GDPR and registration plates

Spook_ie wrote: »

Yes or No

Riskymove wrote: »

what makes you think that?

2. This Regulation does not apply to the processing of personal data:
(a) in the course of an activity which falls outside the scope of Union law;
(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
(c) by a natural person in the course of a purely personal or household activity;
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

Spook_ie wrote: »

Yes would probably need a test case but purely personal or household activity would exclude you from uploading it to public servers such as youTube etc. surely?

Lindqvist wrote:

That exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people.

EU Article 29 wrote:

3. THIRD ELEMENT: “IDENTIFIED OR IDENTIFIABLE” [NATURAL PERSON]

The Directive requires that the information relate to a natural person that is “identified or identifiable”. This raises the following considerations. In general terms, a natural person can be considered as “identified” when, within a group of persons, he or she is "distinguished" from all other members of the group. Accordingly, the natural person is “identifiable” when, although the person has not been identified yet, it is possible to do it (that is the meaning of the suffix "-able"). This second alternative is therefore in practice the threshold condition determining whether information is within the scope of the third element. Identification is normally achieved through particular pieces of information which we may call “identifiers” and which hold a particularly privileged and close relationship with the particular individual. Examples are outward signs of the appearance of this person, like height, hair colour, clothing, etc… or a quality of the person which cannot be immediately perceived, like a profession, a function, a name etc. The Directive mentions those “identifiers” in the definition of “personal data” in Article 2 when it states that a natural person "can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity".

"Directly" or "indirectly" identifiable

Further clarification is contained in the commentary to the Articles of the amended Commission proposal, in the sense that "a person may be identified directly by name or indirectly by a telephone number, a car registration number, a social security number, a passport number or by a combination of significant criteria which allows him to be recognized by narrowing down the group to which he belongs (age, occupation, place of residence, etc.)". The terms of this statement clearly indicate that the extent to which certain identifiers are sufficient to achieve identification is something dependent on the context of the particular situation. A very common family name will not be sufficient to identify someone - i.e. to single someone out - from the whole of a country's population, while it is likely to achieve identification of a pupil in a classroom. Even ancillary information, such as "the man wearing a black suit" may identify someone out of the passers-by standing at a traffic light. So, the question of whether the individual to whom the information relates is identified or not depends on the circumstances of the case.

News Piece on FS50186040 wrote:

Recently, the ICO took enforcement action against Hertfordshire Constabulary in circumstances where breach of the DPA by the police could have been avoided had a DPA been carried out. The Constabulary had installed automatic number plate recognition (ANPR) cameras to monitor traffic going in and out of the town of Royston. In a landmark decision, the ICO declared the practice to be unlawful and ordered the Constabulary to cease all processing of information recorded by the cameras immediately and not to resume until an assessment of the risk to individuals’ privacy has been conducted which demonstrates that the practice is in compliance with the requirements of the DPA.

The system was deemed to be unlawful by the ICO because license plates and other vehicle registration marks constitute personal data under the DPA and, as such, the Constabulary was under a duty not to process personal data that was excessive in relation to the purpose or purposes for which it was collected originally. In addition, the practice was found to be a violation of the vehicle license plate holders’ right to privacy under Article 8 of the European Convention on Human Rights

FS50186040 wrote:

The Commissioner does not consider the withheld information in this case to be truly anonymous. This is because in this context the information could be used with other widely available sources to identify the names and addresses of the victims of car crime, and this makes the information the personal data of those individuals. The Commissioner notes that his guidance states that the point of reference when considering identifiability is whether it is above a slight hypothetical possibility that a very determined individual could identify the individuals involved. He believes that the chance is indeed above a hypothetical possibility in this instance. The Commissioner is therefore satisfied that the VRM numbers of individuals and sole traders constitute those individuals’ personal data...