Chapter 15 (Surveillance Activities) Flashcards

1
Q

From a technical perspective, surveillance focuses on what 4 types of data?

A
  1. Communications
  2. Video
  3. Biometric
  4. Location
2
Q

Surveillance involves the observation of an individual or group of individuals and may be carried out by what 2 types of entities?

A
  1. Public and state agencies for national security or law enforcement purposes
  2. Private entities for their purposes, subject to EU and member state laws governing confidentiality, privacy, data protection, and other civil rights such as those provided by employment law
3
Q

Public and state agencies that carry out surveillance for national security or law enforcement must conduct it in a manner that respects individuals’ rights as laid out in what 2 documents?

A
  1. The Charter of Fundamental Rights: Article 7, rights to a private and family life & Article 8, protection of personal data
  2. The European Convention of Human Rights (ECHR): Article 8, respect for private and family life
4
Q

What 2 courts assess whether member states’ national laws are in line with the Charter of Fundamental Rights and other EU law?

A
  1. Court of Justice for the European Union (CJEU)
  2. European Court of Human Rights (ECtHR)
5
Q

According to the EDPB, when making limitations on the right to privacy and data protection for the purposes of surveillance what 4 requirements should be met?

A
  1. Processing should be based on clear, precise, and accessible rules
  2. Necessity and proportionality with regard to the legit objectives pursued need to be demonstrated
  3. An independent oversight mechanism should exist
  4. Effective remedies need to be available to the individual
6
Q

What is metadata?

A

Referred to as data about data and is info that is generated or processed as a consequence of a communication’s transmission and provides context to the communication.

7
Q

What are 3 examples of metadata?

A
  1. Traffic data
  2. Location data
  3. Subscriber data
8
Q

What is traffic metadata?

A

Includes info about the type, format, time, duration, origin and destination, routing, protocol used, and the originating and terminating network of a communication.

9
Q

What does location metadata refer to?

A
  1. Latitude, longitude, and altitude of the user’s equipment
  2. Direction of travel
  3. Level of accuracy of the location info
  4. ID of the network cell on which the user device is located at a certain time
  5. Time the location info was recorded
10
Q

What is subscriber metadata?

A

Generally constitutes the name, contact details, and payment info.

11
Q

What 5 things does metadata reveal?

A
  1. The who (parties involved)
  2. The where (the location of parties)
  3. The when (the time and duration)
  4. The what (the type, such as an e-mail or phone call)
  5. The how (the device used, such as a mobile phone or tablet)
12
Q

The CJEU has clarified EU law precludes national legislation requiring what in the context of data retention?

A

General and indiscriminate transmission or retention of traffic and location data for the purpose of combating crime or safeguarding national security.

13
Q

Although the CJEU precludes national legislation requiring general and indiscriminate transmission or retention of traffic and location data for the purpose of combating crime or safeguarding national security, it does allow exceptions in what 4 circumstances?

A
  1. If a member state is facing a genuine and present or foreseeable serious threat to national security
  2. Targeted retention
  3. Expedited retention (storing data longer than normal retention periods allow)
  4. Retention of IP address
14
Q

How did the ECtHR rule on the topic of bulk interception of communications data in the case of Big Brother Watch v. the UK?

A

Found that the UK surveillance regime did violate Article 8 of the Convention, but it still recognizes the national authorities enjoy a wide margin of appreciation in choosing how best to achieve the legitimate aim of protecting national security, and bulk interception regimes don’t fall outside this margin.

15
Q

In Big Brother Watch v. the UK the ECtHR emphasized that to stay within the margin of appreciation surveillance regimes must include what?

A

End-to-end safeguards that ensure necessity and proportionality of the surveillance measures are assessed at each stage of the surveillance process.

16
Q

How does the GDPR define biometric data?

A

Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

17
Q

Is it likely that a data controller will be able to rely on an individual’s consent as the legal basis for the use of CCTV?

A

It is unlikely. The lawfulness will typically be legitimized based on legit interests pursued by the data controller or third party.

18
Q

Can the purposes of protecting property against burglary, theft, or vandalism constitute a legit interest for video surveillance?

A

Yes, as long as these issues are real and existing (i.e. the possibility of theft won’t be enough).

19
Q

In Antovic & Mirkovic v. Montenegro, a university installed CCTV cameras in lecture theaters to protect property as there had been incidents of damage and loss at the university. Cameras caught images of lecturers who claimed infringement of their rights to a private life. How did the ECtHR rule?

A
  1. Majority: ruled in favor of the lecturers
  2. Dissent: highlighted the difficulties there may be in figuring out the proportionality test and the need for consideration of all aspects of proportionality and additional privacy-by-design measures
20
Q

In Lopez Ribalda and Others v. Spain what were the facts?

A

A Spanish supermarket chain installed visible and covert video cameras in one of their sites to investigate economic losses it had accrued.

Employees were informed about the visible cameras, but not the covert ones pointed at cashier tills. Employees who were dismissed when video footage showed them stealing filed the action, saying their privacy rights had been violated.

21
Q

What did the court conclude in Lopez Ribalda and Others v. Spain?

A

Held that even though not informing employees about the hidden cameras was an infringement of the Spanish Data Protection Act, it was possible significant public or private interest could justify the lack of prior info, and informing is just one criterion to be considered.

Held Spain hadn’t overstepped its margin of appreciation and there had been no violation of Article 8 of the Convention.

22
Q

In the context of surveillance and monitoring, a DPIA will have to be completed if one of what 4 circumstances exist?

A
  1. The video surveillance is considered to be high risk
  2. It involves the systematic monitoring of a publicly accessible area on a large scale
  3. Data controller intends to process special categories of data on a large scale
  4. If video surveillance has been included by the relevant supervisory authority on a list of data processing operations that require a DPIA (Article 35 of the GDPR)
23
Q

Before initiating the use of video surveillance, a data controller should consider what 6 key aspects when implementing appropriate technical privacy-by-design measures?

A
  1. Operational and monitoring arrangements (e.g. types of cameras, camera positions, quality of images, ability to blur, etc.)
  2. Retention of CCTV footage
  3. The need to disclose CCTV footage to third parties, such as the police
  4. Whether CCTV footage will be combined with other info, for example to ID individuals
  5. The surveillance areas where people have high expectations of privacy (like bathrooms and changing areas)
  6. Privacy requirements for procurement
24
Q

Before initiating the use of video surveillance, a data controller should consider what 3 key aspects when implementing appropriate organizational privacy-by-design measures?

A
  1. Staff training
  2. CCTV policy
  3. Regular reviews to ensure compliance
25
Q

What are 11 examples of biometric data?

A
  1. DNA
  2. Fingerprints
  3. Palms
  4. Vein patterns
  5. Retina and iris patterns
  6. Odor
  7. Voice
  8. Face
  9. Handwriting
  10. Keystroke technique
  11. Gait
26
Q

What are the 2 main uses of biometrics today?

A
  1. Identification
  2. Authentication
27
Q

Location-based services (LBS) utilize info about location to deliver, in various contexts, a wide array of applications and services. Give 9 examples of such applications and services.

A
  1. Social networking and gaming
  2. Entertainment
  3. Advertising and marketing
  4. Navigation
  5. Commerce
  6. Payment
  7. Tracking goods and people
  8. Security
  9. Emergency response services
28
Q

Usually LBS rely on the technical ability to localize a portable device. Give 5 examples of portable devices LBS rely upon.

A
  1. Mobile phone
  2. GPS receiver
  3. SatNav device
  4. Radio frequency identification (RFID) tag
  5. Chip in a credit card
29
Q

The main types of location data used for LBS come from one or more of what 3 technologies and services?

A
  1. Satellite network-generated data (e.g. GPS)
  2. Cell-based mobile network generated data (e.g. the Cell ID)
  3. Chip-card generated data (e.g. data generated from use of payment card or access cards)
30
Q

In 2020 the EDPB published a dedicated guideline on contact tracing with an annex listing the requirements for such apps. What are the 3 main requirements?

A
  1. Use of contact tracing apps should be strictly voluntary, and the apps should stop collecting info once it is no longer necessary for controlling the pandemic
  2. Contact tracing must be technically done in a manner that doesn’t utilize location data, merely proximities with other devices
  3. DPIAs must be conducted prior to the deployment of such apps