A. Street View: the facts
Google claims to be on a worldwide mission to provide the most information to the most people in the most places … all of the time. Although a noble sounding aim, the cynics would say that this is a great way to make money. Over the last few months, the grand Google vision in pursuance of this mission has adopted a new point of view for how to achieve this – a street view.
Many have noticed innocuous-looking cars driving up and down the roads of
The photos being taken capture anything and everything at a particular time. However, this raises concerns because photos of “everywhere” would of course capture the person coming out of the doctor’s surgery or the Alcoholics Anonymous meeting room … to the father of five exiting a lap-dancing club … to the children playing in the local park.
B. Is Street View new?
The Street View project is not new. In May 2007, it was launched in five
But there are, as you might expect, privacy issues. The issues, raised largely by privacy campaigners are also not new, having been tried and tested in the
C. The legal framework
Different countries have different laws covering the privacy aspects of what Google proposes to do. Some, like
i) Data Protection Act 1998
In 1995, the EU passed Directive 95/46/EC “on the protection of individuals with regard to the processing of personal data and on the free movement of such data.” This Directive set minimum standards about data for each EU country to implement in national law. In the
The DPA contains eight central principles affecting personal data.
First Principle: – “Personal data shall be processed fairly and lawfully”.
Second Principle: “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes”.
Third Principle: “Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed”.
Fourth Principle: “Personal data shall be accurate and, where necessary, kept up to date”.
Fifth Principle: “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”.
Sixth Principle: “Personal data shall be processed in accordance with the rights of data subjects”.
Seventh Principle: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
Eighth Principle: “Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protections to the rights and freedoms of data subjects in relation to the processing of personal data”.
Clearly, if the Street View photos do constitute “personal data” (as to which, see below) then the various principles need to be carefully checked and complied with. For example, the first principle is the requirement to process personal data fairly and lawfully. Processing covers any action you might think of – including taking and recording data. Processing “regular” personal data fairly and lawfully can be done in several ways. One mechanism often used is to obtain the consent of the data subject (obviously not practical for Google’s Street View photos). Another condition commonly relied on is that the data processing is necessary for the legitimate interests of the data controller or the recipient of the data, except where this is unwarranted due to prejudicing the rights or legitimate interests of the person whose data is processed. Google may argue that it and its users have legitimate interests and the steps that it has put in place to protect individuals do not unfairly prejudice the individuals’ rights. Exactly what those methods may be is analysed below.
Another complication is that the Street View photos may also capture “sensitive personal data” (i.e. personal data about racial or ethnic origin, political opinions, religious beliefs, physical or mental health, sexual life, and commission of a criminal offences) because the Street View photos may by their nature identify people’s racial origins or people coming out of places of worship or establishments known to be related to sex. Existing complaints on record for the
A further element for “fair and lawful processing” is that the data controller must ensure, so far as practicable, that the individual has readily available to him the details of the identity of the data controller, the purposes for which his data is being processed and any other information that would be fair in the circumstances. This is the world of the “privacy statement” or “privacy policy” which usually gives effect to these requirements. However, it seems clear that Google’s let-out is that to provide information to all possible people covered within its photos would not be “practicable” and therefore not required.
The other principles would also raise other issues but it seems that the main question to address for any of the principles is whether the photos taken by the Google Street View cameras constitute personal data at all. If they do not, the DPA principles will not apply. In the DPA, there are three definitions of particular interest when analysing Street View and privacy concerns. These are:
- “Personal data”, which is defined as any data which relates to a living individual who can be identified: (i) from those data, or (ii) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
- “Data”, which includes any information held in a structured form so that it is readily accessible. This, of course, includes information held on computer.
- A “data controller”, who is someone taking decisions in respect of doing anything with personal data.
Photos do constitute “data”. Whether they are “personal data” is the key issue. The Google Street View photos will of course contain images of people – those people who happened to be there when the photo was taken. This could satisfy the necessary condition for data relating to living individuals who can be identified from those data (although please see the caveat in the next paragraph). Those photos will also contain cars with number plates – those cars which happened to be there when the photo was taken. These photos, if linked to a database of car ownership (which it is not inconceivable that Google may acquire), would identify living individuals. This would satisfy the necessary condition for data relating to living individuals who can be identified from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller. So it seems as if the Google photos could indeed constitute “personal data”.
A large caveat must be applied to this analysis, however. In December 2003, the Court of Appeal heard the case of Durant v FSA [2003] EWCA Civ 1746, which substantially “reinterpreted” the DPA by deciding that the mere mentioning of someone’s (Durant’s) name in a document did not amount to ‘personal data’ under the DPA. (Durant had been unhappy with how he had been treated by Barclays Bank, so he complained to the FSA. The FSA investigated but did not tell Durant the results of its investigation because of duties of confidentiality. Durant then asked the FSA, pursuant to the DPA, to disclose all personal data that it held about him so that he could re-open his case against Barclays. The FSA revealed some information, but not certain data held in a manual filing system, even though manual filing systems are covered by the DPA. Durant took the case to court. The Court of Appeal had said that the FSA was within its rights to refuse to disclose the data to Durant. The FSA’s opinions about Durant were only about his complaint and not about him personally. The Court said that the purpose of the DPA was not to provide a general right of access to all information in which someone was named or involved, but to give someone rights in respect of their privacy. To be ‘personal data’, the individual must not only be identifiable from the data, but the data must also relate to him in a biographical sense. In addition, the Court of Appeal was not keen on the DPA being used as a fishing expedition to obtain documents generally to assist in litigation. The Court said that this interpretation applied not just to manual records but also to computer and other electronic records. So it seems that the fact that persons appear in photos due to “incidental inclusion” would not make the photos “personal data” relating to them.
On the one hand, since the Durant case, it is at least questionable whether photos which include people in them who happen to be around but who are not the focus of the photos constitute “personal data” at all. On the other hand, there is a strong counterweight in the form of the UK Information Commissioner, who has previously warned that we are “sleepwalking into a surveillance society” and has, among other “decisions” decreed that most uses of CCTV fall within the DPA. On balance, it seems that the trend of the courts would be not to treat the Street View photos as personal data if any individual is merely an incidental part of the photo and not the focus of any activity in the photo.
One further caveat applies. Mr Durant is now claiming that he has suffered a breach of Article 8 of the ECHR (which gives everyone a right to respect for their private life). Although taking cases to the European Court of Human Rights is often seen as a desperate last resort, that Court will decide the issue eventually (it could take several years before the Court adjudicates). Given the importance of this landmark case in the interpretation of the DPA, it will be important to follow its progress.
(b) Human Rights Act 1998
The HRA establishes that English courts must have regard to the ECHR. Although never formally admitted by Parliament or any jurist (to date), one effect of this seems to be to create a de facto right of privacy in English law. Case law in this area changes from month to month.
Generally, in English law, anyone has a right (or at least – a civil liberty) to take a photo of the outside of your house. (That civil liberty stops at the front door, though, as any activities, however minor, within the home itself are protected by law (see McKennitt v Ash [2006] EWCA Civ 1714). Against this is the Right to Privacy in the ECHR. For example, Google’s publication of Street View photos of persons dealing drugs, summer day beachside photos of people in bikinis or trunks or celebrities outside rehab centres may infringe those people’s privacy rights, even though conducted in what would usually be considered areas accessible to the general public.
This is a fast-developing area of law. Earlier this year, the Court of Appeal heard the case of David Murray v Big Pictures (UK) Ltd [2008] EWCA Civ 446. Big Pictures published surreptitious photographs of JK Rowling and her family, who were in a public street. The Court of Appeal started by asking whether the persons photographed had a reasonable expectation of privacy, which was decreed to be an objective question based on all the circumstances, including:
(a) the attributes of the person photographed;
(b) the nature of the activity in which he was engaged;
(c) the place at which it happened;
(d) the nature and purpose of the intrusion;
(e) whether or not there was any express or implied consent; and
(f) the effect on the person photographed and the circumstances in which and the purposes for which the information reached the hands of the publishers.
The Court of Appeal went on to say that if there was a reasonable expectation of privacy then the next question to ask is how the balance should be struck between the right to privacy and the publisher’s right to freedom of expression. The Court of Appeal made it clear that children should have greater protection than adults, so extreme care should be taken when children are photographed even in innocuous activities.
Clearly, in this fast-developing area of law, Google is conscious of potential breaches of the HRA and has already taken steps to address the issues.
D. By-passing the problem?
Google is a multi-billion dollar corporation. As might be expected, it takes steps to comply with the law – or at least to minimise the risks of breaking it. To this end, Google has introduced some interesting technical measures and some interesting processes to avoid the DPA and HRA problems.
When Google launched Street View in
Technologies | Technical Processes |
|
|
| 2. Google only uploads photos under a time-lapse system (ie so photos are not uploaded in real time). |
The two technologies used should mean that the vast majority of photos will not constitute “personal data” under anybody’s classification because any identifying features should be automatically removed. However, for anything that is left (eg the software will not blur a T-shirt saying “I live at xxxxxx address”), there is a take-down mechanism in place. Also, the time-lapse system ensures that there is no chance that the photos can be tracked in time.
Importantly, the Information Commissioner has indicated that he is “satisfied” that Google’s safeguards are “adequate” for English legal requirements. Accordingly, the photos should not constitute personal data (under the DPA) and no-one’s rights to privacy (via the HRA) should be infringed.
However, some interesting legal issues remain. Technologies can fail. For example, a foreign number plate with a different background may not be picked up by the number-plate blurring software. A giant might be identified from his “build”. Unique advertising on a car might identify the car. Furthermore, the take-down reporting route will suffer the same issues as YouTube; there will inevitably be a delay between report and take-down.
Although these cases may seem far-fetched, lawyers (particularly in the
For the
Mark Weston is a Partner at Matthew Arnold & Baldwin and Head of the Commercial/IP/IT Department there. He is also Chair of the