Chapter 3B: Surveillance activities Flashcards
What does Article 23 GDPR say about legal surveillance?
Permits EU or member state law to restrict rights granted - surveillance must respect the essence of fundamental rights and freedoms and be necessary and proportionate measure in democratic society.
What is surveillance?
Observation of an individual or group of individuals - may be covert or carried out openly, conducted in real time or by access to stored materials
Examples of electronic surveillance
Social network analysis, data mining, profiling, aerial surveillance, satellite imaging, telecomms surveillance, CCTV, biometrics, geolocation tech
Public surveillance must be conducted in a manner to respect individual rights enshrined in…
The Charter of Fundamental rights, specifically the right to a private and family life (active 7) and protection of personal data (Article8)
What does the LEDP Directive say about public surveillance?
(Recital 66) Although the processing of personal data must be lawful, fair and transparent, this should not prevent law enforcement authorities from carrying out activities (e.g., covert investigations and video surveillance) to:
• Prevent, investigate, detect and prosecute criminal
offences
• Safeguard against and prevent threats to public
security (key requirements: lawfulness, necessity,
proportionality and regard for legitimate
interests of the natural person)
Laws that fail to appropriately take into account the rights and freedoms of data subjects re: surveillance may…
Be struck down by the CJEU.
Surveillance by private entities must…
Be based on legitimate purposes
In addition to the GDPR, national laws may concern confidentiality, privacy, data protection and other civil rights such as employment law
What is communications data made up of?
Content data and metadata
What is ‘content data’ re communications data?
The content of a communication (actual messages, attachments).
This is protected by a right to freedom of expression, recognised by laws around the world.
What is ‘metadata’?
Data about data - information generated or processed as a consequence of a communication’s transmission
It fails to provide context to content and falls within the GDPR’s definition of personal data because it can be used to identify someone
Examples of meta data…
Traffic data (for telephone calls)
Location data, cell ID, device location, time of call
The ePrivacy directive covers what comms data?
Location data
Content data
(must not be disclosed unless there’s consent from all users - member states can introduce some exemptions for limited purposes)
Traffic data
What are the requirements for collecting location data under ePrivacy Directive?
For collection of individuals’ precise location-based data, opt-in consent is generally required (with the exception of carriers who need the data to provide the service)
What are the requirements for surveillance of content data under ePrivacy Directive?
The confidentiality of the content of communications must be ensured and cannot be intercepted or disclosed to third parties unless there is consent from all
users
Member states can introduce some exemptions if
necessary for very limited purposes
What are the requirements for surveillance of traffic data under ePrivacy Directive?
Access to traffic data is limited
Telecommunications carriers can process traffic data for the purpose of conveying communications and possibly for some limited marketing activities with the user’s consent