The events were recorded by many (how useful are Smartphones in these situations!) and uploaded to the Internet. Obviously, it did not take long to spread both on social media and on the press and very quickly the couple has inadvertently become a viral sensation. Their sexual performance has been broadly gossiped, commented, assessed and rated. They have been publicly identified since then and details regarding their personal lives have been exposed.

Putting aside other pertinent considerations in regards of what internal proceedings the company should take, I would like to focus on the privacy issues at stake.

Our expectation of privacy does not forcefully depends of the place where the events take place. It is not because something happens in a public space or is visible by the public or from a public place that any reasonable expectation of privacy is automatically excluded. It suffices to think that most of our private life, such as conversations or encounters,  actually happens in public. How unfortunate would it be if that mere fact would ultimately deprive us of any expectation of living our lives discreetly. It would not be remotely reasonable to accept that people abdicate of their privacy expectations once they leave their homes. Specially when considering all the buzz surrounding smart TVs, our privacy is at risk even in our own households.

In this particular case, it was late in the evening and the couple expected to be alone in the office and away from peering eyes. It is unquestionbly a quite different situation than that of having sex in broad day light in a busy street, which would be more appropriately qualified as exhibicionism.

Moreover, the revealing and intimate nature of the activity cannot be ignored, considering that they were undressed and, well, having sex. I would say with some certainty that it is not something that most of us do not mind to be watched, recorded and commented, over and over, on a large-scale. And, in spite of being something that the public finds interesting, there is certainly not any public interest at stake.

Furthermore, despite acting on plain sight, the couple was absolutely unaware that their activities were being observed, let alone filmed. They did not give their consent – nor explicitly, nor implicitly – for their image to be captured. But, more relevant, they were certainly oblivious that those images and recordings would be disseminated at a large-scale. To be put within the public eye and the public attention which ensued were neither expected nor desired.

The moral damages at stake are evident. On a personal level, the couple has been publicly exposed, scorned, humiliated and shamed. Their dignity and self-esteem have been incessantly injured. At least for one of them, being married and with children, this exposure has also far more reaching consequences, affecting the family members concerned.

To say that the lesson to be learnt from this is to turn the lights off next time you intend to have sex is the easiest joke to make. However, such situations should not be socially treated so light-heartedly. Namely because with the advanced technologies available, it is getting easier to photograph and record events humiliating for someone. That is how many of the known cyber bullying situations actually start.  Technologies are evolving so fast that the general awareness and sensitivity are having a hard time keeping track of the issues at stake.

Perahps a very good first step would be for people to start accepting that it is not because they can see something, and are able to easily record it and quickly share it online, that it is legitimate to do so.It is so easy to laugh at someone’s expenses. And the next big joke could be any of us.

 

Monitoring of employees in the workplace: the very private parts of a job in the EU private sector

January 27, 2015 / / 0 Comments
Let us all see what you are doing.

Let us all see what you are doing.[1]Copyright by MrChrome under the CC-BY-3.0

Whilst not all employers in the U.S.A. monitor their employees’ communications and activities, the majority do so, namely to evaluate their professional performance, to protect trade secrets, to prevent information security breaches or to avoid or reduce their liability in lawsuits.

So, incoming and outgoing email correspondence, telephone calls, websites visited and documents saved on the computer may be only some of the data accessed in this context.

This surveillance of employees’ electronic communications and activities over employer-provided facilities are generally deemed unlawful under the European Union law. Member States legal systems usually include constitutional laws, telecommunications laws, labour laws and criminal laws which are intended to be dissuasive.

Currently, there is no specific EU legislation regarding the privacy and protection of workers’ personal data at work.

Nevertheless, Article 31(1) of the Charter of Fundamental Rights of the European Union, whose application is mandatory whenever Member States apply EU law, states: “Every worker has the right to working conditions which respect his or her (…) dignity”.

In parallel, there are two EU Directives which can be applicable in these professional contexts. Although they do not specifically deal with any aspect of employment relationships nor address employee monitoring, they establish some privacy principles which are applicable regarding surveillance at workplace. These provisions are then furthered by Member States through their national legislation.

Firstly, we have the 95/46/EC Directive which relates to the protection of individuals with regard to the processing of personal data. Under this framework, data subjects are provided control over the collection, transmission, and use of their personal information. In fact, this instrument foresees that data subjects have the right to be notified of collection of personal information.

In this context, employers have to ensure that their surveillance is legitimate and restricted and must be transparent regarding any surveillance conducted. Any monitoring of the employees communications and activities, namely regarding the use of e-mail, the internet or phones, without their employee’s knowledge or consent, is unlawful.

Secondly, the 2002/58/EC Directive relates to the processing of personal data and the protection of privacy in the electronic communications sector. The interception of  communications over private networks, including e-mails, instant messengers, and phone calls, and generally private communications, are not covered as the instrument only refers to publicly available electronic communications services in public communication networks.

The European Convention for the Protection of Human Rights and Fundamental Freedoms (hereafter ‘ECHR’), in its article 8, reads as follows: “Everyone has the right to respect for his private and family life, his home, and his correspondence”.

Whilst the right to privacy at work has not yet be considered by the Court of Justice of the European Union, the European Court of Human Rights (hereafter ‘ECtHR’) has already ruled that the right to privacy right is not restricted to the household and extends to the workplace environment.

In fact, in Köpke v Germany, the Court stated as follows: “(…) that the concept of private life…may include activities of a professional or business nature and may be concerned in measures effected outside a person’s home or private premises(…)”.

In the Niemietz v. Germany case, the ECtHR included business relations, e-mails, and any other form of electronic communication in the concept of ‘private life and correspondence’, no distinction being made between private or professional correspondence.

In Halford v. UK Gov., the ECtHR held that the employer’s surveillance of the employee’s calls at work unjustifiably interfered with the employee’s right to privacy and correspondence. Communications via e-mail, fax, wireless, and any technological means is covered by the concept of correspondence.

Moreover, in the ruling Copland v United Kingdom, the ECtHR concluded that the fact that the calls or the e-mail usage occur in the office and, at least in theory, are business related, was irrelevant. Business correspondence and telephone calls may contain personal information, which is protected by human rights and by data protection law.

It also found that, even if the telephone monitoring was limited to “the date and length of telephone conversations” and “the numbers dialled,” and do not involve the content of the communications, it still violates article 8 of the ECHR.

The Court stated as well that article 8 is infringed where the monitoring is not previously communicated to the employees, as they have, in consequence, a “reasonable expectation” that they will not be.

However, a worker’s right to privacy at work is not absolute.

In Benediktsdóttir v. Iceland, the ECtHR concluded that the right to privacy and to correspondence has to be balanced with the other rights, namely those of the employer.

In this context, although not legally binding, the Article 29 Working Party (hereafter WP29) opinions provide important guidance. In fact, national data protection authorities take them into account when applying and enforcing national laws.

The WP29 issued an opinion on the processing of personal data in the employment context in 2001, concluding that “[t]here should no longer be any doubt that data protection requirements apply to the monitoring and surveillance of workers whether in terms of email use, internet access, video cameras or location data.” Therefore, monitoring must be proportionate, not excessive for the intended purposes, and carried out in the least intrusive way possible. Furthermore, it stated that, under the Data Protection Directive, employers may process data concerning their employees only with “unambiguous consent” or if the processing is “necessary.”

In 2002, the WP29 issue a Working Document on the surveillance of electronic communications in the workplace, in which was argued that the employee’s right to privacy should be balanced with the legitimate rights and interests of the employer, such specific and important business need, as efficiency or the right to protect the employer from harm caused by employees’ actions. Therefore, the monitoring activities should be necessary, proportionate and transparent.

In the WP29’s viewpoint, any monitoring of electronic communications should be exceptional, namely when necessary to obtain to obtain proof of certain actions of the worker; detect unlawful activity; detect viruses; or guarantee the security of its systems. Therefore, concealed or intrusive monitoring is generally unlawful.

In 2005, in its annual report, the WP29 has affirmed that “[i]t is not disputed that an e-mail address assigned by a company to its employees constitutes personal data if it enables an individual to be identified.

The WP29 stressed, in another Opinion, in 2006, that all online communications in the workplace are subjected to confidentiality protection, including those sent from workplace equipment for private as well as professional purposes. It suggested seven principles to ensure a proper monitoring: necessity regarding a specified purpose; a specified, explicit and legitimate purpose; prior notice to employees about the monitoring; the monitoring should be aimed to safeguard employer’s legitimate interests; personal data processed in connection with any monitoring must be adequate, relevant, and not excessive with regard to the purpose for which they are processed; data must be accurate and not retained for longer than necessary; and appropriate technical and organisational measures shall be implement regarding security.

The requirements at stake may vary according to the monitoring technologies used as some will require stricter standards according to the extent of interference with private life. For instance, in Uzun v. Germany, the ECtHR concluded that the monitoring via GPS is not as intrusive telephone tapping.

Considering that the data collected by the employer may constitute sensitive data, it can only be processed in the cases foreseen in Article 7 of the Directive 95/46. In this context, considering the disparity in the contractual positions at stake the employee’s consent may not deemed to legitimize the processing.

In this context, it is quite advisable for private employers established in the EU to set up clear and acknowledged internal policies or guidelines regarding the use of Internet and electronic equipment in the workplace, for instance as part of the work contract.

This legal and jurisdictional context highlights the challenge that companies and other organizations face when doing business in the European Union, especially those which also operate under U.S.A. law.

References

References
1 Copyright by MrChrome under the CC-BY-3.0

Game of drones or the not so playful side of the use of RPAS for recreational purposes

December 28, 2014 / / 0 Comments
I am watching you.

I am watching you.[1]Copyright by Don McCullough under the Creative Commons Attribution 2.0 Generic

If one of the gifts you have found underneath the Christmas tree was a drone [2]The term drone is used to describe any type of aircraft that is automated and operates without a pilot on board, commonly described as unmanned aerial vehicles (UAV). There are two types of drones: … Continue reading, and it happens to have some camera installed on it, you should prepare yourself to embrace your new status of a data controller and face a new set of obligations regarding privacy and safety.

Indeed, whilst drones can be a lot of fun, there are serious considerations at stake which should not be ignored. In fact, the extensive range of their potential applications[3]Despite drones were firstly used for military activities, they are increasingly used across the EU for civilian purposes. The civil use usually refers to those commercial, non-commercial and … Continue reading, the proliferation of UAVs with a camera, the collection of data and the subsequent use of such data, namely by private individuals for personal and recreational purposes raise concerns about the impact of these technologies on the safety, security, privacy and the protection of personal data.

As a matter of fact, a drone in itself does not imply the collecting and the processing of any personal data until you attach a camera to it. However, drones are increasingly equipped with high definition optical cameras and therefore are able to capture and record images of the public space. And while there are no apparent privacy concerns regarding the recording of landscapes, having a drone filming through the sky over your neighbourhood might lead to a very different conclusion. Drones have a high potential for collateral or direct intrusion regarding privacy, considering the height at which they operate, allowing to monitor a vast area and to capture large numbers of people or specific individuals. Despite individuals may not always be directly identifiable, their identification may still be possible through the context in which the image is captured or the footage is recorded.

It must be noted that people might not even be aware that they are being filmed or by whom and, as a result, cannot take any steps to avoid being captured if such activity is not made public. People ought not to know that the device is equipped with optical imaging and has recording capabilities. Moreover, because the amateur usage of a drone may not be visible, there is a high risk of being directed to covert and voyeuristic recording of their neighbours’ lives, homes and back gardens. How would you feel if a drone was constantly looming near your windows or in your backyard? Indeed, there is no guarantee regarding the legitimacy of the end to be achieved with the use of drones. None withstanding the fact that a drone may actually pose a threat to people’s personal safety, belongings and property, considering that it may fall, its increasing popularity as a hobby outlines the issue of discriminatory targeting, as certain individuals, such as children, young people and women, are particularly vulnerable to an insidious use of RPAS. This is particularly relevant considering that the images or footage is usually intended to be made publicly available, usually on platforms such as Youtube.

Furthermore, the recording may interfere with the privacy of individuals as their whereabouts, home or workplace addresses, doings and relationships are registered. In this context, the use of drones for hobbying purposes may have a chilling effect on the use of the public space, leading individuals to adjust their behaviour as they fear their activities are being monitored.

Thus considering, the use of this type of aerial technologies is covered by Article 7 and Article 8 of the EU Charter of Fundamental Rights which respectively establish the respect for private life and protection of personal data. Taking into account the abstract nature of the concept of privacy, the main difficulty will be to define when there is a violation at stake.

In addition, there are obviously data protection implications at stake where the drone is capturing personal data. EU data protection rules generally govern the collection, processing and retention of personal data. The EU Directive 95/46/CE and the proposed General Data Protection Regulation are applicable to the collection, processing and retention of personal data, except where personal data is collected in the course of a purely personal or household activity. Hence, the recreational use of drones is a ‘grey area’ and stands almost unregulated due to this household exemption.

Nevertheless, due to the risks at stake, both to privacy and to data protection, the extent to which the ‘household‘ exemption applies in the context of a personal and private use must be questioned.

In a recent ruling, the CJEU concluded that the partial monitoring of the public space carried out by CCTV is subjected to the EU Directive 95/46, even if the camera capturing the images is “directed outwards from the private setting of the person processing the data”. As already analysed here, the CJEU considered that the processing of personal data involved did not fall within the ‘household exemption’ to data protection laws because the camera was capable of identifying individuals walking on a public footpath.

As the RPAS operations may be quite similar to CCTV, but more intrusive, because they are mobile, cover a larger territory, collect a vaster amount of information, it is not a surprise that they may and should be subjected to the same legal obligations. Subsequent to this ruling, these technologies should be considered as potentially privacy-invasive. Consequently, private operators of drones in public spaces should be ready to comply with data protection rules.

Of course, the footage needs to contain images of natural persons that are clear enough to lead to identification. Moreover, and in my opinion, it is not workable to consider, in order for the household exemption to be applied, the images collateral and incidentally captured. Otherwise, selfies unwillingly or unknowingly including someone in the background could not be freely displayed on Facebook without complying with data protection rules. The footage must constitute a serious and systematic surveillance on individuals and their activities.

Therefore, information about the activities being undertaken and about the data processing (such as the identity of the data controller, the purposes of processing, the type of data, the duration of processing and the rights of data subjects), where it does not involve disproportionate efforts, shall be given to individuals (principle of transparency). Moreover, efforts should be made in order to minimize the amount of data obtained (data minimization). Moreover, the controller might need to ensure that the personal data collected by the drone camera is anonymised, is only used for the original purpose for which it was collected (purpose limitation), will be stored adequate and securely and will not be retained for longer than what is necessarily required.

In this context, individuals having their image captured and their activities recorded by the camera of a drone should be given guarantees regarding consent, proportionality and the exercise of their rights to access, correction and erasure.

Thus said, depending on where you are geographically located in the EU, there are obviously different rules regarding the legal aspects related to the use of drones. It is therefore important for individuals intending to operate a drone to get informed and educated about the appropriate use of these devices and the safety, privacy and data protection issues at stake in order to avoid unexpected liability.

References

References
1 Copyright by Don McCullough under the Creative Commons Attribution 2.0 Generic
2 The term drone is used to describe any type of aircraft that is automated and operates without a pilot on board, commonly described as unmanned aerial vehicles (UAV). There are two types of drones: those which can autonomously follow pre-programmed flight routes and those which have remotely piloted aircrafts systems (RPAS). Only the latter are currently authorised for use in EU airspace.
3 Despite drones were firstly used for military activities, they are increasingly used across the EU for civilian purposes. The civil use usually refers to those commercial, non-commercial and government non-military activities which are more effectively or safely performed by a machine, such as such as the monitoring of rail tracks, dams, dykes or power grids.

CCTV: household security or how to be a data controller at home

December 20, 2014 / / 0 Comments
CCTV, walking the thin line of protecting yourself or becoming a data processor.

CCTV, walking the thin line of protecting yourself or becoming a data processor.[1]Copyright by Nïall Green under the Creative Commons Attribution-Share Alike 1.0 Generic

Having suffered several attacks, in which the windows of the family home had been broken on several occasions, by persons unknown, Mr Ryneš, a Czech citizen, installed a CCTV camera under the eaves of his home. In a fixed position, the camera recorded the entrance to his home, the public footpath and the entrance to the house opposite. The system allowed only a visual recording, which was stored on a hard disk drive. Reaching its full capacity, the device would record over the existing recording, erasing the old material. Although the images would not be monitored in real time, this video surveillance system made it possible to identify two suspects, who were subsequently prosecuted.

However, despite the happy outcome, the operation of this camera system, installed by an individual on his household, for the purposes of protecting the property, health and life of the owner and his family, raised some questions due to the continuous recording of a public space.

One of the suspects challenged the legality of Mr Ryneš recording of the images. The Czech Data Protection Authority (hereafter DPA) considered that this operation infringed data-protection rules because the data collection of persons moving along the street or entering the house opposite occurred lacked their consent; individuals were not informed of the processing of that personal data, the extent and purpose of that processing, by whom and by what means the personal data would be processed, or who would have access to the personal data; and this processing was reported to the Office as mandatory.

Mr Ryneš brought an action challenging that decision in court, which was dismissed. The case was appealed to the Czech Supreme Administrative Court which referred to the Court of Justice of the European Union (hereafter CJEU) for a preliminary ruling.

In this context, in its judgment in Case C-212/13, the CJEU addressed the application of the ‘household exception’, for the purposes of Article 3(2) of Directive 95/46/EC, which refers to the data processing carried out by a natural person in the course of a purely personal or household activity.

The CJEU considered that the image of a person recorded by a camera constitutes personal data within the meaning of the Directive 95/46 inasmuch as it makes it possible to identify the person concerned.

Moreover, the Court considered that video surveillance falls within the scope of the above mentioned directive in so far as it constitutes automatic processing, i.e., an operation which is performed upon personal data, such as collection, recording, storage.

Considering that the main goal of the this Directive is to guarantee a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy, as foreseen in article 7 of the EU Charter of Fundamental Rights, the CJEU recalled that derogations and limitations must be strictly necessary.

Therefore, the Court deemed that the ‘household exception’ must be narrowly construed and applicable when the data processing activity is carried out ‘purely’ private and household context, even if it incidentally concerns the private life of other persons, such as correspondence and the keeping of address books.

In this context, the CJEU concluded as follows:

(…)the second indent of Article 3(2) of Directive 95/46 must be interpreted as meaning that the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision.

However, Mr Ryneš’s concerns, which motivated the installation of the camera, were not overlooked by the CJEU. Indeed, the Court outlined that the Directive itself allows, where appropriate, to consider the legitimate interests pursued by the controller, such as the protection of the property, health and life of his family and himself. This reflection is in line with the Opinion of the Article 29 Working Party in this regard as security was mentioned as an example of a legitimate interest of the data controller.

This implies that, even if the household exception is not applicable in this very particular case, a CCTV camera recording activity such as the one in the proceedings is lawful in the light of article 7(f) of the Directive. Thus said, the referring Court will now have to take this interpretative guidance into consideration and decide if the recording and processing at stake were legitimate, for instance, in regards of article 10 of the instrument. It is possible that the Czech Court may still consider that because no information regarding the recording was provided to the public (individuals were not informed of the processing of that personal data, the extent and purpose of that processing, by whom and by what means the personal data would be processed, or who would have access to the personal data) and considering that this processing was not reported to the Office constitute a breach of the data protection rules.

This is particularly relevant considering that, precisely for security purposes, individuals are equipping their households with CCTV systems which capture public space. Only time will tell how this decision will be applied to individuals in practice. Most certainly, DPAs across the EU will update their recommendations regarding the weighing between the necessity of the recording and storing of the data to pursue an interest deemed legitimate and the interests for fundamental rights and freedoms of the data subject.

At this point, it is expectable that householders who have surveillance cameras that capture public space will need to ensure that their collection and further use of any footage which contains images of identifiable individuals complies with the data protection requirements. Thus, they will have, for instance, to at least inform people of this monitoring and ensure that no footage is illegally retained.

References

References
1 Copyright by Nïall Green under the Creative Commons Attribution-Share Alike 1.0 Generic

The not so privacy orientated new privacy policy of Facebook

December 18, 2014 / / 0 Comments
Am I really in charge?

Am I really in charge?

Following all the criticism regarding the complexity of its terms of service and privacy policy, and allegedly in order to get more people actually reading and understanding the terms which must be agreed on for the use of the service, Facebook has announced, last month, an update (yes, again) of this privacy policy. But this time it is a visually clearer, shorter, linguistically simplified and more understandable version. If you have a Facebook user account, you certainly have already received a notification regarding this update, which will enter into force on the 1st January 2015.

In a section entitled ‘Privacy Basics’, users are told how to control what is to be shown to others, how they might interact with others and what may be shown in their news feed, how to control the visibility of their profile, and how to deactivate or delete their account. This new policy even includes a childlike assistant to guide users through these explanations.

On the terminological side, ‘public information’, which was previously defined as “the information you choose to make public, as well as information that is always publicly available“, is now defined as “any information you share with a public audience, as well as information in your Public Profile, or content you share on a Facebook Page or another public forum”.

However, not much changes, actually. Indeed, this more user friendly appearance does not really give users more control over their data. In fact, it does not give much. Users might control their data regarding others but Facebook and its commercial partners are certainly not included in the concept of ‘others’. The reading of the data policy regarding the type of data which is collected and the use of such data is quite self explanatory in this regard.

To be sure, the users’ settings haven’t been changed. Nevertheless, on a positive note, the user gets now to better understand how Facebook tracks its users. For instance, it is specified that Facebook may collect location information from users on its mobile apps through GPS, Bluetooth or WiFi networks.

In this regard, although users can decline or opt out of sharing information with third party applications or for targeted advertising purposes, which are based on their browsing habits off of the network, they have no control regarding the information that is collected and shared. To be true, no changes were made regarding how much data Facebook collects from its users.

In fact, Facebook has entire access to all the information made available about their users, both provided by users themselves while updating their profiles and by their friends. Moreover, Facebook can use this information namely to provide and develop its Services (yes, with a capital letter) and to promote and evaluate successful advertising. Unless entirely unconnected from the platform, as it does not suffice to close the tab, Facebook is therefore able to access all information provided in websites or applications which use its Services, gathering data on websites visited by its users and their behaviour on those websites. It will be, for instance, the case of Instagram or Whatsapp.

Likewise, as Facebook now accepts payments to be made on the platform, it can use information people share regarding their purchases and financial transactions to better target advertisements. For example, according to the update, the company collects information on each purchase, including payment information such as credit or debit card data, account authentication information, billing, shipping, and contact details. In addition, users are not given the option to control what information is being used for advertising purposes.

Furthermore, users can customize their ads preferences in order to make the advertisements which are shown to them more relevant. Therefore, a user will be able to decide whether or not to see advertisements based on a peculiar interest. While most users may appreciate this new option, the main beneficiary is ultimately Facebook itself as it allows advertisers to differentiate among successful and irrelevant ads. However, it must be noted that users will still not be able to control the data collection resulting from targeted advertising, but only to control how much targeted advertising is presented to them.

What is more, Facebook continues to get location information in order to allegedly present more relevant information regarding, for instance, friends or restaurants nearby. As you may know already, if you at some point read the previous version of the terms of service, advertisements were usually presented based on the location listed in a user’s profile. Facebook now proposes to enable advertisers to target users based on their actual location.

Thus said, Facebook has always been associated with issues regarding its privacy policy and terms of service, which were always deemed to be too complex for the common user. However, I believe that this complexity was not the main cause why most of its users are not aware of the use purposes of their data. My experience tells me that, disregarding how simple they are, and contrary to their best interests, not many people will actually read any terms and conditions of any service. Similarly, these updates on the terms and conditions will certainly not be read by many. And for those who will, it will surely not make them turn away from the social platform.

Facebook is already a very relevant part of its users’ lives, businesses and online interactions. Perhaps most users have accepted that, beyond being a space where friends and family can interact, it is primarily a business intended to deliver effective advertisements by using the information provided by its users. Or perhaps people just don’t care.

Nevertheless, it must be noted that the consent given by users do little in regards of their privacy. Individual consent is rarely exercised as a meaningful choice. And by ‘meaningful’ I mean with awareness and understanding of the implications and consequences of their consent.

Either way, the outcome is as follows: while people continue to use Facebook to interact with their family and friends, Facebook is not the product. Users are.

Older posts

© 2023 The Public Privacy

Theme by Anders NorenUp ↑