Chapter 3B: Surveillance activities Flashcards
What does Article 23 GDPR say about legal surveillance?
Permits EU or member state law to restrict rights granted - surveillance must respect the essence of fundamental rights and freedoms and be a necessary and proportionate measure in a democratic society.
What is surveillance?
Observation of an individual or group of individuals - may be covert or carried out openly, conducted in real time or by access to stored materials
Examples of electronic surveillance
Social network analysis, data mining, profiling, aerial surveillance, satellite imaging, telecomms surveillance, CCTV, biometrics, geolocation tech
Public surveillance must be conducted in a manner to respect individual rights enshrined in…
The Charter of Fundamental Rights, specifically the right to a private and family life (Article 7) and protection of personal data (Article 8)
What does the LEDP Directive say about public surveillance?
(Recital 66) Although the processing of personal data must be lawful, fair and transparent, this should not prevent law enforcement authorities from carrying out activities (e.g., covert investigations and video surveillance) to:
• Prevent, investigate, detect and prosecute criminal offences
• Safeguard against and prevent threats to public security (key requirements: lawfulness, necessity, proportionality and regard for legitimate interests of the natural person)
Laws that fail to appropriately take into account the rights and freedoms of data subjects re: surveillance may…
Be struck down by the CJEU.
Surveillance by private entities must…
Be based on legitimate purposes
In addition to the GDPR, national laws may concern confidentiality, privacy, data protection and other civil rights such as employment law
What is communications data made up of?
Content data and metadata
What is ‘content data’ re communications data?
The content of a communication (actual messages, attachments).
This is protected by a right to freedom of expression, recognised by laws around the world.
What is ‘metadata’?
Data about data - information generated or processed as a consequence of a communication’s transmission
It fails to provide context to content and falls within the GDPR’s definition of personal data because it can be used to identify someone
Examples of metadata…
Traffic data (for telephone calls)
Location data, cell ID, device location, time of call
The ePrivacy directive covers what comms data?
Location data
Content data
(must not be disclosed unless there’s consent from all users - member states can introduce some exemptions for limited purposes)
Traffic data
What are the requirements for collecting location data under ePrivacy Directive?
For collection of individuals’ precise location-based data, opt-in consent is generally required (with the exception of carriers who need the data to provide the service)
What are the requirements for surveillance of content data under ePrivacy Directive?
The confidentiality of the content of communications must be ensured and cannot be intercepted or disclosed to third parties unless there is consent from all users
Member states can introduce some exemptions if necessary for very limited purposes
What are the requirements for surveillance of traffic data under ePrivacy Directive?
Access to traffic data is limited
Telecommunications carriers can process traffic data for the purpose of conveying communications and possibly for some limited marketing activities with the user’s consent
ePrivacy rules do not apply to…
Private networks (e.g. corporate intranets)
There are still monitoring considerations.
For CCTV or other modes of video surveillance, the following should be considered…
Lawfulness of processing (prior to carrying out surveillance)
A DPIA is required if the surveillance could be high risk, involve systematic monitoring or publicly accessible area on a large scale
Prior checking (in some countries, CCTV triggers a requirement to notify the regulator / seek authorisation in some cases)
System should be proportionate to the purpose (e.g. remote control, sound recording, facial recognition may not be necessary)
Information provision - for overt video surveillance, controllers must comply with the transparency requirement of the GDPR where the controller may not have a direct relationship with the DSs (public spaces)
Individual rights - under the GDPR, rights such as access still apply
Measures to protect personal data of these individuals including staff training, CCTV policy, and regular compliance reviews
Location data is referred to as an identifier in the GDPR’s definition of personal data. True or false?
True.
If location data can be used alone or in combination with other information to identify someone, then it should be considered personal data.
Google has identified three main areas of location data that it uses to deliver its services:
- Implicit location information, such as search terms
- Internet traffic information, such as IP addresses
- Device-based location services, such as Google Maps