Surveillance for commercial purposes in physical space – how does the GDPR protect the individual’s right to privacy?
Master’s Thesis, LL.M. Law and Technology, 2016-2017
Author: Sofia Pensar (ANR: U437777)
Tilburg Law School, Tilburg Institute of Law, Technology and Society (TILT)
Supervisor: PhD researcher Maša Galic
Second reader: Dr. Linnet Taylor
13 July 2017
Table of contents

1. Introduction
1.1 Background
1.2 Central research question and sub-questions
1.3 Limitations
1.4 Significance
1.5 Methodology
1.6 Overview of chapters
2. Different tracking methods
2.1 Introduction
2.2 Mobile device tracking
2.2.1 Wi-Fi tracking
2.2.2 Bluetooth tracking
2.2.3 Use of the collected data
2.3 Beacons
2.3.1 Use of the collected data
2.4 Intelligent video analytics
2.4.1 How is the collected data used?
2.5 Conclusion
3. The concepts of privacy and data protection
3.1 Introduction
3.2 Privacy and data protection – side by side
3.3 Privacy – the complexity
3.3.1 The individual and the collective
3.3.2 Two different understandings of privacy
3.3.3 Eight different types of privacy
3.3.4 Legal framework
3.4 Data protection
3.4.1 Convention 108
3.4.2 General Data Protection Regulation
3.5 Privacy and data protection in relation to the private sector
3.6 Conclusion
4. Tracking people for commercial purposes in physical space in light of the General Data Protection Regulation
4.1 Introduction
4.2 Principles in the GDPR relating to processing of personal data
4.2.1 Transparency
4.2.2 Purpose limitation
4.2.3 Data minimisation and storage limitation
4.2.4 Integrity and confidentiality
4.2.5 Accountability
4.3 Lawfulness of processing
4.3.1 Consent
4.3.2 Legitimate interest of the data controller
4.4 GDPR applied to the tracking technologies
4.4.1 Mobile device tracking
4.4.2 Beacons
4.4.3 Video content analytics
5. Discussion and conclusion
Table of legislation
Bibliography
1. Introduction

1.1 Background

Surveillance technologies have been used for different aspects of security and law enforcement purposes for several decades, from preventing shoplifting and physical assaults to tracking suspected terrorists. This is a part of modern society that citizens have become aware of and used to, and which has been scrutinised and analysed over a long period of time. Similarly, in the online environment, there is increasing awareness that internet users are being tracked, in this area mostly by private parties for commercial purposes. However, there seems to be a somewhat weaker societal awareness of the corresponding methods that are increasingly being used for consumer behaviour tracking and other commercial purposes in the physical environment. In 2012, mannequins with built-in facial recognition software capable of analysing the age, sex, race and dwell time of customers, so that companies could use these data for targeted marketing strategies, stirred considerable attention in the media.[1] Many commentators found the mannequins “creepy” or “privacy intruding”, and suggested that people experienced this as particularly uncomfortable because they were being monitored by a ‘quasi-human’ with cameras installed in its eyes.[2] In fact, the same kind of data (and considerably more of it) that these particular mannequins were processing is constantly being collected by private parties in the physical environment for the same kind of reasons, but in less distinguishable and visible ways. Methods applied range from CCTV and sound sensors, often combined with content analytics and facial recognition, to various forms of mobile device tracking (e.g. via GPS). Another example of surveillance technology also used for commercial purposes is the camera drone. So, whether we are browsing the internet or browsing our local mall, our behaviour is (often) being tracked.

In a European context, the forthcoming General Data Protection Regulation[3] (hereafter, GDPR) will be the principal instrument that commercial actors need to comply with when processing personal data, and consequently of principal interest for questions related to surveillance for commercial purposes.

[1] Liat Clark, ‘Mannequins Are Spying On Shoppers For Market Analysis’ (WIRED UK, 23 Nov 2012) http://www.wired.co.uk/article/mannequin-spies-on-customers accessed 1 Dec 2016.
[2] Kashmir Hill, ‘Why Do Mannequins That Spy On Us Creep Us Out?’ (Forbes, 28 Nov 2012) http://www.forbes.com/sites/kashmirhill/2012/11/28/why-do-mannequins-that-spy-on-us-creep-us-out/#ad713d0386f6 accessed 1 December 2016.
[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.2 Central research question and sub-questions

The objective of this thesis is to provide an account of the practices of surveillance for commercial purposes in the physical environment, and of the legal grounds and problems thereof. Given the background provided above, the central research question can be formulated as:

In view of expanding surveillance of people’s behaviour for commercial purposes in physical space, how well does the forthcoming EU General Data Protection Regulation protect the individual’s right to privacy?

To facilitate the answer to this question, the thesis will deal with the following sub-questions:

- How does consumer tracking in physical space work? What methods are used and what are the results of the surveillance, i.e. how is the collected data used?

The technologies analysed are limited to three: the tracking of mobile devices through their Wi-Fi and Bluetooth capabilities, the use of beacons, and intelligent video content analytics (VCA). This is done while acknowledging that other technologies for the same basic purposes exist, and that more are likely to be developed. The technologies themselves are not the main focus of this thesis; these questions rather provide a general background showing that such technologies are in fact in use today, and thus form at least part of what the legislator currently needs to take into account. The second set of sub-questions is:

- What do the notions of privacy and data protection entail? What are the similarities and differences between them?

This section is included to provide a more comprehensive basis for understanding the context and challenges of the upcoming GDPR.
As these concepts are incredibly complex, it should be emphasised that this constitutes only a scratching of the surface of these notions. As such, it is quite a theoretical and abstract part of this paper. The last substantive chapter shifts the focus to the GDPR. It does this through the following set of sub-questions:
- How does the General Data Protection Regulation deal with the tracking of people in physical space?
- How well does the GDPR safeguard the interests protected by privacy and data protection when it comes to surveillance for commercial purposes in physical space?

1.3 Limitations

The thesis will only examine and analyse surveillance for commercial purposes in the physical setting. This means that the practices of surveillance and tracking in the online environment, when a person is using her computer in her home (or other protected places), fall outside the scope of this analysis. Further, the thesis will not discuss the differences between private and public space. The territorial scope of the analysis is the European Union, not particular member states, except where necessary for purposes of illustration. Furthermore, the thesis will not extend to surveillance for purposes other than commercial, even if examples from this area can be used for clarification or comparison.

1.4 Significance

As the practices and methods of surveillance become more refined and consequently have a greater impact on individuals, the need for legal evaluation grows. While there is already legal research dealing with this particular topic, the perspective of the forthcoming European GDPR is nonetheless research that is due and important. Both the introduction of the GDPR and increasing surveillance for commercial purposes are factors that are likely to impact the lives of European citizens in significant ways in the near future, so addressing this combination is of special interest. Another aspect is that by using, for financial gain, methods that were formerly reserved for security and crime prevention, the boundaries of legitimate purpose for processing personal data might become modified. An example is facial recognition software, which by its nature processes sensitive data and is considered to be very privacy intrusive. When this is used by law enforcement for the purposes of preventing, investigating, detecting or prosecuting criminal offences, the balancing act can in many cases (although admittedly not always) be seen as quite straightforward. But when such a privacy infringement is done not in the name of the law, but in the name of “serving customers better”, the balancing act will be of a completely different nature. Furthermore, this thesis can also be viewed as a contribution to a larger perspective on the increasing power of private actors over individuals. Surveillance performed by the state is, and rightfully so, subject to a lot of scrutiny and debate. In the context of private surveillance practices, the possibilities for similar examination are small and the control mechanisms few and far between. Therefore, it can be of use to pay extra attention to private actors employing methods of surveillance.

1.5 Methodology

In this thesis, I will employ the traditional legal method. Accordingly, my sources will be existing legislation, literature and case law. As stated in the research question itself, the key focus will be on the forthcoming Regulation. Therefore, materials analysing this instrument will be duly employed. Since a comparison with the current Data Protection Directive is made, literature relating to it is also used. For the parts dealing with the legitimacy of commercial surveillance practices, legislation, doctrine and case law from both the Court of Justice of the European Union and the European Court of Human Rights will be used. When describing the different methods of commercial surveillance, other types of academic literature on the matter at hand will also be used, complemented by journalistic pieces with accounts from practice.

1.6 Overview of chapters

The thesis is structured in five chapters, including the introduction and conclusion chapters. The second chapter describes the various methods employed to track people in physical space. Further, it examines the purposes that the collected data serves, with special focus on the practice of profiling and the possible consequences in terms of discriminatory measures. The third chapter presents the concepts of privacy and data protection from a theoretical perspective, but also looks at the existing European legislation relating to these concepts. This chapter also looks more closely at these concepts in relation to the private sector. The fourth chapter then brings together the technologies presented in the second chapter with the upcoming GDPR and analyses this combination from a perspective primarily focused on the individual’s right to privacy. After this follows a short conclusion.
2. Different tracking methods

2.1 Introduction

Before any legal analysis can be made of a certain phenomenon, it is first necessary to examine more closely how the phenomenon itself works. Accordingly, this chapter presents some of the technologies that are used for profit-enhancing surveillance in physical space. It thus deals with the first sub-questions presented in the introduction chapter, namely: How does consumer tracking in physical space work? What methods are used and what are the results of the surveillance, i.e. how is the collected data used? For the purposes of this paper, the focus is primarily on three technologies: firstly, the tracking of mobile devices through their Wi-Fi and Bluetooth capabilities; secondly, the use of beacons; and finally, video content analytics. Focusing on these methods is done whilst acknowledging that there are obviously other types of technologies and methods used for the same purposes. Considering the interest commercial actors have in acquiring customer data, the further development of new mechanisms for such surveillance is to be expected. The reasons for choosing these three technologies are that their usage is already globally widespread and that their use is arguably especially problematic from a data protection perspective.

2.2 Mobile device tracking

The number of smartphone users worldwide was forecast to reach 2.32 billion in 2017, and to increase in the following years.[4] This fact has naturally revolutionised the way people can be tracked in physical space, and according to ABI Research, some 200,000 shops worldwide now have systems to track smartphones.[5]

[4] Statista, The Statistics Portal, ‘Number of smartphone users worldwide from 2014 to 2020’, https://www.statista.com/statistics/330695/number-of-smartphone-users-worldwide/ accessed 5 Jan 2017.
[5] ABI Research, ‘Wearables, Usables and Expandables’, https://www.abiresearch.com/market-research/practice/wearables-devices/ accessed 5 Jan 2017.
2.2.1 Wi-Fi tracking

One way to track a certain device (or in practice, its user) is to use the Wi-Fi[6] capabilities that virtually all smartphones have.[7] A mobile device with Wi-Fi activated will continuously search for nearby Wi-Fi networks, which have a specific range, usually 50 to 100 metres from the access point.[8] Only within this range are the device and the access point able to communicate with each other. When searching, the network interface controller (NIC) of the device actively broadcasts so-called probe requests.[9] These probe requests contain a unique identifier, namely the media access control (MAC) address of the device, which serves to differentiate devices on a network so that data frames can be delivered to and from the correct device.[10] The first part of the MAC address (the organisationally unique identifier, OUI) identifies the organisation that issued the NIC, often revealing the device manufacturer or the type of device that carries the MAC address.[11] The MAC address is assigned to a device when it is manufactured and usually[12] cannot be changed, which renders it a permanent identifier of the device.[13] It should be added that since 2014 the major mobile operating systems have begun to randomise the MAC address used in probe requests while the device is not connected to a network; this is the countermeasure whose limits Vanhoef et al. (note 10) analyse, and it means that the permanence of the identifier can no longer simply be taken for granted.

Tracking of a device is then possible if an actor installs a set of Wi-Fi access points or passive Wi-Fi monitors and collects the MAC address of every device within range. Since the MAC address, as stated above, generally cannot be changed, observing a specific MAC address again indicates the return of that particular device, which consequently allows the tracing of a particular person. Additionally, collecting the number of MAC addresses within a given area gives a rather accurate estimate of the number of people present in a certain location and of their movement patterns.[14] A common element of using public Wi-Fi is the requirement that users provide directly identifying information, for example an email address, to gain access to the network. This information can then be combined with the MAC address of the device. It should be noted, however, that such a straightforward action is not necessary for the collection of personal data to occur.[15] A study of five shopping malls in the US undertaken in 2014 found that 62% of shoppers left Wi-Fi active on their phones, leaving digital footprints wherever they went.[16] While many actors offer free Wi-Fi as a benefit or incentive to their customers, the shoppers did not have to connect to the Wi-Fi for the location data to register; in the study, only around 3% of the shoppers actually connected to the Wi-Fi. Mobile devices automatically detect the presence of access points.[17]

2.2.2 Bluetooth tracking

Bluetooth® is a wireless communication protocol that connects devices to a phone or computer using radio waves instead of wires or cables. Communication between Bluetooth devices happens over short-range, ad hoc networks. When such a network is established, one device acts as the master while all other devices act as slaves.[18] Simply disabling Wi-Fi connectivity therefore does not mean that the device cannot be tracked, since Bluetooth (and cellular standards) also involve the broadcasting of signals containing unique identifiers.[19] Bluetooth may be switched on by default or by the individual’s own choice (e.g. to enable hands-free voice calls or to use wireless headphones). A mobile device with Bluetooth activated transmits its Bluetooth device address, a 48-bit identifier of the same form as a Wi-Fi MAC address (although the Bluetooth Low Energy specification also allows devices to advertise with periodically changing random addresses). Similarly to Wi-Fi tracking, Bluetooth tracking involves registering and saving the Bluetooth addresses emitted by mobile devices in order to track the users’ movements. An advantage of Bluetooth tracking over Wi-Fi tracking is that, because of the shorter range, Bluetooth can provide more accurate data on the user’s location within a limited area.[20]

2.2.3 Use of the collected data

Actors that use Wi-Fi tracking are interested in collecting positional data, i.e. where the device (and consequently its owner) is, and in using this data to count, analyse and compare information on users’ movements for different purposes. From the Wi-Fi data gathered, for example, in a shopping centre, the movement of shoppers can be mapped. From a retailer’s perspective, this is very useful information, giving retailers insight into how the decisions they have made are received by their customers. This ranges from ‘basic’ knowledge of the ‘hot’ and ‘cold’ zones type, for example which categories of goods are often purchased together, which can be used to organise the store better.[21] Through more sophisticated technology, however, even more detailed analyses can be made. An example of an actor performing more detailed analyses is the Finnish company Walkbase, whose platform provides real-time analytics on customers’ habits with the goal of reaching the same level of personalisation in-store as online.[22] This company is one of an emerging group of actors that provide location tracking services and analytics. A market-research firm estimates that the market for tracking phones indoors could grow fivefold worldwide between 2016 and 2021, to a total of 23 billion US dollars.[23] This kind of tracking does not only exist in the traditional shopping environment; it is also used in other business premises such as railway stations and airports. As an example, Wi-Fi tracking can be used to estimate the waiting time to pass through security, by positioning a number of Wi-Fi sensors before and after the security counters. The times at which an individual device passes each of these points are combined to calculate the time it took the device (and thus the individual) to move between them, giving a fairly accurate indication of the average transit time through security. This information can then be conveyed to other airport visitors on frequently updated information screens.[24] Notable examples are Schiphol Airport in Amsterdam, the Barcelona and Madrid airports and New York JFK.[25] As previously explained, most individuals are tracked even if they are not actively using the Wi-Fi of the business premises in question. It should also be noted, however, that from those who do choose to log on to the Wi-Fi, an even greater amount of data can be gathered. Actors may offer free Wi-Fi, which naturally comes with terms of service that the vast majority of users do not care to read. These terms of service will typically allow stores to see the individual’s online search history as well as track their location.[26]

[6] Wi-Fi is a wireless local area network (LAN) protocol that allows devices to communicate without cords or cables. See also http://www.wi-fi.org/who-we-are.
[7] See also A.B.M. Musa and Jakob Eriksson, ‘Tracking Unmodified Smartphones Using Wi-Fi Monitors’, SenSys 2012 (ACM), pp. 281-294.
[8] Datatilsynet (The Norwegian Data Protection Authority), Tracking in Public Spaces (Report, June 2016) p. 5.
[9] International Working Group on Data Protection in Telecommunications, Working Paper on Location Tracking from Communications of Mobile Devices (October 2015) p. 2.
[10] Ibid., and Vanhoef et al., Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms, available at http://papers.mathyvanhoef.com/asiaccs2016.pdf.
[11] See note 9, above.
[12] It should be noted, however, that it can be modified or spoofed using software. See ICO, Wi-Fi Location Analytics (Guide, February 2016) p. 3.
[13] Data Protection Commissioner (Ireland), Guidance Note for Data Controllers on Location Data, accessed 10 January 2017.
[14] See note 8, above.
[15] Tracking in Public Spaces (note 8), p. 5.
[16] Subramanian Gopalaratnam, ‘In-store Analytics: Tracking Real-World Customers Just Like Online Shoppers’ (TechRadar, 27 February 2015) http://www.techradar.com/news/world-of-tech/future-tech/in-store-analytics-tracking-real-world-customers-just-like-online-shoppers-1286293 accessed 10 January 2017.
[17] Article 29 Working Party, Opinion 13/2011 on Geolocation services on smart mobile devices, p. 6.
[18] Official webpage of Bluetooth®, ‘How it Works’, available at https://www.bluetooth.com/what-is-bluetooth-technology/how-it-works.
[19] Working Paper on Location Tracking (note 9), p. 2.
[20] Tracking in Public Spaces (note 8), p. 4.
[21] The Economist, ‘A new industry has sprung up selling “indoor-location” services to retailers’ (24 December 2016) accessed 10 January 2017.
[22] See http://www.walkbase.com/about-us.
[23] See note 21, above.
[24] Tracking in Public Spaces (note 8), p. 5.
[25] Working Paper on Location Tracking (note 9), p. 2.
[26] See note 21, above.
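The probe-request mechanism, the structure of the MAC address and the transit-time calculation described in sections 2.2.1 and 2.2.3 can be made concrete in code. What follows is an added example written for this page; it is not code from the thesis or from any of the vendors or airports it mentions. It runs over a constructed list of probe-request sightings (timestamp, sensor name, transmitter MAC) of the kind two Wi-Fi monitors placed before and after a security checkpoint would record; the sensor names, MAC addresses and timestamps are made up. It extracts the OUI, tests the locally administered bit that software-chosen (randomised) addresses set, and computes per-device transit times only for addresses that can actually serve as a persistent identifier, which is where the caveat in note 12 bites.

```python
"""Wi-Fi probe-request analytics over a constructed capture (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Sighting:
    ts: float     # seconds since the start of the capture
    sensor: str   # name of the Wi-Fi monitor that heard the probe request
    mac: str      # transmitter address (Address 2) of the probe request


def parse_mac(mac: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' into six raw octets, validating the format."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def oui(mac: str) -> str:
    """First three octets: the organisationally unique identifier that points
    at the NIC vendor when the address is a burned-in, globally assigned one."""
    return ":".join(f"{b:02X}" for b in parse_mac(mac)[:3])


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is the U/L bit. Manufacturer-assigned addresses
    have it clear; software-chosen addresses, including the randomised MACs
    that modern phones put in probe requests, set it."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0 of the first octet is the I/G bit; a real transmitter address
    never has it set, so such frames are treated as noise."""
    return bool(parse_mac(mac)[0] & 0x01)


def stable_macs(sightings: Iterable[Sighting]) -> Set[str]:
    """Addresses that can plausibly act as a persistent device identifier."""
    return {s.mac for s in sightings
            if not is_locally_administered(s.mac) and not is_multicast(s.mac)}


def devices_per_sensor(sightings: Iterable[Sighting]) -> Dict[str, int]:
    """Headcount per monitor: distinct addresses heard, randomised ones included,
    which is why this figure over-counts when phones rotate their MAC."""
    seen: Dict[str, Set[str]] = {}
    for s in sightings:
        seen.setdefault(s.sensor, set()).add(s.mac)
    return {sensor: len(macs) for sensor, macs in seen.items()}


def transit_times(sightings: Iterable[Sighting], before: str, after: str,
                  max_gap: float = 1800.0) -> Dict[str, float]:
    """Seconds between a device's last sighting at `before` and its first
    sighting at `after`, for stable addresses only. Gaps above `max_gap`
    (an assumed cut-off) are discarded as unrelated visits."""
    last_before: Dict[str, float] = {}
    first_after: Dict[str, float] = {}
    for s in sorted(sightings, key=lambda s: s.ts):
        if is_locally_administered(s.mac) or is_multicast(s.mac):
            continue  # a rotated address cannot be matched across sensors
        if s.sensor == before and s.mac not in first_after:
            last_before[s.mac] = s.ts
        elif s.sensor == after and s.mac in last_before and s.mac not in first_after:
            first_after[s.mac] = s.ts
    return {mac: first_after[mac] - last_before[mac]
            for mac in first_after
            if 0.0 < first_after[mac] - last_before[mac] <= max_gap}


def average_transit(sightings: Iterable[Sighting], before: str, after: str) -> float:
    times = transit_times(sightings, before, after)
    return sum(times.values()) / len(times) if times else float("nan")


# Constructed capture: two monitors around an imaginary security checkpoint.
# 00:... addresses have the U/L bit clear and behave like burned-in MACs;
# DA:... and 7E:... have it set, as a phone's randomised probe addresses do.
SAMPLE_CAPTURE: List[Sighting] = [
    Sighting(0.0,   "pre_security",  "00:1A:2B:3C:4D:5E"),
    Sighting(5.0,   "pre_security",  "DA:A1:19:00:11:22"),  # randomised
    Sighting(10.0,  "pre_security",  "00:1A:2B:11:22:33"),
    Sighting(30.0,  "pre_security",  "00:1A:2B:3C:4D:5E"),  # still queueing
    Sighting(40.0,  "pre_security",  "00:1A:2B:AA:BB:CC"),  # never seen again
    Sighting(300.0, "post_security", "7E:33:44:55:66:77"),  # same phone, new MAC
    Sighting(330.0, "post_security", "00:1A:2B:3C:4D:5E"),
    Sighting(490.0, "post_security", "00:1A:2B:11:22:33"),
    Sighting(600.0, "pre_security",  "00:1A:2B:3C:4D:5E"),  # ignored: already through
]

if __name__ == "__main__":
    print("per-sensor headcount:", devices_per_sensor(SAMPLE_CAPTURE))
    print("stable identifiers:", sorted(stable_macs(SAMPLE_CAPTURE)))
    print("transit seconds:", transit_times(SAMPLE_CAPTURE, "pre_security", "post_security"))
    print("average:", average_transit(SAMPLE_CAPTURE, "pre_security", "post_security"))
```

Two things the example shows that the prose does not: the headcount per sensor is inflated by randomised addresses (the same phone appears as two devices), and the transit-time matching silently loses those phones, so an operator relying on burned-in MACs measures a biased sample of the crowd.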
2.3 Beacons

Beacon technology was first introduced by Apple in 2013, under the name iBeacon.[27] Beacons are small battery-powered devices consisting of a chip and other electronic components that transmit signals which can be picked up by nearby smart devices.[28] An important distinguishing element, however, is that beacons function through mobile applications (apps). Essentially, beacon technology allows mobile apps to understand their position on a micro-local scale, and can thus enable the delivery of hyper-contextual content to users based on location.[29] Beacons are sometimes interpreted as instruments of surveillance capable of tracking smart device users’ movements without their knowledge, but this is incorrect: beacons do not collect data themselves and cannot pinpoint smart devices’ positions.[30] To exemplify, iBeacon, Apple’s beacon protocol supported in iOS, can alert apps when the user is approaching or leaving a location. Through this, apps can know when the device is close to an iBeacon, for example at the checkout counter in a retail store.[31] It should be noted that there are also actors besides Apple who provide beacon technology, and on a basic level all beacon technologies function in the same way. The beacons emit an ID that is unique to them. When this ID is read by an application, this can trigger an action, such as the delivery of a message or advertisement to the user of the app. In this way, it is possible for the actor responsible for the app to identify which beacons the user has been close to, as well as the distance and the time, without the awareness of the user. The signals that beacons employ are transmitted as Bluetooth Low Energy advertisements, and a beacon can have a coverage area of up to 70 metres. From the strength of the received signal, an app can estimate how far away the smart device is from the beacon within its coverage area. Theoretically, only an app belonging to the company that installed the beacons can read the signals that the beacons transmit; in practice, however, other applications and operating systems can also pick up and read the signals, since the advertisement is broadcast in the clear to any receiver in range.[32] As such, beacons differ significantly from the location tracking methods presented in the previous section.

[27] H.O. Maycotte, ‘Beacon Technology: The Where, What, Who, How and Why’ (Forbes, 1 September 2015) accessed 10 January 2017.
[28] Sterling et al., Understanding Beacons – A Guide to Beacon Technologies (Future of Privacy Forum, December 2014) p. 2 ff.
[29] See http://www.ibeacon.com/what-is-ibeacon-a-guide-to-beacons/.
[30] See note 28, above.
[31] See (link not preserved).
[32] Tracking in Public Spaces (note 8), p. 9 f.
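To make the beacon mechanism of section 2.3 concrete, here is an added example (not code from the thesis, from Apple or from any beacon vendor) that builds a Bluetooth Low Energy advertisement in the publicly documented iBeacon layout (Apple’s company identifier 0x004C, sub-type 0x02, length 0x15, a 16-byte UUID, 16-bit major and minor values, and a calibrated RSSI at one metre), parses it back the way any scanning app or operating system can, and estimates the phone’s distance from the beacon with the usual log-distance path-loss formula. The UUID, the major/minor values, the RSSI readings and the proximity thresholds are constructed for the example, and the path-loss exponent is an assumed free-space value.

```python
"""iBeacon advertisement construction, parsing and ranging (added example)."""
import struct
import uuid
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

APPLE_COMPANY_ID = 0x004C   # Bluetooth SIG company identifier, little-endian on the air
IBEACON_SUBTYPE = 0x02
IBEACON_LENGTH = 0x15       # 21 bytes: UUID(16) + major(2) + minor(2) + measured power(1)
AD_TYPE_FLAGS = 0x01
AD_TYPE_MANUFACTURER = 0xFF


@dataclass(frozen=True)
class IBeacon:
    proximity_uuid: uuid.UUID
    major: int
    minor: int
    measured_power: int   # calibrated RSSI in dBm at 1 m, signed byte


def build_ibeacon_adv(beacon: IBeacon) -> bytes:
    """Assemble the 30-byte advertising payload: a Flags AD structure followed
    by the Manufacturer Specific Data structure carrying the iBeacon fields."""
    flags = bytes([0x02, AD_TYPE_FLAGS, 0x06])  # LE General Discoverable, BR/EDR not supported
    body = (struct.pack("<H", APPLE_COMPANY_ID)
            + bytes([IBEACON_SUBTYPE, IBEACON_LENGTH])
            + beacon.proximity_uuid.bytes
            + struct.pack(">HHb", beacon.major, beacon.minor, beacon.measured_power))
    return flags + bytes([len(body) + 1, AD_TYPE_MANUFACTURER]) + body


def iter_ad_structures(adv: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the length/type/data triplets of an advertising payload, stopping
    at a zero length or at a structure that would overrun the buffer."""
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0 or i + 1 + length > len(adv):
            return
        yield adv[i + 1], adv[i + 2:i + 1 + length]
        i += 1 + length


def parse_ibeacon(adv: bytes) -> Optional[IBeacon]:
    """Return the iBeacon fields if the payload carries them, else None.
    Nothing here is secret: any receiver in range can do the same."""
    for ad_type, data in iter_ad_structures(adv):
        if ad_type != AD_TYPE_MANUFACTURER or len(data) != 2 + 2 + IBEACON_LENGTH:
            continue
        (company,) = struct.unpack("<H", data[:2])
        if company != APPLE_COMPANY_ID or data[2] != IBEACON_SUBTYPE or data[3] != IBEACON_LENGTH:
            continue
        major, minor, power = struct.unpack(">HHb", data[20:25])
        return IBeacon(uuid.UUID(bytes=data[4:20]), major, minor, power)
    return None


def estimate_distance(measured_power: int, rssi: int, path_loss_exponent: float = 2.0) -> float:
    """Log-distance path-loss model: d = 10 ** ((P_1m - RSSI) / (10 n)).
    n = 2.0 is the assumed free-space value; indoors it is typically higher."""
    return 10 ** ((measured_power - rssi) / (10 * path_loss_exponent))


def proximity_zone(distance_m: float) -> str:
    """Coarse zones of the kind an app maps beacon sightings into; the
    thresholds are assumptions for this example, not Apple's values."""
    if distance_m < 0.5:
        return "immediate"
    if distance_m < 3.0:
        return "near"
    return "far"


# Constructed beacon: the UUID and major/minor values are made up for the example.
SAMPLE_BEACON = IBeacon(uuid.UUID("12345678-1234-5678-1234-56789abcdef0"),
                        major=100, minor=7, measured_power=-59)
SAMPLE_ADV = build_ibeacon_adv(SAMPLE_BEACON)

if __name__ == "__main__":
    print(parse_ibeacon(SAMPLE_ADV))
    for rssi in (-59, -69, -79):          # constructed RSSI readings
        d = estimate_distance(SAMPLE_BEACON.measured_power, rssi)
        print(f"RSSI {rssi} dBm -> {d:.2f} m ({proximity_zone(d)})")
```

The parser illustrates the point made in the text: the beacon only announces who it is, and it is the receiving app (or whoever else is listening) that turns the UUID/major/minor triple plus a timestamp and an RSSI-derived distance into a record of where the phone was.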
2.3.1 Use of the collected data

Beacons are principally used by the retail industry, but also at other venues, such as entertainment venues, sports arenas and conferences, as well as for advertising screens and by real estate companies. As mentioned above, actors that have beacons in place can detect where a smart device user is at any given moment, and then use this information to send timely push messages, to promote products or to provide other useful information. Indeed, the beacons can also be used without any push notifications, to map and record customers’ visits and movements in stores or shopping malls, provided the customer has downloaded the corresponding app. It is the corresponding app that determines what the beacon signals are used for, and thus this happens with the permission of the smart device owner.

2.4 Intelligent video analytics

Having presented the widespread concept of mobile device tracking, it is apparent that this model already has a large impact on how surveillance in physical space works. Nevertheless, the development of intelligent video analytics adds a further element to the concept of surveillance for commercial purposes. Through the use of intelligent video analytics, content from e.g. surveillance cameras can be automatically analysed.[33] The technology can, for example, provide information on what kind of objects there are in the footage, alert the system based on where and how the objects are moving, and recognise faces. Intelligent video analytics is built on algorithms that rapidly interpret the changes from one frame to the next. It has meant that the need for humans to look through the recorded material has diminished. Where the software runs depends on the type of functionality the system is meant to have. For less complex functions, such as people counting, the analytics software can be incorporated into the cameras themselves, whereas more complicated functions usually reside on the user’s server. In that case, images from the cameras are sent to the server, where they are processed by the analytics software and subsequently presented as part of a video management system. Generally this means that the user interface allows the controlling of cameras, real-time viewing of images, reviewing of earlier footage and presentation of the results of integrated analytics programs.[34]

[33] See T. Xiang, S. Gong et al. (eds), Video Analytics for Business Intelligence (Springer, 2012).
[34] Anthony Hildebrand, ‘Analysis: Retail CCTV – from surveillance to shopper analysis’ (Retail Week, 20 December 2012).
2.4.1 How is the collected data used?

Within the law enforcement and security sectors, the reasons for and advantages of using intelligent video analytics are obvious. For retailers, the uses of this technology are perhaps not initially as obvious, but they are in fact many and important. On a basic level, the technology can help with counting the customers in a store at a certain time, as well as with queue management: the video analytics software can raise a real-time alert when queues exceed predefined thresholds. More advanced analytics can combine this with ‘footfall data’ on people entering the store and then alert the staff proactively before long queues start to form. Then there is the possibility to capture and analyse demographics, such as age and gender, which is very valuable for retailers as they can then see and structure the buying patterns and shopping habits of different demographic groups. This is done by integrating network cameras with facial recognition analytics. The analytics software evaluates whether the biometric data of an individual belongs to a group with some predefined characteristic. On the basis of this biometric categorisation of an individual a specific action can be decided, such as showing a different kind of advertising to target the individual looking at the display, based on age or gender.[35] By combining this with higher-resolution images, the reactions and emotions of shoppers can also be inferred. An additional area of use for facial recognition technology in the retail field is the possibility to distinguish unique visitors. The goal is then not to identify any specific individual, but to provide data on the number of unique visitors to the store, for example to measure the success of a certain advertising campaign.[36]

2.5 Conclusion

The rapidly developing technologies deployed for tracking individuals for commercial purposes are already capable of performing very precise evaluations. From a business point of view, this is indeed an incredibly valuable development. Advocates of these technologies call for a shift in mindset, where individual consumers should not regard themselves as being watched by Big Brother, but instead see the advantages and benefits of getting a more tailor-made ‘customer experience’.[37] An analysis of this will be done in the subsequent parts of this thesis.

[35] Article 29 Working Party (WP203), Opinion 03/2013, p. 6.
[36] Gopalaratnam (note 16).
[37] Ibid.
3. The concepts of privacy and data protection 3.1 Introduction In the previous chapter, some different methods of tracking of people’s behaviour in physical space for commercial purposes were presented. As the research question suggests, the primary focus is how well the forthcoming General Data Protection Regulation will protect the individual’s right to privacy in the context of the use of such methods. However, before shifting the focus to this legal instrument, this chapter will metaphorically take a step back in order to see the bigger picture and thus place the GDPR in a bigger context. As the GDPR is an instrument of the legal regime of data protection, providing an explanation of data protection and its background will obviously be of vital importance for this bigger picture. Similarly essential for the bigger picture here is the concept of privacy. It should already be noted that privacy has a reputation of being “notoriously difficult to describe”. This has repeatedly been concluded by a vast array of scholars and has also become something that is included in nearly every introduction of any paper covering the notion of privacy. As the aim of this paper however is not to further elaborate upon the notions of data protection or privacy, but rather how the GDPR safeguards the interests protected by privacy and data protection in relation to surveillance for commercial purposes in physical space, this consequently means that the presentations of these concepts and their internal relationship will not be particularly detailed or deep. Bearing this in mind, the sub-questions of this chapter are the following: What do the notions privacy and data protection entail? What are the similarities and differences between them? Answering these questions will encompass quite a theoretical approach with the presentation of these concepts and the legal frameworks that accompany them. 
After first presenting the two concepts side by side, the focus is shifted first to privacy and its legal framework. Subsequently, data protection and its legal framework, including the focal point of this paper, the GDPR, are presented.

3.2 Privacy and data protection – side by side

As much as there is a wide range of differences between privacy and data protection, it should also be pointed out that they are societal concepts that share the same core.38 This core is the idea of the autonomy, dignity and value of every single human being.39 Consequently, the right to respect for private life and the right to the protection of one’s personal data are different expressions that acknowledge this core.

An analysis that pinpoints some of the inherently different aspects of privacy and data protection is made by Gutwirth and de Hert, who use the concepts of opacity and transparency for this purpose.40 Following this scheme, privacy is considered as a tool of opacity in the sense that it works as a shield against unwarranted insight. On the other hand, data protection works as a tool of transparency, in that it provides legislation with a focus on safeguarding individuals from the abuse of data processing. Related to the notion of opacity is, for example, the idea of the sanctity of the home (“my home is my castle”).41 Of course, there are exceptions to the sanctity of the home, such as the right for law enforcement authorities to enter one’s home in case of suspected criminal activity, but in most (i.e. democratic) legal systems these exceptions are subject to strict regulations.

Another aspect of the notion of opacity is related to the idea that individuals who know they are being watched will behave in a way that is different from the way they would behave if they knew no one was watching (or where they were not aware of the fact that they are being watched).42 This does not necessarily mean that people would engage in illegal activities if there was no one watching, but rather that the knowledge that no one is watching provides humans with a relief from stress and can be the foundation for fostering creativity or creating new ideas. The actors doing the watching are governments and authorities as well as private actors, like businesses.
As the world is becoming increasingly more complex through the development of various new technologies, the number of private actors that process personal data also increases. One reason why data protection was developed was to stop the actors that process personal data from abusing their power.43 The idea that power must be tamed is of course an old one, with the division of power in the style of Montesquieu as a prominent example.44 This is especially topical today, when devices such as “data is the new oil”45 and other expressions related to the rapidly evolving and increasing use of data have become ubiquitous.

38 Peter Blume, ‘Data Protection and Privacy – Basic Concepts in a Changing World’, Scandinavian Studies in Law (Volume 56, 2010), p. 152.
39 Peter Hustinx, ‘EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation’ (2014), <https://edps.europa.eu/data-protection/our-work/publications/speeches-articles/eu-data-protection-law-review-directive_en> accessed 5 May 2017.
40 Paul De Hert, Serge Gutwirth, ‘Privacy, Data Protection and Law Enforcement. Opacity of the Individual and the Transparency of Power’, p. 61 ff. in Claes, Duff & Gutwirth (eds), Privacy and the Criminal Law (Intersentia nv, 2006).
41 Ibid, p. 6 f.
42 Ibid, in footnote 113.
43 Ibid, p. 15.
44 Ibid, p. 5.
45 An expression likely coined by UK mathematician Clive Humby in 2006. <https://www.quora.com/Who-should-get-credit-for-the-quote-data-is-the-new-oil>

3.3 Privacy – the complexity

Presenting the notion of privacy can be done in a variety of ways, using a range of different perspectives. It should be noted that privacy is an umbrella term that includes both the broader concept concerning what privacy is and how it should be valued and, additionally, the narrower concept of the right to privacy, which concerns the aspect of how privacy is or should be protected legally.46 Accordingly, privacy as such can be approached not merely from the legal point of view, but also from a range of different areas, such as from a sociological, ethical or philosophical standpoint. In addition, even when approached from a strictly legal point of view, the right to privacy will touch upon a variety of areas of law, such as private or tort law, constitutional law, criminal law, and international or supranational law.47

Oftentimes privacy is defined in the academic literature by comparing it with the concept of data protection and thereby showing what it is and what it is not. Likewise, to define data protection it often makes sense to present it side by side with privacy, as these concepts are intertwined and interlinked. This can be done by comparing the different characteristics these concepts have, the different functions they fulfil or the different rationales and backgrounds they have. Another way of approaching privacy is trying to find the very core of this concept and see what the common denominators are for all kinds of privacy, such as bodily, associational, spatial or informational (this is further discussed below in section 3.3.3). However, and precisely because there are different kinds of privacy, it can also be approached by focusing on what these different kinds of privacy are and what characterizes them.
Not only have the different kinds of privacy been the focus of attention in the literature; the different understandings of this notion and corresponding terms such as private, public, etc. have also been scrutinized. This overview of different approaches hopefully gives a hint of the complexity involved in any attempt to define, explain or describe privacy. Given this complexity, there is consequently a risk that the following sections might come across as merely scattered pieces of information. Even so, I still find it useful to compile some of these different approaches to privacy, and thus assemble fragments of explanations of this multi-dimensional theme.

46 Koops et al., ‘A Typology of Privacy’, University of Pennsylvania Journal of International Law 38(2): 483-575 (2017), at p. 491 f.
47 Ibid.
3.3.1 The individual and the collective

Starting on an abstract level, the right to privacy deals with situations related to either the physical or the psychological environment of an individual person. Already this statement is not entirely precise, as it leaves out the element of group privacy, which is also becoming increasingly important in the age of big data.48 However, to simplify for the purposes of this short overview, the focus is on the individual and the concept of privacy concerns the relationship between the individual and the collective. The relationship between the individual and non-state actors will be discussed later in this chapter.

An essential foundation for the privacy of the individual is the idea that the individual has some sort of autonomy, and thus is an independent being and not merely a part of a community.49 Given this autonomy, the individual has a right to practise a certain degree of control in relation to others, leading to restrictions on the community – e.g. it is not allowed to trespass beyond the boundaries of the individual’s home, see discussion above in the introductory part.50 Clearly, the notions of independence and control are of chief importance for the concept of privacy. Another aspect directly related to this is the fact that privacy as such is a legal concept that embodies individual freedom in its different shapes.51 Privacy functions as a guarantee for individuals’ freedom of self-determination, their right (freedom) to be different and their freedom of choice.
It gives individuals the right to autonomy regarding their sexuality, health, personality building, behaviour etcetera, and works as a guarantee for the uniqueness of each individual, and as a safeguard of alternative behaviour and also of resistance to power.52

3.3.2 Two different understandings of privacy

González Fuster sees two different understandings of privacy that touch upon different aspects.53 Firstly, the idea that privacy is protecting what is seen as private as opposed to what is public. Regarding this, “public” should be seen both in its meaning as governmental authority (“the State”) or society or community in general and in its meaning of things that are shared, common, open and so on. The first meaning is consequently private as the opposite of official, whereas the second meaning is private as the opposite of exposed or accessible. The second understanding of privacy is related to what is private in the sense of what is individual or personal. This encompasses the right for individuals to live as they choose, and not be controlled by or alienated from society and/or themselves. In classifying the meanings of privacy and private in this way, González Fuster intends to show that these notions can be regarded as opposing what is public, but that this does not always have to be the case. It should be noted that González Fuster also holds that there will sometimes be an overlap in the theoretical effects of these different understandings of privacy. An example of this is the argument that for individuals to be truly able to live freely (in line with the second understanding of privacy) they must be assured that some parts of their lives will remain undisclosed (in line with the first understanding of privacy).

3.3.3 Eight different types of privacy

Koops et al. have recently published an article that aims to provide a comprehensive model through a systematic typology of privacy.54 The underlying idea of this article is to provide an analytical tool and explanatory model to help understand privacy better. In this typology, eight different types of privacy are presented, namely: bodily, intellectual, spatial, decisional, communicational, associational, proprietary and behavioural privacy; and these are all overlapped by a ninth type, informational privacy, which is related to the concept of personal data.55 This is done through using perspectives of constitutional law and privacy literature of a number of different jurisdictions, which is an approach not previously taken, as it has been commonplace to focus on merely one particular jurisdiction (and this jurisdiction has often been the U.S.).

3.3.4 Legal framework

3.3.4.1 The ECHR

In the aftermath of the horrors of WWII the international community made various efforts to create conditions for a more stable world with a common ground of respect for humanity.

48 See Taylor, L. et al. (eds), Group Privacy (Springer 2017).
49 Blume (note 38), p. 153.
50 Ibid.
51 Gloria González Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU (Springer 2014), p. 23.
52 Ibid.
53 Ibid, p. 22 ff.
One such effort was the adoption of the Universal Declaration of Human Rights (UDHR) by the United Nations General Assembly in 1948. This declaration included in its Article 12 a statement that “(n)o one shall be subject to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation.” Although this was the first time the concept of privacy appeared in a document of international law, this was clearly not a formulation of great strength.56

54 Koops et al. (note 46).
55 Ibid, pp. 537, 543, 554.
56 Hustinx (note 39), p. 3.
Another post-war effort was the establishment of the Council of Europe (hereinafter CoE). The stated aim of this international organisation is to uphold human rights, democracy and the rule of law in Europe and to promote European culture. While the CoE does not have the power to pass binding legislation, it has the power to enforce certain international agreements reached by European states. The crown jewel of these agreements is the European Convention on Human Rights (hereinafter ECHR), which was drafted in 1950 and entered into force in 1953.57 The ECHR was established to protect human rights and fundamental freedoms in Europe. All CoE members are parties to the ECHR. The ECHR established the European Court of Human Rights (hereinafter ECtHR), which is seated in Strasbourg and has as its prime function to enforce the ECHR. The ECtHR hears applications alleging that a contracting state has breached one or more of the provisions set forth in the ECHR and its protocols. Applications can be submitted by individuals, groups of individuals, non-governmental organisations or one or more of the other contracting states.

The ECHR contains a provision on the protection of privacy, namely Article 8. To a large extent, the ECHR builds upon the UDHR, and Article 8 does partly mirror Article 12 of the UDHR, however with a different terminology, using “private life” instead of “privacy”, and also leaving out honour and reputation.58 This Article is named “Right to respect for private and family life” and consists of two sections: the general rule and the conditions for exception to this rule. The general rule is formulated like this: “Everyone has the right to respect for his private and family life, his home and his correspondence.” This seemingly simple sentence constitutes the foundation for the concept of privacy protection in Europe and has given rise to a vast amount of case law from the ECtHR.
It should however be noted that there are different types of human rights, some of an absolute nature and some that are not absolute. Indeed, the right to privacy is not an absolute right. This stems from the fact that there can be situations and circumstances where the right to privacy does not prevail. These situations are formulated in the second section of Article 8. An interference with the right to privacy requires justification, and the grounds are the following: it must be in accordance with the law, be necessary in a democratic society and pursue a legitimate aim. It should also be noted that these requirements are cumulative, and thus all of them must be fulfilled in order for the interference to be compliant with the Convention.

57 See <http://www.coe.int/en/web/human-rights-convention/>
58 González Fuster (note 51), p. 38.
3.3.4.2 The Charter of Fundamental Rights

For a long time after its establishment the European Union did not have any provisions in its founding treaties that explicitly concerned human rights in general and the right to privacy in particular. As the idea underlying the founding of the EU was to establish an internal market and promote free trade within Europe, this is naturally not unexpected. However, as the Union has moved towards a more ubiquitous presence, it was not unexpected that a shot at a more comprehensive constitutional document would be taken.59 The Treaty of Lisbon, which entered into force in 2009, succeeded in taking a step towards a more constitutional approach by including in its wording the Charter of Fundamental Rights of the European Union (hereinafter the Charter), making this binding for all EU member states. While the act itself of including fundamental human rights in the body of law governing a trade organisation can seem unorthodox, the actual phrasing of the provisions and the structure of the document do not have a particularly novel or ground-breaking character. Rather, the Charter borrows a lot from the ECHR, however with some important modifications. The provision on privacy has a very similar phrasing to that of the ECHR: ‘Everyone has the right to respect for his or her private and family life, home and communications.’ In the Charter, this provision is placed in Article 7. The more interesting provision is found in Article 8, which establishes the human right to data protection. In this way, data protection can be seen as ‘elevated’ from a right subordinate to privacy to a right of its own.60 It can be argued that this is one of the most important novelties of the Charter.
Article 8 of the Charter has three subsections, the first one being the general rule, simply stating that “Everyone has the right to the protection of personal data concerning him or her.” The second subsection lays out the general principles of data protection: that such data must be processed fairly, for specified purposes and on the basis of consent or some other legitimate basis laid down by law. Furthermore, it states that everyone has the right of access to data which has been collected concerning him or her, as well as the right to have it rectified. These are principles that can all be found in the existing Data Protection Directive, and indeed in the coming General Data Protection Regulation. The last subsection also sets forth a provision included in EU data protection legislation, namely that compliance with these rules shall be controlled by an independent authority. On a national level these are the Data Protection Authorities (the DPAs), and on a Union level, experts from the national DPAs form the Article 29 Working Party, which under the new Regulation will be renamed but remain in function, as well as receiving additional powers.

As with all EU law, the only body that can bindingly interpret the legislation is the Court of Justice of the European Union (hereinafter the CJEU), located in Luxembourg. Also before the inclusion of the Charter in the Treaty of Lisbon, the Luxembourg Court decided cases related to privacy and data protection, so this case law has been developed over a longer period. However, during this time before the introduction of the Charter, these rights were developed more as general principles closely associated with the ECHR system.61 It should be borne in mind that there exists no obligation for this court to interpret the law in the same way as the ECtHR. Even if all EU member states are also members of the CoE and consequently parties to the ECHR, the EU itself is not a party, as the CJEU in 2014 issued a negative opinion on the EU’s accession to the ECHR.62 Regardless of, or perhaps partly because of, the non-accession, the relationships between these institutions and these instruments are inevitably somewhat intertwined, something that has been noted and dealt with by several scholars.63

3.4 Data protection

The following section about data protection does not offer the same kind of introduction as the section on privacy did. The reason for this is that data protection as a concept, while in no way uncomplicated, arguably can be easier to grasp. An understanding of data protection is easier to establish, as it is more directly and observably linked to a specific legal regime. This regime, which started to materialize around five decades ago,64 has been created with the purpose of solving one particular problem – the impact of modern technology on private life and personal integrity.65 The new technologies and the new means of automatically dealing with data about individuals were what gave rise to the new discipline of data protection.

59 Ibid, Chapter 5, p. 111 ff.
60 Ibid.
Already at the advent of the use of information technology to process information relating to individuals, there was a common understanding that such use could have a large impact on the rights and interests of individuals. However, it was also clear from the outset that this concept was neither intended to hinder the processing of information relating to individuals, nor to limit the use of information technology as such. Rather, the underlying idea was to offer safeguards related to the use of information technology for the purpose of processing information relating to individuals.66 But even though data protection as a concept was originally derived from privacy, it has deviated from this path in many ways and does not correspond to the legal interpretation of privacy.67 This is of course not unexpected, as the rules of data protection have been made more specific and procedural (in relation to the right to privacy) in light of the special regulatory purpose they have.68 As Hustinx states, “the concept of ‘data protection’ is broader than ‘privacy protection’ because it also concerns other fundamental rights and freedoms, and all kinds of data regardless of their relationship with privacy, and at the same time more limited because it merely concerns the processing of personal information, with other aspects of privacy protection being disregarded.” Accordingly, even though data protection as a concept initially does not seem as difficult to explain, its relationship to privacy adds a layer of complexity.

Data protection was from the outset focused on the rights and interests of individuals, and not primarily on the information related to those individuals.69 However, it is generally understood that data protection today also serves other aims than merely the protection of private information. The general interests in society regarding the use of personal data are of course important, and increasingly so (see discussion below).

61 Juliane Kokott, Christoph Sobotta, ‘The Distinction Between Privacy and Data Protection in the Jurisprudence of the CJEU and the ECtHR’, International Data Privacy Law (2013, Vol. 3, No. 4), p. 223.
62 Opinion 2/13 of the Court, 18 December 2014.
63 See e.g. De Hert, Gutwirth, ‘Data Protection in the Case Law of Strasbourg and Luxemburg: Constitutionalisation in Action’, in Gutwirth et al. (eds), Reinventing Data Protection? (Springer Science, 2009), 3-44, and Kokott, Sobotta, in note 61 above.
64 Hustinx (note 39), p. 1.
65 Blume (note 38), p. 152 f.
The task of data protection rules is to facilitate the use of personal data in a societally acceptable way.70 What is societally acceptable is in turn largely determined by the ethical ideas related to privacy in general.71

3.4.1 Convention 108

It was in 1968 that the Parliamentary Assembly of the Council of Europe addressed a recommendation to the Committee of Ministers, asking it “to examine whether the ECHR and the domestic law of the member States offered adequate protection to the right of personal privacy vis-à-vis modern science and technology”.72 Following this, the Committee of Ministers initiated a study, which concluded that the existing national legislations indeed gave insufficient protection to individual privacy and other rights and interests of individuals regarding automated data banks. In particular, it was found problematic that there was uncertainty regarding what was covered by private life, that the emphasis was on protection against interference by public authorities and that there was an absence of an approach that also handled the possible misuse of personal information by actors in the private sector.73 Accordingly, the Committee of Ministers decided to adopt two resolutions on data protection, in 1973 and 1974, of which the first established data protection principles for the private sector and the second established such principles for the public sector.74 Whereas this was the first initiative related to data protection on an international level, there was a parallel development of this concept in the national legislation of, for example, Germany and Sweden.

After these first recommendations, the CoE proceeded to prepare a binding international legal instrument in the same field. The original plan was that this should take the form of a protocol to the ECHR; however, this plan was abandoned in favour of a separate convention.75 This came to be the Data Protection Convention, which also goes under the name of Convention 108 and which was adopted in Strasbourg in 1981. The purpose of Convention 108, as stated in its first Article, is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him. The definition of personal data as set forth in Convention 108 is “any information relating to an identified or identifiable individual (data subject)”. As opposed to other conventions by the CoE, this one is open to all states to sign, not just CoE members. Currently, there are three states outside the CoE that have signed this convention.

66 Hustinx (note 39), p. 4.
67 Blume (note 38), p. 153.
68 De Hert, Gutwirth (note 40), p. 16.
69 Hustinx (note 39), p. 4.
70 Blume (note 38), p. 154.
71 Peter Blume, ‘Data Protection in the Private Sector’, Scandinavian Studies in Law, 2004, Vol 47, pp. 297-318, at p. 318.
72 Explanatory Report to Convention 108, para. 4.
Convention 108 also formed the basis for the European data protection directive from 1995, and is explicitly mentioned in the recitals to the directive.76

3.4.2 General Data Protection Regulation

This legal instrument has gained a lot of attention for quite some time, and not without justification. The first Commission proposal emerged already in 2012, as it was found that the DPD, which had been the legal instrument used in the area of data protection within the EU since 1995, needed an update to better handle the new challenges that rapidly evolving technology had posed for data protection.77 In the recitals of the GDPR, the legislator highlights just this, for

73 Hustinx (note 39), p. 4.
74 Resolution (73) 22 and Resolution (74) 29.
75 Blume (note 38), see note 2 at p. 153.
76 See recital 11.
77 COM (2012) 11 final.