German laws - new European "General Data Protection Regulation" (GDPR, DSGVO)

#22
Re: German laws - new German "Basic Data Protection Ordinance" (DSGVO)

Maximilian: Thanks for providing these compact and very readable pieces of information!

I searched for my 1000x filter and if I want to take photographs of something surrounded by lots of people I will use that filter to blurr the people away for the case I want to use that photo on my home page!



Maximilian said:
[...]

BUT:
If you constantly film a scene in case a crime could happen (e.g. car dash cam) this again is forbidden.
As far as I know there is some gray zone: If the camera films constantly but stores only the last e.g. 10 minutes a dashcam system is accepted - and the video material can be used in a trial as body of evidence.
 

Maximilian

The dark side - I've been there
Nov 7, 2013
2,139
89
Germany
#23
Re: German laws - new German "Basic Data Protection Ordinance" (DSGVO)

mb66energy said:
Maximilian: Thanks for providing these compact and very readable pieces of information!
You're welcome.

Maximilian said:
[...]
BUT:
If you constantly film a scene in case a crime could happen (e.g. car dash cam) this again is forbidden.
As far as I know there is some gray zone: If the camera films constantly but stores only the last e.g. 10 minutes a dashcam system is accepted - and the video material can be used in a trial as body of evidence.
This system (with storing only the last few minutes) is not finally decided by the highest courts.
With other systems that constantly films and stores you commit a crime but you are also allowed to use it as commit a crime. ::) ::) ::)
Funny lawmakers, funny lawyers, funny judges.
 

Keith_Reeder

No apologies for not suffering fools gladly...
Feb 8, 2014
676
103
58
Blyth, NE England
#24
So is photography covered or not? And does this affect how the photo magazine interpreted it?


See how messy this gets....?
Late to the conversation, but this is what I do for a living.

So to answer your question Mike - photography is covered, to the extent that an individual is identifiable by a photo: the section you quoteq:

The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.
is simply saying that photos are not automatically "Special Category" data - what used to be called "Sensitive" data in the old UK DPA.

It's not really messy - it's just about making measured considerations.
 

Mikehit

EOS 5D Mark IV
Jul 28, 2015
3,074
277
#25
True. But one think easily overlooked is how interpretation of the laws and the wording drifts over time. I work with sensitive personal information every day and once it was limited to 'can you identify his person immediately '(picture or name/DOB) but it has moved to 'will it narrow down the search' (if you use postcode ) to 'how easy would it be for someone to deduce their identity'. As a result, without any change in the law some authorities have decided we are not allowed to collect initials, DOB or hospital number (or part thereof) all of which were acceptable at one point.
So the issue is not the wording of the law but the latitude it gives someone for interpreting those words combined with increasing (but justifiable) paranoia about personal data.
 

Keith_Reeder

No apologies for not suffering fools gladly...
Feb 8, 2014
676
103
58
Blyth, NE England
#26
In your opinion.
The lawyers consulted by the German magazine said otherwise:
Mike, if an image does not contain personal data (ie nobody is identifiable from image) is it not caught by DP legislation.

If an "identifiable" image is processed (ie the personal data in it used in some way - although simply obtaining and retaining personal data is "processing"), then how the controller is processing the data - how it is being used - will dictate how, and the extent to which, the law bites.

And how do the laws define 'personal use'? My picture of my wife/sister?
My picture of a stranger in the street?
What happens if the stranger decides to use the new laws to make me delete all those frames with him in them because of a breach of privacy?
As a private individual, you are unlikely to be a controller, and therefore you are not bound by GDPR/DPA legislation. Google "Domestic Purposes exemption".
 

Keith_Reeder

No apologies for not suffering fools gladly...
Feb 8, 2014
676
103
58
Blyth, NE England
#27
. I work with sensitive personal information every day and once it was limited to 'can you identify his person immediately '(picture or name/DOB) but it has moved to 'will it narrow down the search' (if you use postcode ) to 'how easy would it be for someone to deduce their identity'. .
Not in law, Mike - the law hasn't meaningfully changed here, even with the introduction of GDPR/DPA 2018 (I assume you're UK based): how quickly or easily an individual can be identified has never been at issue.

I've been a DPA "Subject Matter Expert" for the largest UK holder of personal data (a Govt. department) for about 15 years now - lawyers and barristers come to me for DPA implementation advice, and I deal daily with the ICO - so I'm not uninformed about the subject, and as I say, sensitive data are sensitive data regardless of how quickly an individual can be identified from the data.

The issue around sensitive/Special Cat data is the harm that their misuse can result in: how easy or hard it might be to find a way to unlawfully process these data isn't relevant in law.
 

Keith_Reeder

No apologies for not suffering fools gladly...
Feb 8, 2014
676
103
58
Blyth, NE England
#28
But I doubt police and other government agencies are notifying all the people photographed in high resolution and put in databases.
Nor are they under any obligation to, except in general "we may obtain and use..." terms - to do more could well compromise investigations, and there's an explicit exemption allowing them (us) to avoid that happening.

Of course they will never share those databases with other countries or corporations.
"Of course"? Wrong, in spades. About 90% of my day job is about facilitating the lawful, proportionate sharing of personal data with other government and law enforcement bodies for the purposes of crime prevention and detection.
 

Keith_Reeder

No apologies for not suffering fools gladly...
Feb 8, 2014
676
103
58
Blyth, NE England
#29
But all data protection legislation is in its infancy
The UK has had a DP Act since 1984, Mike - this is old news for some of us.
and there is no clear definition of what is justifiable.
Course there is - DPA compliance is far less complicated than lay people think it is.
And, of course, the government can justify whatever it wants....
That's pretty much the polar opposite of the reality of the situation, Mike. I spend much of each working say saying "nice idea - it won't fly in DPA terms and here's why. Try again..."

The fact is that government depts are so paranoid about reputational damage, that they don't do lots of the things that legally they can do.
 

Mikehit

EOS 5D Mark IV
Jul 28, 2015
3,074
277
#30
how quickly or easily an individual can be identified has never been at issue.
That goes completely against my direct experience with Regulatory Authorities, auditors and inspectors. And while I agree with your view on how it should work, things change when people become responsible for making decisions on what is acceptable - and in those situations people tend to make defensive decisions. The very fact we have different experiences illustrate only one point and that is that the regulations are open to interpretation: in your role you have come to a consensus with key players as to how those regulations should be interpreted but your view is little more than an interpretation by consensus. The ultimate arbiter is the court if it ever gets there.
The regulations are still relatively new with little to no case law. If there were a breach of the law it would be tested in court where the view of people such as yourself would be taken into account and may well prevail, but every law has grey areas and it is distinctly possible that such a grey area could lead to a re-interpretation without the law actually being changed.


This may sound cynical, and I guess it is but I have seen laws and regulations like this drift and adapt in many areas especially when you are balancing things like privacy, public interest, freedom of expression etc.
 

Mikehit

EOS 5D Mark IV
Jul 28, 2015
3,074
277
#31
The fact is that government depts are so paranoid about reputational damage, that they don't do lots of the things that legally they can do.
and that, in a nutshell is my view above - people become paranoid about how their interpretation will be viewed and make decisions unconnected with the intention behind the law. In every walk of life. And eventually that paranoid interpretation can take hold as the 'norm' in behaviour which in turn colours the interpretation.
 

AlanF

EOS 5DS R
Aug 16, 2012
4,046
274
#32
The woman in charge of data control gave a very good interview on the BBC some months ago and specifically made it clear that they would have a light touch and not go for individuals, they are concerned with large corporations etc.
 

YuengLinger

EOS 7D Mark II
Dec 20, 2012
1,940
32
Southeastern USA
#33

"Of course they will never share those databases with other countries or corporations."


"Of course"? Wrong, in spades. About 90% of my day job is about facilitating the lawful, proportionate sharing of personal data with other government and law enforcement bodies for the purposes of crime prevention and detection.
The sarcasm went right past you. Chill, my friend.