I will start with a background statement. Privacy still remains one of the core democratic values. And invasion into someone’s private life is a threat to the way we like to live. European point of view is well laid in these two Conventions:
- the Convention for the Protection of Human Rights and Fundamental Freedoms (CPHRFF, LT translation):
- Article 8 (Right to respect for private and family life);
- Article 10 (Freedom of expression);
- the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CPIAPP, LT translation).
Full stop. Anybody wishing to discuss, should start with these widely accepted and trusted documents (I deliberately do not discuss less important legal acts).
General European requirements for GMSV service
CPHRFF Article 8 sets the basic principe: “Everyone has the right to respect for his private and family life, his home and his correspondence”. In case for Google Maps Street View service, we see clear interference into family life and private home area.
Therefore all “data subjects” will have rights defined in CPIAPP Article 8, i.e. they shall be enabled:
- to establish the existence of an automated personal data file, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the file;
- to obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him are stored in the automated data file as well as communication to him of such data in an intelligible form;
- to obtain, as the case may be, rectification or erasure of such data if these have been processed contrary to the provisions of domestic law giving effect to the basic principles set out in Articles 5 and 6 of this convention;
- to have a remedy if a request for confirmation or, as the case may be, communication, rectification or erasure as referred to in paragraphs b and c of this article is not complied with.
Moreover, Google will have to provide information, that it will take measures to assure quality of data (CPIAPP Article 5) by assuring, that automatic processing will be:
- obtained and processed fairly and lawfully;
- stored for specified and legitimate purposes and not used in a way incompatible with those purposes;
- adequate, relevant and not excessive in relation to the purposes for which they are stored;
- accurate and, where necessary, kept up to date;
- preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.
Opt-in rule in the European Union
The most difficult legal principle to tackle for Google is set in the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (LT translation).
Article 7, which defines criteria for making automated data processing legitimate, allows it only if:
- the data subject has unambiguously given his consent; or
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
- processing is necessary for compliance with a legal obligation to which the controller is subject; or
- processing is necessary in order to protect the vital interests of the data subject; or
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).
That means, that GMSV should receive a permission from ALL (!) involved data subjects or prove, that GMSV is, in essence, a public interest.
Such a rule is a completely different situation, than Google is used to in US, where opt-out rule (i.e. everybody might be involved, but has a right to withdraw from the system) is used.
Lithuanian authorities deny request made by GMSV
On May 18th, 2012 the State Data Inspectorate of the Republic of Lithuania made a public statement (LT version), where publicly declared (unofficial translation made by me):
[..] The Inspectorate holds, that such processing of images threatens a human right to private life, because during collection process personal data would have been processed at the same time (e.g. persons in streets, cars, etc.)
The Inspectorate refused to issue a permission for “Google” to carry on Google Maps Street View project and process personal data, therefore processing of personal data for that project in Lithuania would be qualified as illegal processing of personal data.
At the same time the Inspectorate will contact Google directly and encourage to respect a human right to private life and obey requirements set out in the laws of the Republic of Lithuania. [..]
Although final conclusions may be made only after carefull investigation on the Google request, but decision made by the local authority seems valid according to local regulation, which is harmonised to the European principles.
Related issues: human rights and social networking services, search engines
On April 4th, 2012, the Committee of Ministers adopted slightly changed versions we finalised in September 2011:
- Recommendation CM/Rec(2012)3 on the protection of human rights with regard to search engines
- Recommendation CM/Rec(2012)4 on the protection of human rights with regard to social networking services
Both these document provide insights for further discussion, where should the limits on the invasion to the privacy should be set in online environment.