Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

GDPR and registration plates

  • 29-01-2019 2:58am
    #1
    Registered Users, Registered Users 2 Posts: 10,896 ✭✭✭✭


    Reading through a thread in the cycling forum when several posters refered to the Garda Twitter feed and if posting a registration number was "personal" data.

    Now I do know that under normal circumstances a registration number shouldn't be able to ID a driver, however, and this is where I'm looking for clarification if you put a registration number of a taxi into the Check if this vehicle is a licensed taxi web page then certain personal information is reported back such as the license owners name.

    https://www.transportforireland.ie/taxi/check-if-a-taxi-driver-is-properly-licensed/


    Also if the same information is input into the Driver Check App then you end up with a mugshot of the driver ( assuming he's followed the law and registered the link between himself and the taxi )

    https://www.transportforireland.ie/taxi/taxi-driver-check/


    To me that would certainly be personal data and if posted via a third party to Boards.ie or YouTube etc. would contravene the GDPR and leave the 3rd party liable?

    Yes or No


Comments

  • Registered Users, Registered Users 2 Posts: 10,900 ✭✭✭✭Riskymove


    Spook_ie wrote: »
    Yes or No

    It depends:pac:!

    simply being personal data does not mean it is against GDPR to share it.

    For example, if taxi drivers consent to their info being used in this way or its part of the terms and conditions of a taxi license etc. that this driver check is available then it most likely would not breach GDPR.

    TFI would need to ensure that the App was complaint


  • Registered Users, Registered Users 2 Posts: 10,896 ✭✭✭✭Spook_ie


    But the consent from taxi drivers is that you can access the information to prove /disprove a person is the licensed driver for that vehicle and for no other reason, if someone takes that information and uses it for a different purpose then do they become a joint data controller and become liable for the misuse of that data?


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 78,393 Admin ✭✭✭✭✭Beasty


    Surely if your taxi is being used in a business (as it clearly is) then your potential customers have a right to know who you are (in the same way they can see your ID in the taxi)


  • Registered Users, Registered Users 2 Posts: 10,896 ✭✭✭✭Spook_ie


    Spook_ie wrote: »
    But the consent from taxi drivers is that you can access the information to prove /disprove a person is the licensed driver for that vehicle and for no other reason, if someone takes that information and uses it for a different purpose then do they become a joint data controller and become liable for the misuse of that data?
    Beasty wrote: »
    Surely if your taxi is being used in a business (as it clearly is) then your potential customers have a right to know who you are (in the same way they can see your ID in the taxi)

    Yes but that doesn't necessarily mean that a taxi driver has given permission for personal date to be replicated onto a 3rd party server, such as when someone posts a video to Youtube that identifies a taxi via registration plate or plate number which then allows people to further obtain information.

    As an example, some terrible standard of driving exhibted but does the posting of such personally identifiable information contravene GDPR regulations?

    https://www.youtube.com/watch?v=RrFOJrOYDnU&t=2s

    I know there are exemptions but if GDPR applies then it does state that footage be kept safe which means you can't post it to public web sites as you have then relinquished control.

    A brief synopsis of GDPR referencing dashcams is available

    https://www.dataprotection.ie/en/guidance-landing/guidance-drivers-use-dash-cams

    And I would imagine if push came to shove the same GDPR principles will apply to cyclecams etc.

    EDIT

    Just as further thought if my car was involved in an incident, recorded and ID'd on YouTube etc. but my wife was the driver (legally possible as long as she isn't plying for hire and is carrying out a task directly involving the repair/maintenance etc. of the vehicle ) then the posters would likely be in total violation of GDPR legislation and indeed could be opening themselves to defamation proceedings if people associated me as the driver at the time.


  • Registered Users, Registered Users 2 Posts: 1,932 ✭✭✭huskerdu


    Dont forget that GDPR applies only to organisations, not to individuals.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 10,900 ✭✭✭✭Riskymove


    huskerdu wrote: »
    Dont forget that GDPR applies only to organisations, not to individuals.

    what makes you think that?

    ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

    In regards to the law a 'natural person' is someone like you or I, a carbon-based lifeform who breathes air, whereas a 'legal person' can be an organisation. So a data controller will include you and your company, it isn’t just organisation but individuals. Anyone who holds data on 'natural persons' is a 'data controller'.


  • Registered Users, Registered Users 2 Posts: 9,176 ✭✭✭blackwhite


    Riskymove wrote: »
    what makes you think that?

    https://gdpr-info.eu/art-2-gdpr/


    Article 2, section 2 (b) specifically exempts individuals when acting in purely personal activities.
    Any legal advice I've seen on it has taken that to mean anything that is not linked to work/profession - but until it's tested via the courts then it remains to be proven.
    2. This Regulation does not apply to the processing of personal data:
    (a) in the course of an activity which falls outside the scope of Union law;
    (b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
    (c) by a natural person in the course of a purely personal or household activity;
    (d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.


  • Moderators, Social & Fun Moderators, Society & Culture Moderators Posts: 10,581 Mod ✭✭✭✭Robbo


    blackwhite wrote: »
    https://gdpr-info.eu/art-2-gdpr/


    Article 2, section 2 (b) specifically exempts individuals when acting in purely personal activities.
    Any legal advice I've seen on it has taken that to mean anything that is not linked to work/profession - but until it's tested via the courts then it remains to be proven.
    One of the most celebrated cases in the field establishes that the household exemption should be construed narrowly. It's rather surprising that your legal advisors could have missed this.


  • Registered Users, Registered Users 2 Posts: 10,896 ✭✭✭✭Spook_ie


    blackwhite wrote: »
    https://gdpr-info.eu/art-2-gdpr/


    Article 2, section 2 (b) specifically exempts individuals when acting in purely personal activities.
    Any legal advice I've seen on it has taken that to mean anything that is not linked to work/profession - but until it's tested via the courts then it remains to be proven.
    2. This Regulation does not apply to the processing of personal data:
    (a) in the course of an activity which falls outside the scope of Union law;
    (b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
    (c) by a natural person in the course of a purely personal or household activity;
    (d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.


    Yes would probably need a test case but purely personal or household activity would exclude you from uploading it to public servers such as youTube etc. surely?


  • Registered Users, Registered Users 2 Posts: 10,900 ✭✭✭✭Riskymove


    blackwhite wrote: »
    Article 2, section 2 (b) specifically exempts individuals when acting in purely personal activities.

    yes but that is quite different than "it does not apply to individuals"

    If the intention was that it didn't apply to individuals then it would have said that I think. it isn't a blanket exemption

    My view would be that an individual processing other people's data in many situations could well be considered a data controller


  • Advertisement
  • Moderators, Social & Fun Moderators, Society & Culture Moderators Posts: 10,581 Mod ✭✭✭✭Robbo


    Spook_ie wrote: »
    Yes would probably need a test case but purely personal or household activity would exclude you from uploading it to public servers such as youTube etc. surely?
    100%. The most common analogy for the "household exemption" is the old fashioned personal phone book gathering cobwebs by the equally dusty landline. No problem with it sitting there for the rest of eternity, issues arise when it grows legs or gets published elsewhere.


  • Registered Users, Registered Users 2 Posts: 9,176 ✭✭✭blackwhite


    Robbo wrote: »
    One of the most celebrated cases in the field establishes that the household exemption should be construed narrowly. It's rather surprising that your legal advisors could have missed this.

    In-house legal have never raised that to us - but then given we're a large corporate then it's never been the key focus.
    Any GDPR training we've been given has always said that anything done on a personal basis, unconnected to work, was highly unlikely to fall under the scope.

    Will mention it in next meeting we have with them


  • Registered Users, Registered Users 2 Posts: 8,922 ✭✭✭GM228


    Spook_ie wrote: »
    Yes would probably need a test case but purely personal or household activity would exclude you from uploading it to public servers such as youTube etc. surely?

    We don't need a test case, we already have one.

    The Case C-101/01, Lindqvist vs Jönköping 2003 gave us our answer:-

    http://curia.europa.eu/juris/document/document.jsf?text=&docid=48382&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=11021608
    Lindqvist wrote:
    That exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people.


    With regards to the question of registration plates, the DPC does consider them to be personal data in accordance with the EUs Article 29 "Opinion 4/2007 on the Concept of Personal Data" as it will indirectly make someone identifiable:-

    https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf
    3. THIRD ELEMENT: “IDENTIFIED OR IDENTIFIABLE” [NATURAL PERSON]

    The Directive requires that the information relate to a natural person that is “identified or identifiable”. This raises the following considerations. In general terms, a natural person can be considered as “identified” when, within a group of persons, he or she is "distinguished" from all other members of the group. Accordingly, the natural person is “identifiable” when, although the person has not been identified yet, it is possible to do it (that is the meaning of the suffix "-able"). This second alternative is therefore in practice the threshold condition determining whether information is within the scope of the third element. Identification is normally achieved through particular pieces of information which we may call “identifiers” and which hold a particularly privileged and close relationship with the particular individual. Examples are outward signs of the appearance of this person, like height, hair colour, clothing, etc… or a quality of the person which cannot be immediately perceived, like a profession, a function, a name etc. The Directive mentions those “identifiers” in the definition of “personal data” in Article 2 when it states that a natural person "can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity".

    "Directly" or "indirectly" identifiable

    Further clarification is contained in the commentary to the Articles of the amended Commission proposal, in the sense that "a person may be identified directly by name or indirectly by a telephone number, a car registration number, a social security number, a passport number or by a combination of significant criteria which allows him to be recognized by narrowing down the group to which he belongs (age, occupation, place of residence, etc.)". The terms of this statement clearly indicate that the extent to which certain identifiers are sufficient to achieve identification is something dependent on the context of the particular situation. A very common family name will not be sufficient to identify someone - i.e. to single someone out - from the whole of a country's population, while it is likely to achieve identification of a pupil in a classroom. Even ancillary information, such as "the man wearing a black suit" may identify someone out of the passers-by standing at a traffic light. So, the question of whether the individual to whom the information relates is identified or not depends on the circumstances of the case.

    In 2013 in the UK Hertfordshire Police fell foul with the Information Commissioners Office who also considered registration plates were personal data as per their decision FS50186040.
    Recently, the ICO took enforcement action against Hertfordshire Constabulary in circumstances where breach of the DPA by the police could have been avoided had a DPA been carried out. The Constabulary had installed automatic number plate recognition (ANPR) cameras to monitor traffic going in and out of the town of Royston. In a landmark decision, the ICO declared the practice to be unlawful and ordered the Constabulary to cease all processing of information recorded by the cameras immediately and not to resume until an assessment of the risk to individuals’ privacy has been conducted which demonstrates that the practice is in compliance with the requirements of the DPA.

    The system was deemed to be unlawful by the ICO because license plates and other vehicle registration marks constitute personal data under the DPA and, as such, the Constabulary was under a duty not to process personal data that was excessive in relation to the purpose or purposes for which it was collected originally. In addition, the practice was found to be a violation of the vehicle license plate holders’ right to privacy under Article 8 of the European Convention on Human Rights

    https://ico.org.uk/media/action-weve-taken/decision-notices/2009/494046/FS_50186040.pdf
    FS50186040 wrote:
    The Commissioner does not consider the withheld information in this case to be truly anonymous. This is because in this context the information could be used with other widely available sources to identify the names and addresses of the victims of car crime, and this makes the information the personal data of those individuals. The Commissioner notes that his guidance states that the point of reference when considering identifiability is whether it is above a slight hypothetical possibility that a very determined individual could identify the individuals involved. He believes that the chance is indeed above a hypothetical possibility in this instance. The Commissioner is therefore satisfied that the VRM numbers of individuals and sole traders constitute those individuals’ personal data...


  • Registered Users, Registered Users 2 Posts: 10,896 ✭✭✭✭Spook_ie


    Follow on question

    Given the furore about the Garda Twitter account and asking people to remove unredacted videos.

    If I were to post a video photograph etc. to someone's Twitter account that is then visible to their followers who is responsible for the further dissemination of the data would it be Twitter, the account holder or the poster. On the basis that afaik the account holder can't delete someone's tweet from their page the onus should surely be on either the poster or Twitter?


  • Registered Users, Registered Users 2 Posts: 10,896 ✭✭✭✭Spook_ie


    Interesting that the Data Protection Commissioner doesn't seem to share the same levels of concern as the EU and that there are minimal breaches of GDPR.

    http://www.stickybottle.com/latest-news/data-protection-commissioner-garda-cyclists-videos/


  • Moderators, Social & Fun Moderators, Society & Culture Moderators Posts: 10,581 Mod ✭✭✭✭Robbo


    Spook_ie wrote: »
    Interesting that the Data Protection Commissioner doesn't seem to share the same levels of concern as the EU and that there are minimal breaches of GDPR.

    http://www.stickybottle.com/latest-news/data-protection-commissioner-garda-cyclists-videos/
    I doubt it's an area she wants to even have to make public pronouncements on (or "verdicts" as the terribly written article would suggest). Her office spent long enough avoiding any meaningful regulation of the giants of the field that having to fine John Q Cyclist because he failed to comply with a subjects access rights would be the last thing on the agenda.

    A further exemption that I've seen mentioned in relation to this controversy has been the "journalistic exemption" that may be applied to those who publish such footage online. The recent jurisprudence would suggest that anyone who's ever seen a keyboard is now some form of journalist so have at it.


Advertisement