Chapter 15 - Surveillance Activities Flashcards
What are the main concerns regarding surveillance activities?
-Surveillance is getting easier due to cheaper and more sophisticated equipment, complex analytics software, and the technology used by individuals producing more data.
-Surveillance is of significant public concern, whether by government, law enforcement, employers, or companies gathering data on customers.
-The debate between the need for surveillance, especially in relation to national security, and an individual’s right to privacy is ongoing.
-Surveillance capitalism, where companies profit from behavioural data, has also become a concern.
-During the COVID-19 pandemic, governments adopted privacy-intrusive activities like contact tracing and vaccination passports with little opposition
How does technology facilitate surveillance?
-New technologies generate a wealth of data about individuals, such as detailed information from phone calls, text messages, emails, web surfing, CCTV cameras, biometric data, payment cards, mobile phones, and fitness monitors.
-These technologies lead to the networked interconnection of everyday objects, known as the Internet of Things (IoT).
-Surveillance activities are undertaken daily by public and private sector entities for lawful purposes, including:
(1) employee monitoring
(2) social networks analysis
(3) data mining
(4) profiling, aerial surveillance, satellite imaging
(5) telecommunications surveillance, monitoring movements through mobile telecommunications location data
(6) CCTV cameras
(7) geolocation technologies, and biometric surveillance
What are the key types of surveillance data?
-The key types of surveillance data are communications, video surveillance, biometric, and location data.
-Communications data include the content of a communication and metadata, such as traffic data, location data, and subscriber data.
-Video surveillance involves capturing images or footage of individuals, which can be considered biometric data if used to uniquely identify individuals.
-Biometric data include DNA, fingerprints, palms, vein patterns, retina and iris patterns, odour, voice, face, handwriting, keystroke technique, and gait.
-Location data are generated from satellite networks, mobile networks, wireless technologies, and chip cards
How is surveillance regulated for national security or law enforcement purposes?
-Governmental surveillance activities for national security or law enforcement purposes are legislated by member states, subject to limits imposed by national constitutions, EU charters, and international conventions.
-The European Data Protection Board (EDPB) has presented recommendations of European essential guarantees for surveillance measures, which include clear, precise, and accessible rules, necessity and proportionality, independent oversight mechanisms, and effective remedies for individuals.
-GDPR permits EU or member state law to restrict data subject rights for national and public security, the prevention and detection of crime, and the protection of the data subject and the rights and freedoms of others
How is surveillance regulated for private entities?
-Surveillance activities for private entities are considered personal data processing activities and must follow the GDPR and other applicable member state laws, such as employment-related laws.
-For communications and location data, the ePrivacy Directive and its national implementations are relevant.
-The ePrivacy Directive has been under review since 2017 with the aim of harmonising the rules across the European Union with a new ePrivacy Regulation
What are the main categories of communications data?
The main categories of communications data are:
- Content of a communication: The conversation between parties in a telephone call, words in an SMS, or the subject line, main body, and attachments of an email.
- Metadata: Data about data, including traffic data (type, format, time, duration, origin and destination, routing, protocol used, and network), location data (latitude, longitude, altitude, direction of travel, accuracy, Cell ID, and time), and subscriber data (name, contact details, and payment information)
What is the significance of the CJEU judgment on the Data Retention Directive?
-The CJEU judgment in 2014 rendered the Data Retention Directive invalid for disproportionately infringing individuals’ privacy rights as guaranteed by the Charter.
-The repeal led to changes in member state laws and legal uncertainty on whether member states can require private entities to bulk store communications data.
-The CJEU has clarified that EU law precludes national legislation requiring general and indiscriminate transmission or retention of traffic and location data for combating crime or safeguarding national security.
-However, exceptions exist for genuine and present or foreseeable serious threats to national security, targeted retention, expedited retention, and retention of IP addresses
What are the requirements for the lawfulness of video surveillance processing?
-The lawfulness of video surveillance processing is typically legitimised based on the legitimate interests pursued by the data controller or a third party.
-In specific cases, using CCTV might be necessary to perform a task carried out in the public interest or when exercising official authority.
-Member states can introduce specific national legislation related to the use of video surveillance.
-When relying on legitimate interest, a balancing exercise must be carried out to verify that the CCTV’s use does not override the rights and freedoms of the individuals whose personal data may be captured
What is a legitimate interest assessment for video surveillance?
-To rely on legitimate interest as a legal basis, the data controller needs to demonstrate an interest exists and weigh it against the rights and freedoms of the data subjects by arguing the necessity of processing and balancing the interests.
-The purpose of protecting property against burglary, theft, or vandalism can constitute a legitimate interest for video surveillance.
-The controller should consider less-intrusive solutions before using CCTV and assess whether the monitoring affects the interests of data subjects and causes negative consequences to their rights
What are the requirements for conducting a Data Protection Impact Assessment (DPIA) for video surveillance?
A DPIA must be completed if:
- The video surveillance is considered high risk.
- It involves the systematic monitoring of a publicly accessible area on a large scale.
- The data controller intends to process special categories of data on a large scale.
- Video surveillance has been included by the relevant supervisory authority on a list of data processing operations that require a DPIA
What is the significance of the ECtHR case Antovic and Mirkovic v. Montenegro?
-In the case of Antovic and Mirkovic v. Montenegro, a university installed CCTV cameras in lecture theatres to protect property.
-The images included lecturers, two of whom claimed this infringed on their right to a private life under the ECHR.
-The court ruled in favour of the lecturers, highlighting the difficulties in carrying out the proportionality test and the need for consideration of all aspects of proportionality and privacy-by-design measures
What are the key aspects of data protection by design and default for video surveillance?
-Before initiating video surveillance, a data controller should consider and implement appropriate technical and organisational privacy-by-design measures, including:
- Operational and monitoring arrangements: Types of cameras, positioning, zooming functionality, image quality, blurring or deleting irrelevant images, and actions based on CCTV data.
- Retention of CCTV footage: Retain footage only if necessary for the purpose and for as long as required.
- Disclosure of CCTV footage to third parties.
- Surveillance of areas with high expectations of privacy.
- Privacy requirements for procurement
What are the data subject rights related to CCTV?
-For overt video surveillance, the data controller must comply with the transparency requirements of the GDPR.
-Individuals must be provided with information to make them aware CCTV is in operation and of the areas being monitored.
-The information should be visible and placed within a reasonable distance of the monitored area, provided in a layered approach.
-The personal data captured through video surveillance are subject to the Article 15 right of access by the data subject
What are biometric data and their uses?
-Biometric data are personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, allowing or confirming the unique identification of that person.
-Examples include DNA, fingerprints, palms, vein patterns, retina and iris patterns, odour, voice, face, handwriting, keystroke technique, and gait.
-Biometric systems are used for identification (e.g., facial recognition on social media) and authentication (e.g., fingerprint to access a mobile device)
What are location-based services (LBS) and their sources of location data?
-LBS utilise information about location to deliver various applications and services, including social networking, gaming, entertainment, advertising, marketing, navigation, commerce, payment, tracking goods and people, security, and emergency response services.
-The main sources of location data are satellite networks (e.g., GPS), mobile networks (e.g., Cell ID), wireless technologies (e.g., Bluetooth, Wi-Fi, NFC, RFID), and chip cards (e.g., payment cards, access cards)
What are the requirements for contact tracing apps during the COVID-19 pandemic?
-The EDPB published guidelines on contact tracing apps, summarised as follows:
- Use of contact tracing apps should be strictly voluntary, and the apps should stop collecting information once it is no longer necessary for controlling the pandemic.
- Contact tracing must be technically done in a manner that does not utilise location data, merely proximities with other devices.
- DPIAs must be conducted prior to the deployment of such apps