Facebook View sunglasses questioned by Irish and Italian authorities

Facebook View sunglasses are being questioned by the Irish and Italian authorities regarding whether they effectively notify data subjects that they are being recorded.

A new product by Facebook, in collaboration with Ray-Ban, is now being questioned by European data protection authorities. The product, called “Facebook View”, was introduced to the general public with a short promotional video of Mark Zuckerberg speaking about these innovative glasses, which can take photos and record video. In the video, Mr. Zuckerberg attempted to appease possible public qualms about the privacy of this technology, noting that an LED light on the frame of the sunglasses turns on to notify those nearby when the glasses are recording. However, this feature is now being called into question by the Irish and Italian regulators: the Irish DPC and the Garante, respectively. Their main question: is a light on the frame enough to adequately notify people that they are being recorded?

Facebook View sunglasses are seen as much less conspicuous than a camera or cell phone in communicating that recording is in progress.

It is important that people who are being recorded have a sense that this is happening. When someone pulls out a camera or a cell phone, for example, the general assumption is that recording is in progress or a photo is being taken. People do not automatically assume that they are being recorded when they see someone wearing a pair of Ray-Bans. Most people are also not looking for a light on a pair of glasses under regular circumstances. According to a joint statement they recently issued, the Irish and Italian authorities do not believe that a pair of sunglasses can adequately give notice that recording is in progress.

The relevant authorities call on Facebook to demonstrate the effectiveness of the LED light in informing people that recording is in progress, and to run an information campaign.

The Irish DPC and the Garante claim that it has not been demonstrated to them that Facebook carried out comprehensive testing to ensure that an LED light would effectively communicate to people that they are being recorded. Facebook is now being called on to demonstrate the effectiveness of the LED light in informing people that they are being recorded. In addition, the authorities are asking Facebook to run an information campaign to adequately alert the public to how this new product may result in much less obvious recording of their images.

“Facebook should also explain whether there are any plans to combine the information recorded using the Facebook View sunglasses with Facebook's existing databases. This scenario seems likely considering that Facebook's core product consists of users sharing photos and videos on the social network, where they can tag their friends and contacts,” points out Cristina Contero Almagro, Partner in Aphaia.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today

Right to erasure: Controller ordered to delete photos

The right to erasure is behind the recent decision by Slovenia's supervisory authority, IPRS, ordering a controller to delete 88 photos.

The Slovenian SA recently ordered a data controller to delete a collection of 88 photos of a data subject, taken over a period of time 7 to 15 years ago. The order, which came this July, was based on the data subject’s right to erasure, as reported by the EDPB. Article 17 of the GDPR gives data subjects the right to obtain from the controller the erasure of personal data concerning them without undue delay, under certain conditions. The controller in this case, a content production agency creating content on the topic of lifestyle, processed a collection of 88 photos of the data subject, who is the complainant in this case. The data subject claimed she did not give permission to have her personal data processed, and then explicitly objected to the processing of her personal data, stating also that there were no compelling legitimate grounds for the processing of her data.

The controller declined the data subject’s demand to have the photos deleted, claiming that the processing was lawful.

The controller refused the data subject’s demands to have her photos removed, claiming that the processing was lawful under Article 6(1)(f) of the GDPR. However, the controller’s claims that the processing was needed for exercising its freedom of expression with regard to media activities, as well as for the public’s right to information, and on the basis of legitimate interests, did not hold up. The Supervisory Authority maintained that the data subject in this case has the right to erasure of her personal data, and that the right to personal data protection needs to be balanced with the right to freedom of expression and information.

The photos and other data features on the website were organized in such a way that a profile could be created on the data subject through a search of her name.

The Slovenian Supervisory Authority found that all the photos indeed represented personal data which formed part of a filing system. The thumbnail and the description of the photos were accompanied by the first and last name of the individual. From the photos and the information provided, it was possible to determine which events she attended, whose company she was in, and also her personal characteristics. A search for the data subject’s name through the website’s search engine could create a profile highlighting the photos and data about her in particular. The content of the website cannot be understood as reporting on a specific event, because it enables a search on the basis of first and last name.

The Supervisory Authority ordered the removal of the photos and any related data, upholding the data subject’s right to erasure.

The Supervisory Authority ordered the controller to delete not just the photos from the website, but also the name of the individual, the URL address and any metadata that enabled access to the photographs. Publications of this nature are usually intended only to reveal interesting information to satisfy the curiosity of members of the public who seek information about public events and the personal lives of specific people. However, in the Slovenian Supervisory Authority’s assessment, the data subject was not an absolute public figure, and the content of the website did not contribute to any debate of social importance, nor did it relate to any topic of public interest. In addition, the controller failed to demonstrate its legitimate interests. As a result, the Slovenian SA decided to uphold the complaint.


CNIL opinion on health passes

The CNIL has issued an opinion on health passes for COVID-19 vaccination and screening, touching on several aspects of their implementation and use.

Since the world’s introduction into this COVID-19 health crisis, well over a year ago, various measures have been implemented to help people work, socialize, and live what can be considered a “normal” life. In striving to return to what was once considered normal, vaccination campaigns have been launched all over the world. Vaccination efforts have been underway for several months now, and while different countries are at different points in that process, one thing is similar in most cases: we are entering a phase where vaccination requirements, and proof thereof, are becoming non-negotiable for access to certain places, experiences and opportunities. There has been backlash from citizens all over the world, who have concerns about their rights, whether human rights in general or privacy in particular. The CNIL of France has now issued an opinion on the matter.

The parameters of the health pass have been extended, and the CNIL deemed it necessary to issue an opinion.

Health passes are not an entirely new concept; however, their application has now expanded to include several aspects of daily life, from restaurants and other establishments to places of employment likely to be affected by the virus. This has raised considerable concern among members of the workforce, as well as the general public. In addition, the retention period for the data attached to the health passes has just been slightly increased, to facilitate the production of recovery certificates. Furthermore, due to the vaccination obligation in certain professions, regional health agencies now have access to the vaccination data of all health professionals under their control.

The CNIL opinion on health passes remains generally consistent with previous opinions issued, with a focus on the specific amendments made.

The CNIL believes that the implementation of a health pass is an ethical choice, justified by the exceptional nature of the health situation, as stated in its previous statements of May 12th and June 7th. However, this month's CNIL opinion on health passes stresses that the current health context can only justify exceptional measures if they remain limited in time and if they are necessary to fight the pandemic. As a result, the CNIL has stated that the impact of the various digital devices on the overall health strategy must be studied and documented regularly, based on objective data, to ensure that the use of these devices ends as soon as the need for them disappears.

The CNIL would like the Government to review the draft decree on several aspects of the health pass.

The control measures for the health pass, which the CNIL voted on on June 7th, are now subject to a few changes. There are new alternative systems in place to control the health pass, which can be managed online. These systems include the “TousAntiCovid Verif” application. The data accessible to controllers has been extended to include information relating to the screening examination or the vaccine carried out, and certain information may be stored temporarily by these devices. As a result of the perceived sensitivity of those systems, the CNIL has called for the Government to review several aspects of the draft decree.

In the CNIL opinion on health passes, there has been a specific focus on ensuring that health professionals are able to exercise their data protection rights. The CNIL urges the Government to limit temporary storage to the sole result of the verification carried out, in accordance with the principle of data minimization. In addition, the CNIL reiterates the need to secure foreign vaccination records with regard to the Government’s dedicated portal, connected to the “certificate converter”, which allows the generation of a health pass valid in France.
