Surveillance for commercial purposes in physical space - how does the GDPR protect the individual's right to privacy? - Master's Thesis LL.M. Law ...

Surveillance for commercial purposes in physical space – how does the
            GDPR protect the individual’s right to privacy?

                   Master’s Thesis LL.M. Law and Technology
                                   Sofia Pensar

               Master’s Thesis LL.M. Law and Technology 2016-2017
                                 Author: Sofia Pensar
                                     ANR: U437777
                                  Tilburg Law School
               Tilburg Institute of Law, Technology and Society (TILT)

                      Supervisor: PhD researcher Maša Galic
                         Second reader: Dr. Linnet Taylor

                                    13 July 2017

1. INTRODUCTION
1.1 BACKGROUND
1.2 CENTRAL RESEARCH QUESTION AND SUB-QUESTIONS
1.3 LIMITATIONS
1.4 SIGNIFICANCE
1.5 METHODOLOGY
1.6 OVERVIEW OF CHAPTERS

2. DIFFERENT TRACKING METHODS
2.1 INTRODUCTION
2.2 MOBILE DEVICE TRACKING
2.2.1 WI-FI TRACKING
2.2.2 BLUETOOTH TRACKING
2.2.3 USE OF THE COLLECTED DATA
2.3 BEACONS
2.3.1 USE OF THE COLLECTED DATA
2.4 INTELLIGENT VIDEO ANALYTICS
2.4.1 HOW IS THE COLLECTED DATA USED?
2.4 CONCLUSION

3. THE CONCEPTS OF PRIVACY AND DATA PROTECTION
3.1 INTRODUCTION
3.2. PRIVACY AND DATA PROTECTION – SIDE BY SIDE
3.3 PRIVACY – THE COMPLEXITY
3.3.1 THE INDIVIDUAL AND THE COLLECTIVE
3.3.2 TWO DIFFERENT UNDERSTANDINGS OF PRIVACY
3.3.3 EIGHT DIFFERENT TYPES OF PRIVACY
3.3.4 LEGAL FRAMEWORK
3.4 DATA PROTECTION
3.4.1 CONVENTION 108
3.4.2 GENERAL DATA PROTECTION REGULATION
3.5 PRIVACY AND DATA PROTECTION IN RELATION TO THE PRIVATE SECTOR
3.6 CONCLUSION

4. TRACKING PEOPLE FOR COMMERCIAL PURPOSES IN PHYSICAL SPACE IN LIGHT OF THE GENERAL DATA PROTECTION REGULATION
4.1 INTRODUCTION
4.2 PRINCIPLES IN THE GDPR RELATING TO PROCESSING OF PERSONAL DATA
4.2.1 TRANSPARENCY
4.2.2 PURPOSE LIMITATION
4.2.3. DATA MINIMISATION AND STORAGE LIMITATION
4.2.4 INTEGRITY AND CONFIDENTIALITY
4.2.5 ACCOUNTABILITY
4.3 LAWFULNESS OF PROCESSING
4.3.1 CONSENT
4.3.2 LEGITIMATE INTEREST OF THE DATA CONTROLLER
4.4 GDPR APPLIED TO THE TRACKING TECHNOLOGIES
4.4.1 MOBILE DEVICE TRACKING
4.4.2 BEACONS
4.4.3 VIDEO CONTENT ANALYTICS

5. DISCUSSION AND CONCLUSION

TABLE OF LEGISLATION

BIBLIOGRAPHY

1. Introduction

    1.1 Background

Surveillance technologies have been used for different aspects of security and law enforcement
purposes for several decades, from preventing shoplifting and physical assaults to tracking
suspected terrorists. This is a part of modern society that citizens have become aware of and used
to, and which has been scrutinised and analysed over a long period of time. Similarly, in the online
environment, there is increasing awareness that internet users are being tracked, in this area mostly
by private parties for commercial purposes. However, there seems to be a somewhat weaker
societal awareness of the corresponding methods that are increasingly being used for consumer
behaviour tracking and other commercial purposes in the physical environment. Some years ago, in
2012, mannequins with built-in facial recognition software with capabilities of analysing age, sex,
race and dwelling time of customers so that companies could use these data for targeted marketing
strategies stirred quite some attention in the media.1 A lot of commentators found the mannequins
“creepy” or “privacy intruding”, and discussed that people experienced this as particularly
uncomfortable because they were being monitored by a ‘quasi-human’ with cameras installed in
their eyes.2 In fact, the same kind of data (and considerably more of such data) on persons that these
particular mannequins were processing, is being collected constantly by private parties in the
physical environment for the same kind of reasons, but done in less distinguishable and visible
ways. Methods applied range from CCTV and sound sensors, often combined with content analytics
and facial recognition, to various forms of mobile device tracking (e.g. via GPS). Another example
of surveillance technology also used for commercial purposes is the camera drone. So, whether we
are browsing the internet or browsing our local mall, our behaviour is (often) being tracked. In a
European context, the forthcoming General Data Protection Regulation3 (hereafter, GDPR) will be

1
  Liat Clark, ‘Mannequins Are Spying On Shoppers For Market Analysis’ (WIRED UK, 23 Nov 2012)
http://www.wired.co.uk/article/mannequin-spies-on-customers accessed 1 Dec 2016.
2
  Kashmir Hill, ‘Why Do Mannequins That Spy On Us Creep Us Out?’ (Forbes, 28 Nov 2012)
http://www.forbes.com/sites/kashmirhill/2012/11/28/why-do-mannequins-that-spy-on-us-creep-us-out/#ad713d0386f6
accessed 1 December 2016.
3
  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC.
the principal instrument that commercial actors need to comply with when processing personal data,
and consequently of principal interest for questions related to surveillance for commercial purposes.

1.2 Central research question and sub-questions

The objective of this thesis is to provide an account of the practices of surveillance for commercial
purposes in the physical environment, and of the legal grounds and problems thereof. Given the
background provided above, the central research question can be formulated as:

In view of expanding surveillance of people’s behaviour for commercial purposes in physical
space, how well does the forthcoming EU General Data Protection Regulation protect the
individual’s right to privacy?

To facilitate the answer to this question, the thesis will deal with the following sub-questions:
    -   How does consumer tracking in the physical space work? What methods are used and what
        are the results of the surveillance – i.e. how is the collected data used?

The technologies that are analysed are limited to three: the tracking of mobile devices through their
Wi-Fi and Bluetooth capabilities, the use of beacons, and intelligent video content analytics, or
VCA. This is done while acknowledging that other technologies for the same basic purposes of
course also exist, and more are likely to be developed. This is however not the main focus of this
thesis; rather, these questions strive to provide a somewhat general background, showing that these
technologies are in fact used today and are thus at least part of what the legislator currently needs
to take into account.

The second set of sub-questions is:

    -   What do the notions privacy and data protection entail? What are the similarities and
        differences between them?

This section is included to provide a more comprehensive basis for understanding the context and
challenges of the upcoming GDPR. As these concepts are incredibly complex, it should be
emphasized that this constitutes just a small scratching of the surface of these notions. As such, this
constitutes quite a theoretical and abstract part of this paper.

The last substantive chapter shifts the focus to zoom in on the GDPR. It does this through using the
following set of sub-questions:
    -   How does the General Data Protection Regulation deal with the tracking of people in
        physical space?
    -   How well does the GDPR safeguard the interests protected by privacy and data protection
        when it comes to surveillance for commercial purposes in physical space?

1.3 Limitations

The thesis will only examine and analyse surveillance for commercial purposes in the physical
setting. This means that the practices of surveillance and tracking in the online environment when a
person is using her computer in her home (or other protected places) will fall outside the scope of
this analysis. Further, the thesis will not discuss the differences between private and public space.
The territorial scope of the analysis is the European Union, not particular member states, unless
where necessary for exemplifying reasons. Furthermore, the thesis will not extend to surveillance
for other purposes than commercial, even if examples from this area can be used for clarification or
comparison purposes.

1.4 Significance

As the practices and methods of surveillance become more refined and consequently have a
greater impact on individuals, the need for legal evaluation will grow. While there is
already legal research dealing with this particular topic, research from the perspective of the
forthcoming European GDPR is nonetheless due and important. Both the
introduction of the GDPR and increasing surveillance for commercial purposes are factors that are
likely to impact the lives of European citizens in significant ways in the near future, so addressing
this combination is of special interest. Another aspect is that when methods that were formerly
used for reasons of security and crime prevention are used for financial gain, the boundaries of
legitimate purpose for processing personal data might become modified. An example is facial
recognition software, which by its nature processes sensitive data and is considered to be very
privacy intruding. When this is used by law enforcement for purposes of preventing, investigating,
detecting or prosecuting criminal offences, the balancing act can in many cases (although admittedly
not always) be seen as quite straightforward. But when such a privacy infringement is done not in the
name of the law, but in the name of “serving customers better”, the balancing act will be of a
completely different nature. Furthermore, this thesis can also be viewed as a contribution to a larger
perspective on the increasing power of private actors over individuals. Surveillance performed by
the state is, and rightfully so, subject to a lot of scrutiny and debate. In the context of private
surveillance practices, the possibilities for similar examinations are small and the control
mechanisms few and far between. Therefore, it can be of use to pay extra attention to private actors
employing methods of surveillance.

1.5 Methodology

In this thesis, I will employ the traditional legal method. Accordingly, my sources will be existing
legislation, literature and case law. As stated in the research question itself, the key focus will be on
the forthcoming Regulation. Therefore, materials analysing this instrument will be duly employed.
Since a comparison with the current Data Protection Directive is made, literature relating to this is
also used. For the parts that will deal with the legitimacy of the commercial purpose surveillance
practices, legislation, doctrine and case law from both the Court of Justice of the European Union
and the European Court of Human Rights will be used. When describing the different methods for
commercial surveillance also other types of academic literature on the matter at hand will be used,
which will be complemented by journalistic pieces with accounts from practice.

1.6 Overview of chapters

The thesis is structured in five chapters, including the introduction and conclusion chapters. The
second chapter describes the various methods employed to track people in physical space. Further,
it examines the purposes that the collected data serves with special focus on the practices of
profiling and the possible consequences related to discriminative measures. The third chapter
presents the concepts of privacy and data protection from a theoretical perspective, but looks also at
the existing European legislation relating to these concepts. This section will also be looking more
closely into these concepts in relation to the private sector. The fourth chapter then brings together
the technologies presented in the second chapter with the upcoming GDPR and tries to analyse this
combination from a perspective primarily focused on the individual’s right to privacy. After this
follows a short conclusion.

2. Different tracking methods

2.1 Introduction

Before any legal analysis can be made of a certain occurrence, it might first be necessary to examine
more closely the functioning and facts of the occurrence itself. Accordingly, this chapter presents
some of the technologies that are used for profit-enhancing surveillance in physical space. It thus
deals with the first sub-questions presented in the introduction chapter, namely: How does consumer
tracking in the physical space work? What methods are used and what are the results of the
surveillance – i.e. how is the collected data used? For the purposes of this paper, the focus is primarily
on three of these technologies, firstly, the tracking of mobile devices through their Wi-Fi and
Bluetooth capabilities, secondly, the use of beacons and, finally, video content analytics. Focussing
on these methods is done whilst acknowledging that there obviously are also other types of
technologies and methods that are used for the same purposes. Considering the interest commercial
actors have in acquiring customer data, the further development of new mechanisms to cater for such
surveillance is expected. The reasons for choosing these three technologies are that their usage is
already globally wide-spread and arguably that their use can be especially problematic from a data
protection perspective.

2.2 Mobile device tracking

The number of smartphone users worldwide is forecast to reach 2.32 billion in 2017, and increase in
the following years.4 This very fact has naturally revolutionized the way people can be tracked in
physical space, and according to ABI Research, some 200,000 shops world-wide now have systems
to track smartphones.5

4
  Statista, The Statistics Portal, ‘Number of smartphone users worldwide from 2014 to 2020’,
https://www.statista.com/statistics/330695/number-of-smartphone-users-worldwide/ accessed 5 Jan 2017.
5
  ABI Research, ‘Wearables, Usables and Expandables’,
https://www.abiresearch.com/market-research/practice/wearables-devices/ accessed 5 Jan 2017.
2.2.1 Wi-Fi tracking

One way to track a certain device (or in practice, its user) is to use the Wi-Fi6 capabilities that
virtually all smartphones have.7 A mobile device with Wi-Fi activated will continuously search for
nearby Wi-Fi zones, which have a specific range, usually 50 to 100 metres from the access point.8
Only within this range are the device and base station able to communicate with each other. When
searching, the network interface controller (NIC) of the device actively broadcasts so-called probe
message transmissions, or probe requests.9 These probe requests contain a unique identifier, namely
the media access control (MAC) address of the device, which distinguishes the device on the
network so that data packets can be routed to and from the correct device.10 The first part of the
MAC address identifies the organisation that issued the NIC, often revealing information about the
device manufacturer or the type of device that carries the MAC address.11 The MAC address is
assigned to a device when it is manufactured and usually12 cannot be changed, therefore rendering it
a permanent identifier of the device.13 Tracking a device is then possible if an actor installs a
set of Wi-Fi access points or frequency scanners and collects the MAC address of any device within
range. Since the MAC address, as stated above, generally cannot be changed, observing a specific
MAC address again indicates the return of that particular device, and consequently this can allow
tracing of a particular person. Additionally, collecting information about the number of MAC
addresses within a given area can give a rather accurate estimation of the number of people present
in a certain location and of their movement patterns.14 A common element of using public Wi-Fi
is the requirement that users provide directly identifying information, for example an email
address, to gain access to the network. This information can then be combined with the MAC
address of the device. It should be noted however, that such a straightforward action is not

6
  Wi-Fi is a wireless local area network (LAN) protocol that allows devices to communicate without cords or cables.
See also http://www.wi-fi.org/who-we-are .
7
  See also A.B.M. Musa, Jakob Eriksson, ‘Tracking Unmodified Smartphones Using Wi-Fi Monitors’, SenSys, 281-
294, ACM 2012, .
8
  Datatilsynet (The Norwegian Data Protection Authority), Tracking in Public Spaces (Report, June 2016) p. 5.
9
  International Working Group on Data Protection in Telecommunications, Working Paper on Location Tracking from
Communications of Mobile Devices (October 2015) p. 2.
10
   Ibid, and Vanhoef, et al, Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery
Mechanisms, available at: http://papers.mathyvanhoef.com/asiaccs2016.pdf.
11
   See note 9, above.
12
   It should be noted however, that this could be modified or spoofed using software. See ICO, Wi-Fi Location Analytics
(Guide, February 2016) at p. 3.
13
   Data Protection Commissioner (Ireland), Guidance Note for Data Controllers on Location Data,
 accessed 10
January 2017.
14
   See note 8, above.
necessary for the collection of personal data to occur.15 A study of five shopping malls in the US
undertaken in 2014 found that 62 % of shoppers left Wi-Fi active on their phones, resulting in
digital footprints wherever they went.16 While many actors do offer free Wi-Fi as a benefit or other
incentive to their customers, the shoppers did not have to connect to the Wi-Fi for the digital
footprints to appear and the location data to register. In the study, only around 3 % of the shoppers
actually connected to the Wi-Fi. Mobile devices automatically detect the presence of access
points.17

2.2.2 Bluetooth tracking

Bluetooth® is a wireless communication protocol that connects devices, for example to a phone or a
computer, using radio waves instead of wires or cables. Communication between Bluetooth devices
happens over short-range, ad hoc networks. When such a network is established, one device will act
as a master device while all other devices will act as slaves.18 Simply disabling Wi-Fi connectivity
will therefore not mean that the device cannot be tracked, as Bluetooth (and cellular phone
standards) also involve the broadcasting of active signals containing unique identifiers.19 The
Bluetooth capabilities can be switched on by default or because of the individual’s own choice (e.g.
to enable hands-free voice calls or using wireless headphones). A mobile device that has Bluetooth
activated sends out a unique signal, a Bluetooth MAC address. Similarly to Wi-Fi tracking,
Bluetooth tracking involves registering and saving these Bluetooth MAC addresses emitted by
mobile devices in order to track the users’ movements. An advantage of Bluetooth tracking
compared to Wi-Fi tracking is that because of the shorter range, Bluetooth technology can provide
more accurate data on the user’s location within a limited area.20

2.2.3 Use of the collected data

Actors that use Wi-Fi tracking are interested in collecting the positional data, i.e. where the device
(and consequently, its owner) is, and to use this data to count, analyse and compare information on
users’ movements for different purposes. From the Wi-Fi access data gathered for example in a

15
   Tracking in Public Spaces, (note 8), p.5.
16
   Subramanian Gopalaratnam, ‘In-store Analytics: Tracking Real-World Customers Just Like Online Shoppers’ (Tech
Radar, 27 February 2015)
http://www.techradar.com/news/world-of-tech/future-tech/in-store-analytics-tracking-real-world-customers-just-like-online-shoppers-1286293 accessed 10 January 2017.
17
   Article 29 Working Party, Opinion 13/2011 on Geolocation services on smart mobile devices, p. 6.
18
   Official webpage of Bluetooth®, ‘How it Works’, available at:
https://www.bluetooth.com/what-is-bluetooth-technology/how-it-works
19
   Working Paper on Location Tracking (note 9), p. 2.
20
   Tracking in Public Spaces, (note 8), p.4.
shopping centre, the movement of shoppers can be mapped. From a retailer’s perspective, this is
very useful information, providing retailers with insight into how the decisions they have made are
received amongst their customers. This can range from more ‘basic’ knowledge of the ‘hot’ and ‘cold’
zones type, for example which categories of goods are often purchased together, which can be used
to better organise the store.21 However, through more sophisticated and advanced
technology even more detailed analyses can be made. An example of an actor doing more detailed
analyses is Finnish company Walkbase, which has a platform that provides real-time analytics on
customers’ habits with the goal of reaching the same level of personalisation in-store as online.22
This company is an example of an emerging group of actors that provide location tracking services
and analytics. Research performed by a market-research firm estimates that the market for tracking
phones indoors could grow five-fold worldwide between 2016 and 2021, to a total of 23 billion US
dollars.23 This kind of tracking does not only exist in the traditional shopping environment, it is also
used in other business premises such as railway stations and airports. As an example, Wi-Fi
tracking can be used to estimate the waiting time to pass through security, by positioning a number
of Wi-Fi access points before and after the security counters. In this way, the times at which
individuals pass each of these points are combined to calculate the time it has taken for the device
(the individual) to move between them, resulting in a fairly accurate indication of average transit
time through security. This information can then be conveyed to other airport visitors on frequently
updated information screens.24 Notable examples are Schiphol Airport in Amsterdam,
Barcelona/Madrid airports and New York JFK.25 As previously explained, most individuals are
tracked even if they are not actively using the Wi-Fi of the business premises in question. However,
it should also be noted that from those that do choose to log on to the Wi-Fi, an even greater amount
of data can be gathered. Actors may offer free Wi-Fi, which naturally comes with terms of service
that the vast majority of users do not care to read. These terms of service will typically allow stores
to see the individual’s online search history as well as track their location.26
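
The following added illustration (not part of the thesis) works through the mechanisms described in sections 2.2.1 and 2.2.3: it splits a MAC address into its organisation prefix and device part, checks the bit that marks a software-assigned (locally administered) address, and links sightings at two sensors into a checkpoint transit time. The sensor names, timestamps and MAC addresses are constructed sample data, and the function names are hypothetical.

```python
"""Added example: what a collected MAC address reveals and links (constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sightings: (sensor, ISO timestamp, source MAC of a probe request).
# "before" and "after" are hypothetical sensors on either side of a checkpoint.
SIGHTINGS = [
    ("before", "2017-01-10T09:00:00", "00:11:22:AA:BB:01"),
    ("after",  "2017-01-10T09:12:00", "00:11:22:AA:BB:01"),
    ("before", "2017-01-10T09:01:30", "00:11:22:AA:BB:02"),
    ("before", "2017-01-10T09:02:00", "00:11:22:AA:BB:02"),  # repeated probe
    ("after",  "2017-01-10T09:09:30", "00:11:22:AA:BB:02"),
    # One phone that presents a fresh software-assigned address on each scan:
    ("before", "2017-01-10T09:03:00", "DA:A1:19:00:00:01"),
    ("after",  "2017-01-10T09:15:00", "5E:0C:7F:00:00:02"),
    ("before", "2017-01-10T09:05:00", "00:11:22:AA:BB:03"),  # never seen at "after"
]


def parse_mac(mac):
    """Split a 48-bit MAC address into the parts discussed in section 2.2.1."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = octets[0]
    return {
        # First three octets: prefix of the organisation that issued the NIC.
        "oui": octets[:3].hex(":").upper(),
        # Last three octets: the part that singles out the individual device.
        "device_part": octets[3:].hex(":").upper(),
        # Bit 0x02 of the first octet set: address assigned by software,
        # not by the manufacturer, so it is not a permanent identifier.
        "locally_administered": bool(first & 0x02),
        # Bit 0x01 set: group address, never a single device's own address.
        "multicast": bool(first & 0x01),
    }


def transit_times(sightings):
    """Seconds from first sighting at 'before' to first sighting at 'after', per MAC."""
    first_seen = defaultdict(dict)
    for sensor, stamp, mac in sightings:
        when = datetime.fromisoformat(stamp)
        key = mac.upper()
        previous = first_seen[key].get(sensor)
        if previous is None or when < previous:
            first_seen[key][sensor] = when
    linked = {}
    for mac, seen in first_seen.items():
        # Only an address observed at both sensors can be linked into a journey.
        if "before" in seen and "after" in seen and seen["after"] > seen["before"]:
            linked[mac] = (seen["after"] - seen["before"]).total_seconds()
    return linked


def summary(sightings):
    """Aggregate view an operator of the two sensors would obtain."""
    macs = {mac.upper() for _, _, mac in sightings}
    times = transit_times(sightings)
    return {
        # Counting addresses overstates the crowd when addresses change:
        # four phones in the sample data appear as five addresses.
        "distinct_addresses": len(macs),
        "locally_administered": sorted(
            m for m in macs if parse_mac(m)["locally_administered"]
        ),
        "linked_devices": len(times),
        "mean_transit_seconds": mean(times.values()) if times else None,
    }


if __name__ == "__main__":
    print(parse_mac("00:11:22:AA:BB:01"))
    for key, value in summary(SIGHTINGS).items():
        print(f"{key}: {value}")
```

Only the two devices that keep one manufacturer-assigned address are linked across the checkpoint; the phone that changes its address shows up as two unrelated addresses and contributes no transit time.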

21
   The Economist, ‘A new industry has sprung up selling “indoor-location” services to retailers’, (24 December 2016)
 accessed 10 January 2017.
22
   See < http://www.walkbase.com/about-us>.
23
   See note 21, above.
24
   Tracking in Public Spaces, (note 8), p.5.
25
   Working Paper on Location Tracking (note 9), p. 2.
26
   See note 21, above.
2.3 Beacons

The beacon technology was first introduced by Apple in 2013, under the name iBeacon.27 Beacons
are small battery-powered devices consisting of a chip and other electronic components, that
transmit signals that can be picked up by nearby smart devices.28 However, an important
distinguishable element is that beacons function through employing mobile applications (apps).
Essentially, beacon technology allows mobile apps to understand their position on a micro-local
scale, and can thus enable delivery of hyper-contextual content to users based on location.29
Sometimes, beacons are interpreted as instruments of surveillance that are capable of tracking smart
device users’ movements without their knowledge, but this is evidently incorrect. Beacons do not
collect data themselves and cannot pinpoint smart devices’ positions.30 To exemplify, with iBeacon,
a device running iOS can alert apps when the user is approaching or leaving a location. Through this,
apps can know when the device is close to an iBeacon, for example the checkout counter in a retail
store.31 It should be noted that there are also actors besides Apple who provide beacon technology,
and on a basic level all beacon technologies function the same way. The beacons emit an ID that is
unique to them. When this ID is read by an application, this can trigger an action, such as the
delivery of a message or advertisement to the user of the app. In this way, it is possible for the actor
responsible for the app to identify which beacons the user has been close to, as well as the distance
and the time, and this without the awareness of the user. The signals that beacons employ are
transmitted through Bluetooth technology, and the beacon can have a coverage area of up to 70
metres. A beacon thus can help an app determine how far away a smart device is within its coverage
area. Theoretically, merely an app belonging to the company that installed the beacons can read the
signals that the beacons transmit, however, in practice also other applications and operating systems
can pick up and read the signals.32 Sometimes, beacons are interpreted as instruments of
surveillance that are capable of tracking smart device users’ movements without their knowledge,
but as shown this is incorrect. As such, beacons differ significantly from the location tracking
methods presented in the previous section.

27
   H.O. Maycotte, ‘Beacon Technology: The Where, What, Who, How and Why’ (Forbes, 1 September 2015)
 accessed 10 January 2017.
28
   Sterling et al., Understanding Beacons – A Guide to Beacon Technologies, Future of Privacy Forum, December
2014, p. 2 ff.
29
   See < http://www.ibeacon.com/what-is-ibeacon-a-guide-to-beacons/>.
30
   See note 28, above.
31
   See .
32
   Tracking in Public Spaces, (note 8), p.9 f.
2.3.1 Use of the collected data

Beacons are principally used by the retail industry, but also at other venues, such as entertainment
venues, sports arenas and conferences, as well as with advertising screens and by real estate
companies. As mentioned above, actors that have beacons in place can detect where a smart device
user is at any given moment, and then use this information to send timely push messages, to promote
products or provide other useful information. Indeed, the beacons can also be used without any push
notifications to map and record customers’ visits and movements in stores or shopping malls,
provided the customer has downloaded the corresponding app. It is the corresponding app that
determines what the beacon signals are used for, and thus this takes place with the permission of the
smart device owner.

2.4 Intelligent video analytics

Having presented the wide-spread concept of mobile device tracking, it is apparent that this model
already has a large impact on how surveillance in physical space is working. Nevertheless, the
development of intelligent video analytics adds a further element to the concept of surveillance for
commercial purposes. Through the use of intelligent video analytics, content from e.g. surveillance
cameras can be automatically analysed.33 The technology can for example provide information on
what kind of objects there are in the footage, alert the system based on where and how the objects
are moving and recognise faces. The technology of intelligent video analytics is built on algorithms
that rapidly interpret changes from one picture to the next. Intelligent video analytics has meant that
the need for humans to look through the recorded material has diminished. The location of the
software depends on the type of functionality the system is meant to have. For less complex
functions, such as people counting, the analytics software can be incorporated into the cameras
themselves, whereas more complicated functions usually reside on the user’s server. This works so
that images from the cameras are sent to the server, where they are processed by the analytics
software and subsequently
presented as part of a video management system. Generally this means that the user interface allows
the controlling of cameras, real-time viewing of images, reviewing of earlier footage and then
presenting the results of integrated analytics programs.34

33
  See Xiang Shaogang Gong, Video Analytics for Business Intelligence (Springer, 2012).
34
  Anthony Hildebrand, ‘Analysis: Retail CCTV – from surveillance to shopper analysis’, (Retail Week, 20 December
2012).
2.4.1 How is the collected data used?

Within law enforcement and security sectors, the reasons for and advantages of using intelligent
video analytics are obvious. For retailers, the uses of this technology are perhaps not initially as
obvious, but they are in fact many and important. On a basic level, the technology can help with counting the
customers in a store at a certain time, as well as with queue management. The video
analytics software can then raise a real-time alert when queues exceed predefined thresholds.
Some more advanced analytics can even combine this with ‘footfall data’ of
people entering the store and then alert the staff proactively before long queues start to form.
Then, there is the possibility to capture and analyse demographics, such as age and gender,
something that is very valuable for retailers as they can then see and structure the buying patterns
and shopping habits of different demographic groups. This is done through integrating network
cameras with facial recognition analytics. The analytics software will perform an evaluation to
establish if the biometric data of an individual belongs to a group with some predefined
characteristic. Through this biometric categorisation of an individual a specific action can be
decided, such as showing different kinds of advertising to target the individual looking at the display,
based on age or gender.35 By combining this with images with a greater focus, the
reactions and emotions of shoppers can also be known. An additional area of use for facial recognition
technology in the retail field is the possibility to distinguish unique visitors. The goal will thus not
be to identify any specific individuals, but to provide data on the number of unique visitors to the
store, for example to provide information on the success of a certain advertising campaign.36

2.4 Conclusion

The rapidly developing technologies deployed for tracking individuals for commercial purposes are
already capable of performing very precise evaluations. From a business point of view, this is
indeed an incredibly valuable development. Advocates of these technologies call for a shift in
mindset, where individual consumers should not regard themselves as being watched by Big
Brother, but instead see the advantages and benefits of getting a more tailor-made ‘customer
experience’.37 An analysis of this will be done in the subsequent parts of this thesis.

35 Working Party 29 (WP203), Opinion 03/2013, p. 6.
36 Gopalaratnam (note 16).
37 Ibid.
3. The concepts of privacy and data protection

3.1 Introduction

In the previous chapter, some different methods of tracking of people’s behaviour in physical space
for commercial purposes were presented. As the research question suggests, the primary focus is
how well the forthcoming General Data Protection Regulation will protect the individual’s right to
privacy in the context of the use of such methods. However, before shifting the focus to this legal
instrument, this chapter will metaphorically take a step back in order to see the bigger picture and
thus place the GDPR in a bigger context. As the GDPR is an instrument of the legal regime of data
protection, providing an explanation of data protection and its background will obviously be of vital
importance for this bigger picture. Similarly essential for the bigger picture here is the concept of
privacy. It should already be noted that privacy has a reputation of being “notoriously difficult to
describe”. This has repeatedly been concluded by a vast array of scholars and has also become
something that is included in nearly every introduction of any paper covering the notion of privacy.
As the aim of this paper however is not to further elaborate upon the notions of data protection or
privacy, but rather how the GDPR safeguards the interests protected by privacy and data protection
in relation to surveillance for commercial purposes in physical space, this consequently means that
the presentations of these concepts and their internal relationship will not be particularly detailed or
deep. Bearing this in mind, the sub-questions of this chapter are the following:

What do the notions privacy and data protection entail? What are the similarities and differences
between them?

Answering these questions will encompass quite a theoretical approach with the presentation of
these concepts and the legal frameworks that accompany them. After first presenting the two
concepts side by side, the focus is shifted first to privacy and its legal framework. Subsequently,
data protection and its legal framework, including the focal point of this paper, the GDPR, is
presented.

3.2 Privacy and data protection – side by side

As much as there is a wide range of differences between privacy and data protection, it should also
be pointed out that they are societal concepts that share the same core.38 This core is the idea of the
autonomy, dignity and value of every single human being.39 Consequently, the right to respect for
private life and the right to the protection of one’s personal data are different expressions that
acknowledge this core. An analysis that pinpoints some of the inherently different aspects of
privacy and data protection is made by Gutwirth and de Hert, who use the concepts of opacity and
transparency for this purpose.40 Following this scheme, privacy is considered as a tool of opacity in
the sense that it works as a shield against unwarranted insight. On the other hand, data protection
works as a tool of transparency, in that it provides legislation with a focus on safeguarding
individuals from the abuse of data processing. Related to the notion of opacity is, for example, the
idea of the sanctity of the home (“my home is my castle”).41 Of course, there are exceptions to the
sanctity of the home, such as the right for law enforcement authorities to enter one’s home in case
of suspected criminal activity, but in most (i.e. democratic) legal systems these exceptions are
subject to strict regulations. Another aspect of the notion of opacity is related to the idea that
individuals who know they are being watched will behave in a way that is different from the way they
would behave if they knew no one was watching (or if they were not aware of the fact that they
are being watched).42 This does not necessarily mean that people would engage in illegal activities,
if there was no one watching, but rather the knowledge that no one is watching provides humans
with a relief from stress and can be the foundation of fostering creativity or creating new ideas.
These actors are both governments and authorities as well as private actors, like businesses. As the
world is becoming increasingly more complex through the development of various new
technologies, the number of private actors that process personal data also increases. One reason why
data protection was developed was to stop the actors that process personal data from abusing their
power.43 The idea that power must be tamed is of course an old one, with the division of power in
the style of Montesquieu as a prominent example.44 This is especially topical today when slogans
such as “data is the new oil”45 and other expressions related to the rapidly evolving and increasing
use of data have become ubiquitous.

38 Peter Blume, ‘Data Protection and Privacy – Basic Concepts in a Changing World’, Scandinavian Studies in Law (Volume 56, 2010), p. 152.
39 Peter Hustinx, ‘EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation’ (2014), <https://edps.europa.eu/data-protection/our-work/publications/speeches-articles/eu-data-protection-law-review-directive_en> accessed 5 May 2017.
40 Paul De Hert, Serge Gutwirth, ‘Privacy, Data Protection and Law Enforcement. Opacity of the Individual and the Transparency of Power’, p. 61 ff. in Claes, Duff & Gutwirth (eds), Privacy and the criminal law (Intersentia nv, 2006).
41 Ibid, p. 6 f.
42 Ibid, in footnote 113.
43 Ibid, p. 15.
44 Ibid, p. 5.
45 An expression likely coined by UK mathematician Clive Humby in 2006. https://www.quora.com/Who-should-get-credit-for-the-quote-data-is-the-new-oil

3.3 Privacy – the complexity

The notion of privacy can be presented in a variety of ways, using a range of different
perspectives. It should be noted that privacy is an umbrella term that includes both the broader
concept concerning what privacy is and how it should be valued and additionally the narrower
concept of the right to privacy, which concerns the aspect of how privacy is or should be protected
legally.46 Accordingly, privacy as such can be approached not merely from the legal point of view,
but also from a range of different areas, such as from a sociological, ethical or philosophical
standpoint. In addition, even when approached from a strictly legal point of view, the right to
privacy will touch upon a variety of areas of law, such as private or tort law, constitutional law,
criminal law, and international or supranational law.47 Oftentimes it is defined in the academic
literature through comparing it with the concept of data protection and thereby showing what it is
and what it is not. Likewise, to define data protection it often makes sense to present it side by side
with privacy, as these concepts are intertwined and interlinked. This can be done by comparing
the different characteristics these concepts have, the different functions they fulfil or the different
rationales and backgrounds they have. Another way of approaching privacy is trying to find the
very core of this concept and see what the common denominators are for all kinds of privacy, such
as bodily, associational, spatial or informational (this is further discussed below in section 3.3.3).
However, and precisely because there are different kinds of privacy, it can also be approached
by focusing on what these different kinds of privacy are and what characterizes them. Not
only have the different kinds of privacy been the focus of attention in the literature; the
different understandings of this notion and corresponding terms such as private, public, etc. have
also been scrutinized. This overview of different approaches hopefully gives a hint of the complexity
involved in any attempt to define, explain or describe privacy. Given this complexity, there is
consequently a risk that the following sections might come off as merely shattered pieces of
information. Even so, I still find it useful to compile some of these different approaches to privacy,
and thus assemble fragments of explanations of this multi-dimensional theme.

46 Koops et al., A Typology of Privacy, University of Pennsylvania Journal of International Law 38(2): 483-575 (2017), at p. 491 f.
47 Ibid.
3.3.1 The individual and the collective

Starting on an abstract level, the right to privacy deals with situations related to either the physical
or the psychological environment of an individual person. Already this statement is not entirely
precise, as it leaves out the element of group privacy, which is also becoming increasingly
important in the age of big data.48 However, to simplify for the purposes of this short overview, the
focus is on the individual and the concept of privacy concerns the relationship between the
individual and the collective. The relationship between the individual and non-state actors will be
discussed later in this chapter. An essential foundation for the privacy of the individual is the idea
that the individual has some sort of autonomy, and thus is an independent being and not merely a
part of a community.49 Given this autonomy, the individual has a right to practise a certain degree
of control in relation to others, leading to restrictions on the community – e.g. it is not allowed to
trespass beyond the boundaries of the individual’s home, see discussion above in the introductory
part.50 Clearly, the notions of independence and control are of chief importance for the concept of
privacy. Another aspect directly related to this is the fact that privacy as such is a legal concept that
embodies individual freedom in its different shapes.51 Privacy functions as a guarantee for
individuals’ freedom of self-determination, their right (freedom) to be different and their freedom of
choice. It gives individuals the right to autonomy regarding their sexuality, health, personality
building, behaviour etcetera, and works as a guarantee for the uniqueness of each individual, and as a
safeguard of alternative behaviour and also resistance to power.52

3.3.2 Two different understandings of privacy

González Fuster sees two different understandings of privacy that touch upon different aspects.53
The first is the idea that privacy protects what is seen as private as opposed to what is public.
Regarding this, “public” should be seen in both its meaning as governmental authority (“the State”)
or society or community in general as well as in its meaning of things that are shared, common,
open and so on. The first meaning is consequently private as the opposite to official, whereas the
second meaning is private as the opposite to exposed or accessible. The second understanding of
privacy is related to what is private in the sense of what is individual or personal. This encompasses
the right for individuals to live as they choose, and not be controlled or alienated from society and/or
themselves. In classifying the meanings of privacy and private in this way, González Fuster intends
to show that these notions can be regarded as opposing what is public, but it does not always have
to be the case. It should be noted that González Fuster also holds that there will sometimes be an
overlap in the theoretical effects of these different understandings of privacy. An example of this is
the argumentation that for individuals to be truly able to live freely (in line with the second
understanding of privacy) they must be assured that some parts of their lives will remain
undisclosed (in line with the first understanding of privacy).

48 See Taylor, L. et al. (eds.) Group Privacy, (Springer 2017).
49 Blume (note 38) p. 153.
50 Ibid.
51 Gloria González Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU, (Springer 2014), p. 23.
52 Ibid.
53 Ibid, p. 22 ff.

3.3.3 Eight different types of privacy

Koops et al. have recently published an article that aims to provide a comprehensive model through
a systematic typology of privacy.54 The underlying idea of this article is to provide an analytical
tool and explanatory model to help understand privacy better. In this typology, eight different types
of privacy are presented, namely: bodily, intellectual, spatial, decisional, communicational,
associational, proprietary and behavioural privacy; and these are all overlapped by a ninth type,
informational privacy, which is related to the concept of personal data.55 This is done by using
perspectives of constitutional law and privacy literature of a number of different jurisdictions,
which is an approach not previously taken, as it has been commonplace to focus on merely one
particular jurisdiction (and this jurisdiction has often been the U.S.).

3.3.4 Legal framework

3.3.4.1 The ECHR

In the aftermath of the horrors of WWII the international community made various efforts to create
conditions for a more stable world with a common ground of respect for humanity. One such effort
was the adoption of the Universal Declaration of Human Rights (UDHR) by the United Nations
General Assembly in 1948. This declaration included in its Article 12 a statement that “(n)o one
shall be subject to arbitrary interference with his privacy, family, home or correspondence, nor to
attacks upon his honour and reputation.” Although this was the first time the concept of privacy
appeared in a document of international law, this was clearly not a formulation of great strength.56

54 Koops et al. (note 46).
55 Ibid, pp. 537, 543, 554.
56 Hustinx (note 39) p. 3.
Another post-war effort was the establishment of the Council of Europe (hereinafter CoE).
The stated aim of this international organisation is to uphold human rights, democracy and the rule of
law in Europe and promote European culture. While the CoE does not have the power to pass
binding legislation, it has the power to enforce certain international agreements reached by
European states. The crown jewel of these agreements is the European Convention on Human
Rights (hereinafter ECHR), which was drafted in 1950 and entered into force in 1953.57 The ECHR
is established to protect human rights and fundamental freedoms in Europe. All CoE members are
parties to the ECHR. The ECHR established the European Court of Human Rights (hereinafter
ECtHR), which is seated in Strasbourg and has as its prime function to enforce the ECHR. The
ECtHR hears applications alleging that a contracting state has breached one or more of the
provisions set forth in the ECHR and its protocols. Applications can be submitted by individuals, a
group of individuals, non-governmental organisations or one or more of the other contracting states.

The ECHR contains a provision on protection for privacy, namely Article 8. To a large extent, the
ECHR builds upon the UDHR, and Article 8 does partly mirror Article 12 of the UDHR, however
with a different terminology, using “private life” instead of “privacy”, and also leaving out honour
and reputation.58 This Article is named “Right to respect for private and family life” and consists of
two sections: the general rule and the conditions for exception to this rule. The general rule is
formulated like this: “Everyone has the right to respect for his private and family life, his home and
his correspondence.” This seemingly simple sentence constitutes the foundation for the concept of
privacy protection in Europe and has given rise to a vast amount of case law from the ECtHR. It
should however be noted that there are different types of human rights, some of absolute nature and
some that are not absolute. Indeed, the right to privacy is not an absolute right. This stems from the
fact that there can be situations and circumstances where the right to privacy does not prevail. These
situations are formulated in the second section of Article 8. Interference with the right to
privacy requires justification on the following grounds: it should be done in accordance
with the law, be necessary in a democratic society and pursue a legitimate aim. It should also be
noted that these requirements are cumulative, and thus all of them must be fulfilled in order for the
interference to be compliant with the Convention.

57 See <http://www.coe.int/en/web/human-rights-convention/>
58 González Fuster (note 51), p. 38.
3.3.4.2 The Charter of Fundamental Rights

For a long time after its establishment the European Union did not have any provisions in its
founding treaties that explicitly concerned human rights in general and the right to privacy in
particular. As the idea underlying the founding of the EU was to establish an internal market and
promote free trade within Europe this is naturally not unexpected. However, as the Union has
moved towards a more ubiquitous presence, it was not unexpected that a shot at a more
comprehensive constitutional document would be taken.59 The Treaty of Lisbon, which entered into
force in 2009, succeeded in taking a step towards a more constitutional approach through including
in its wording the Charter of Fundamental Rights of the European Union (hereinafter the Charter),
making this binding for all EU member states. While the action itself of including fundamental
human rights in the body of law governing a trade organisation can seem unorthodox, the actual
phrasing of the provisions and structure of the document do not have a particularly novel or ground-
breaking character. Rather, the Charter borrows a lot from the ECHR; however, with some
important modifications. The provision on privacy has a very similar phrasing to that of the ECHR:
‘Everyone has the right to respect for his or her private or family life, home and communications.’
In the Charter, this provision is placed in Article 7. The more interesting provision is found in
Article 8, which establishes the human right to data protection. In this way, data protection can be
seen as ‘elevated’ from a right subordinate to privacy, to a right of its own.60 It can be argued that
this is one of the most important novelties of the Charter. Article 8 of the Charter has three
subsections, with the first one being the general, simply stating that “Everyone has the right to the
protection of personal data concerning him or her.” The second subsection lays out the general
principles of data protection: that such data must be processed fairly, for specified purposes and on the basis
of consent or some other legitimate basis laid down by law. Furthermore, it states that everyone
has the right of access to data which has been collected concerning him or her, as well as the right
to have it rectified. These are principles that can all be found in the existing Data Protection
Directive, and indeed in the coming General Data Protection Regulation. The last subsection also
sets forth a provision included in EU data protection legislation, namely that compliance with these
rules shall be controlled by an independent authority. On a national level these are the Data
Protection Authorities (the DPAs), and on a Union level, experts from the national DPAs form the
Article 29 Working Party, which under the new Regulation will be renamed but remain in function,
as well as receiving additional powers.

59 Ibid, Chapter 5, p. 111 ff.
60 Ibid.

As with all EU law, the only instance that can bindingly interpret the legislation is the Court of
Justice of the European Union (hereinafter the CJEU), located in Luxemburg. Also before the
inclusion of the Charter in the Treaty of Lisbon, the Luxemburg Court decided on cases related to
privacy and data protection, so the case law has developed over a longer period. However,
during this time before the introduction of the Charter, these rights were developed more as general
principles closely associated with the ECHR system.61 It should be borne in mind that there exists no
obligation for this court to interpret the law in the same way. Even if all EU member states also are
members of the CoE and consequently the ECHR, the EU itself is not a party, as the CJEU in 2014
issued a negative opinion on the EU’s accession to the ECHR.62 Regardless of, or perhaps partly
because of the non-accession, the relationships between these institutions and these instruments are
inevitably somewhat intertwined, something that has been noted by and dealt with by several
scholars.63

3.4 Data protection

The following section about data protection does not offer the same kind of introduction as the
section on privacy did. The reason for this is that data protection as a concept, while in no way
uncomplicated, arguably can be easier to grasp. An understanding of data protection is easier to
establish, as it is more directly and observably linked to a specific legal regime. This regime, which
started to materialize around five decades ago,64 has been created with the purpose of solving one
particular problem – the impacts of modern technology on private life and personal integrity.65 The
new technologies and the new means of automatically dealing with data about individuals were what
gave rise to the new discipline of data protection. Already at the advent of the use of information
technology to process information relating to individuals, there was a common understanding that
such use could have a large impact on the rights and interests of individuals. However, it was also
clear from the outset that this concept was neither intended to hinder the processing of information
relating to individuals, nor to limit the use of information technology as such. Rather, the
underlying idea was to offer safeguards related to the use of information technology for the purpose
of processing information relating to individuals.66 But even though data protection as a concept
was originally derived from privacy, it has deviated from this path in many ways and does not
correspond to the legal interpretation of privacy.67 This is of course not unexpected, as the rules of
data protection have been made more specific and procedural (in relation to the right to privacy) in
light of the special regulatory purpose they have.68

61 Juliane Kokott, Christoph Sobotta, ‘The Distinction Between Privacy and Data Protection in the Jurisprudence of the CJEU and the ECtHR’, International Data Privacy Law (2013, Vol. 3, No. 4), p. 223.
62 Opinion 2/13 of the Court, 18 December 2014.
63 See e.g. De Hert, Gutwirth, ‘Data Protection in the Case Law of Strasbourg and Luxemburg: Constitutionalisation in Action’, in Gutwirth, et al. (Eds) Reinventing data protection? (Springer Science, 2009, 3-44) and Kokott, Sobotta, in note 61, above.
64 Hustinx (note 39) p. 1.
65 Blume, (note 38), p. 152 f.

As Hustinx states, “the concept of ‘data protection’ is broader than ‘privacy protection’ because it
also concerns other fundamental rights and freedoms, and all kinds of data regardless of their
relationship with privacy, and at the same time more limited because it merely concerns the
processing of personal information, with other aspects of privacy protection being disregarded.”
Accordingly, even though data protection as a concept initially does not seem as difficult to explain,
its relationship to privacy provides an added layer of complexity. Data protection was from the
outset focused on the rights and interests of individuals, and not primarily the information related to
those individuals.69 However, it is generally understood that data protection today serves also other
aims than merely the aim of protection of private information. The general interests in society
regarding the use of personal data are of course important, and increasingly so (see discussion
below). The quest for data protection rules is to facilitate the use of personal data in a societally
acceptable way.70 What is societally acceptable is in turn largely determined by the ethical ideas
related to privacy in general.71

3.4.1 Convention 108

It was in 1968 that the Parliamentary Assembly of the Council of Europe addressed a
recommendation to the Committee of Ministers, asking it “to examine whether the ECHR and the
domestic law of the member States offered adequate protection to the right of personal privacy vis-
à-vis modern science and technology”.72 Following this, the Committee of Ministers initiated a
study, which concluded that the existing national legislations indeed gave insufficient protection to
individual privacy and other rights and interests of individuals regarding automated data banks.
Particularly, it was found problematic that there was uncertainty regarding what was covered by
private life, that the emphasis was on protection against interference by public authorities and that
there was an absence of an approach that also handled the possible misuse of personal information
by actors in the private sector.73 Accordingly, the Committee of Ministers decided to adopt two
resolutions on data protection, in 1973 and 1974, of which the first one established data protection
principles for the private sector and the second established such principles for the public sector.74
Whereas this was the first initiative related to data protection on an international level, there was a
parallel development of this concept in the national legislations of for example Germany and
Sweden. After these first recommendations, the CoE proceeded to prepare a binding international
legal instrument in the same field. The original plan was that this should have been in the form of a
protocol to the ECHR; however, this plan was abandoned in favour of a separate convention.75 This
came to be the Data Protection Convention, also known as Convention 108,
which was adopted in Strasbourg in 1981. The purpose of Convention 108, as stated in its first
Article, is to secure in the territory of each Party for every individual, whatever his nationality or
residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with
regard to automatic processing of personal data relating to him. The definition of personal data as
set forth in Convention 108 is “any information relating to an identified or identifiable individual
(data subject)”. As opposed to other conventions by the CoE, this one is open for all states to sign,
not just CoE members. Currently, there are three states outside the CoE that have signed this
convention. Convention 108 also formed the basis for the European data protection directive
from 1995, and is explicitly mentioned in the recitals to the directive.76

66 Hustinx (note 39) p. 4.
67 Blume, (note 38) p. 153.
68 De Hert, Gutwirth (note 40), p. 16.
69 Hustinx, (note 39) p. 4.
70 Blume (note 38) p. 154.
71 Peter Blume, ‘Data Protection in the Private Sector’, Scandinavian Studies in Law, 2004, Vol 47 p. 297-318, p. 318.
72 Explanatory Report to Convention 108, para. 4.

3.4.2 General Data Protection Regulation

This legal instrument has gained a lot of attention for quite some time, and not without
justification. The first Commission proposal emerged already in 2012, as it was found that the DPD,
which had been the legal instrument used in the area of data protection within the EU since 1995,
needed an update to better handle the new challenges that rapidly evolving technology had
posed to data protection.77 In the recitals of the GDPR, the legislator highlights just this, for

73 Hustinx (note 39) p. 4.
74 Resolution (73) 22 and Resolution (74) 29.
75 Blume (note 38), see note 2 at p. 153.
76 See recital 11.
77 COM (2012) 11 final.