Shoot later ask questions first
18 October 2016
Wearable cameras have been in the headlines quite a bit recently. The moment BBC presenter Jeremy Vine ‘got a kicking’ (as he put it) whilst cycling to work was captured by his helmet mounted camera.
Wearable cameras have been in the headlines quite a bit recently. The moment BBC presenter Jeremy Vine ‘got a kicking’ (as he put it) whilst cycling to work was captured by his helmet mounted camera. He published that footage online, and it led to his alleged assailant being identified and arrested. On the other side of the pond, Snapchat (or, ‘Snap’, as it is now more snappily known), a company familiar both to millennials and ‘sexters’ generally for its ephemeral messaging services, picked up where Google Glass left off three years ago, by announcing its launch of video recording sunglasses with a design and price aimed at the mass market.
You might be one of thousands of people who film their two wheeled commute to work out of concern for their safety, or just someone keen to log and share memories recorded from a first person perspective with friends and family. But in a world where take up of wearable cameras seems likely only to increase, there is limited public awareness of the legal framework in which such devices operate, particularly when it comes to data protection and privacy.
Why should I care?
You might have heard of the Data Protection Act 1998. It’s an English law with European origins. Generally people come across it when making a subject access request to find out what information a company holds about them. Or when they are one of a number of unlucky customers who receive a communication from a business notifying them that their confidential information has been stolen. Key to the Act are eight Principles which impose various obligations on controllers of personal data.
When we go about our daily lives outside of work, most of us would be forgiven for not giving a second thought to the Act or its Principles. And why should we? After all, the Act provides us with an exemption where our processing of personal data is for the purpose of our personal, family or household affairs (including recreational purposes). It’s because of this so-called ‘domestic purposes’ exemption that we don’t generally have to worry about the Information Commissioner breathing down our necks.
But the domestic purposes exemption isn’t a ‘get out of jail’ card. In fact, when it comes to filming public spaces, the exemption is arguably of limited use, as a Czech gentleman called Mr Ryneš found out. Poor Mr Ryneš was fed up of his family home being attacked by miscreants, so he installed CCTV to record the entrance to his home, a public footpath and the entrance to the house opposite. One night, it picked up one of his windows being broken by a shot from a catapult, and made it possible to identify two suspects. The footage was handed to the police and it was used in subsequent criminal proceedings. When one of the suspects challenged the lawfulness of Mr Ryneš’ activities, the case went up to the European Court. It held that the domestic purposes exemption didn’t apply because Mr Ryneš’ CCTV was monitoring a public space. The exemption is further eroded by another seemingly harmless activity linked to the use of wearable cameras: uploading footage featuring other people to the internet. This time it was a Swedish lady called Mrs Lindqvist who fell foul of the law. She set up a website where she published her fellow churchgoers’ personal data such as their names, jobs and hobbies without their knowledge. In many cases she also mentioned their family circumstances and telephone numbers. And in one case an injury. The parishioners weren’t best pleased. Mrs Lindqvist was fined. She appealed, and her appeal ended up in the European Court. It held that where personal data are published on the internet so that those data are made accessible to an indefinite number of people, the domestic purposes exemption doesn’t apply.
So where does this leave me?
The net result of these two decisions is that consumers who use wearable cameras to record others whilst in public spaces and/or publish such footage online are going to need to consider how the Act and its Principles apply to their activities, as they’re unlikely to fall within the domestic purposes exemption. It doesn’t necessarily mean that they’re breaching the Act, but they might well need to take some steps to comply with it.
That exercise is likely to be all the more important given that wearable cameras are potentially more intrusive than CCTV due to their mobility. This makes them less easy to spot and, once spotted, to work out whether or not they are recording, or if you are in their field of view. Unlike smartphones which will usually be held up at face height when recording, wearable cameras are static and generally less conspicuous. The fact that most devices record audio as well as video adds to the intrusion.
And because of their portability, people might be more inclined to use them in circumstances where those being filmed might well have a reasonable expectation of privacy. That doesn’t just mean in obviously private places such as someone else’s home, public toilets or a shared changing room at the gym. It can also include public places. Whether or not a reasonable expectation of privacy exists turns on the facts, and depends on matters such as who the person being filmed is, what they are doing, where they are doing it, why they are being filmed, whether they have consented and the effects of the filming on them. A road side suicide attempt, entering a drug clinic for treatment, or children – who are accorded a special status under the law – walking on the street, are all circumstances where judges have held privacy might reasonably be expected. If you’re starting to feel a bit confused, don’t worry: you’re not alone. Even the judiciary get it wrong sometimes.
That’s all very interesting, but what does it mean in practice?
- So before you don your wearable camera, press record and stroll down the street, you’ll likely want to assess whether you’re complying with the Act by asking yourself some basic questions, such as:
- do I need to use a wearable camera? Is there another less intrusive way to achieve the same result?
- do I need to register with the Information Commissioner as a data controller?
- why will I film, and is that reason a legitimate one? In circumstances where obtaining the consent of those being filmed is often not practicable, you’ll need to be especially clear about this.
- how will I let people know that I’m filming, why I’m filming or what I’m going to do with the footage?
- how will I make sure that the footage captured is not excessive? Do I need to record audio as well as video? Do I need to film continuously?
- will I need to keep the footage? If so, for how long?
- will the footage be kept securely, by using available security measures such as passwords, encryption etc?
- if people featured in the footage ask for a copy, am I prepared to give it to them? If so, how will I make sure other people’s rights are respected?
- will I share the footage with others?
These aren’t by any means an exhaustive list of questions, but might be a helpful place to start. There a couple of additional important points worth remembering.
Simply capturing footage on your wearable camera is quite a different activity to, and is significantly less intrusive than, for example, publishing it online – the latter is more likely to engage rights of privacy and data protection of those filmed. After all, you can’t stop other people looking at you when you’re out in public, and as one judge famously put it: “[t]he taking of photographs in a public street must … be taken to be one of the ordinary incidents of living in a free community.” But publishing footage online to millions of people is quite a different proposition. So think very carefully before uploading your footage online if you don’t have the subjects’ consent, as in most cases it will not be justifiable, even if capturing it was.
You should also keep in mind that under the Act, certain types of personal data are more sensitive than others, and are afforded greater protection. This includes data about someone’s sex life, health or the alleged commission of an offence. So, for example, if you and your wearable camera have the misfortune of witnessing or being involved in an accident, it’s quite possible that you will have processed sensitive personal data.
Help me! Privacy by design
Whilst this might seem quite a lot to think about, many tech companies are making life easier for us by incorporating privacy protecting features into their designs. Although those features can often result in efficiencies, such as saving on battery life, there’s also a new European law which comes into force in May 2018 which requires businesses to build them in. (FYI, the newly appointed Information Commissioner in the UK has made clear that she doesn’t think Brexit should mean Brexit when it comes to standards of data protection. So privacy by design isn’t a concept which is going away, regardless of the UK’s withdrawal from the EU).
So it’s not surprising to learn therefore that Snap’s Spectacles, like many other wearable cameras, apparently have an outfacing light which illuminates to show others when they’re recording. Or that given the potential difficulty in justifying continuous recording as not being excessive, Snap’s Spectacles are reported to stop recording automatically after 10 seconds. Privacy by design also requires other granularity, such as the ability to turn on and off video and audio recording independently of each other. But providing us with those features can only go so far. At some point we have to think about we’re doing, and exercise our own judgement about what features to use, and when.
Privacy protecting features are only going to become more important as additional functionality is added. Although Google Glass banned apps which used biometric data such as facial recognition or voice print to identify people, that didn’t stop those apps from being developed. Before the project ended, various apps were springing up which leveraged that ability. One provided ‘Glassholes’ (as early Google Glass adopters were pejoratively known) with personal information such as names, photos, and dating website profiles of strangers they were looking at with the glasses. It also cross referenced those images against criminal databases just for good measure.
When first launched, Google Glass (and indeed those who wore them) were criticised for being ‘creepy’. But in privacy circles, ‘creepiness’ is often another way of measuring a lack of transparency, or awareness of what is going on. Which is why the law places so much emphasis on controllers communicating what they are doing with personal data, and why. In terms of wearable cameras, this is a difficult challenge, and the regulator recognises that potentially innovative ways may need to be found in order to discharge that responsibility. But in a world where the law increasingly expects innovators to assess the impact on privacy of their activities, the time has come where we, the consumers, need to do the same by asking questions before shooting on wearable cameras.