Thursday, 18 June 2015

Want to use a Nest Cam in the UK? - Register with the ICO

The announcement that Google’s smart homewares firm Nest has developed a motion-activated web cam for home security purposes sounds like a neat idea for those householders about to leave on holiday, or who want to know what the au pair is doing in their bedroom while they are out at work.

However, householders using the Nest Cam technology in the European Union (EU) need to be aware that any images they capture of people are regarded under Directive 95/46/EC as personal data. As such, those who capture the images need to register with their country’s Data Protection Authority (DPA) as storing personal information and, potentially in order to comply with the registration, put up signs warning people in the house that their activities may be recorded.

The new device comes from developments following the acquisition of Dropcam by Nest in 2014 (Nest itself having only recently been acquired by Google). Motion-activated, it streams and then records live video to Google’s servers. It then ‘alerts’ customers and gives them access to the recordings for 10 or 30 days, for a ‘nominal’ amount of £8 or £24 per month respectively. So that’s the technology bit.

Now the legal aspect. Under EU Directive 95/46/EC, images of people are personal data, and as such should only be managed by a Data Custodian, who can ask a Data Provider to store them on their behalf, although the Data Custodian retains ultimate responsibility for the storage, access and even loss or breach of the data.

Now the fun bit, and why we need the forthcoming EU Data Protection Regulation (#EUdataP, #gdpr) without it being watered down over the coming months.

Data Protection today (UK focused)
The Data Custodian is the person or organisation capturing the personal data, so that is the householder, and Google (with the majority of its servers in the US) will be the Data Provider. With a Nest Cam it could potentially be argued that Google, via Nest, is the Data Custodian, but that misses the real issue: ‘informed consent’ for the data to be stored.

In either circumstance, under 95/46/EC personal data captured in the EU can only be ‘exported’ outside the European Economic Area (EEA) with the explicit consent of the data subject. That is easy when you fill in a bank loan application, but how do you get the ‘ne’er do well’ who is taking your iPad and jewellery from your bedroom to consent to their image being stored by a hosting provider in the US?

Simple fact: you need to alert them to the fact that they are being recorded. Thus a sign such as we see in many ‘public places’ in the UK, stating that images are subject to recording and who the Data Custodian is, is probably going to be required in houses installing a Nest Cam. Furthermore, taken to the limit of UK law, the householder needs to register with the UK Information Commissioner’s Office (ICO) as a Data Custodian (other EU countries have their own DPA). The reason is that if you are not the Data Custodian (in the UK) and you present evidence gathered without the data subject’s consent, that evidence may be inadmissible in court.

Do you really want a Nest Cam? Of course you do, it will be fun when the smallest child says that the dog has eaten the cheese in the fridge. But please ensure you have registered yourself as a Data Controller with the ICO.

Friday, 1 August 2014

EU GDPR - data protection will never be the same again

(This blog entry is based on an AIIM webinar given on 17 July 2014)

As an IT practitioner I have a lot of bitter experience regarding Data Protection. I helped implement the first 1984 DPA in a large chunk of the UK NHS in 1985, and was one of the people involved in the advisory panels for the amendments brought in for the 1998 Act.
For those readers who are unfamiliar with the abbreviation, the GDPR is the European Union General Data Protection Regulation that is intended to replace the current Data Protection Directive, and throughout this blog I will aim to explain the reason for the new Regulation and the differences from the Directive(s).
This blog and its wording are based upon the assumption that most readers are in businesses or organisations which will be affected by the GDPR; there are very few who won’t be. If not, forgive me and contact me later for specifics relating to your context.
Just to clarify, Data Protection is about effectively managing personally identifiable information, ensuring that the rights of the persons identified are not breached. It applies equally to both manual and electronic records.
Data Protection in the EU has been around for a long time, but not because of the bureaucratic ambitions of Brussels. Rather, it supports the founding principles and objectives of the EU, facilitating both free trade and a level playing field for businesses. It also supports the articles of the European Convention on Human Rights (ECHR), which all member states subscribe to.
Like the US Sarbanes Oxley Act (SBA) in 2002, the DP Directive(s) and the new Regulation effectively codify best business practice. The SBA basically enshrined in law the Federal Rules of Business first published in 1937.
The GDPR is not one of those ideas put out by Brussels which will get forgotten. It has been in debate for 20 months, it has had 250 hours of committee time, and it has had 3000+ amendments tabled and addressed. It will happen.
As previously mentioned, EU DP legislation is not new, being 30 years old; however, the original directive did not envisage the rapid march of technology, for example the emergence of social media and cloud. Neither did it consider that the EU would be 28 countries big with ambitions to be bigger. At present, each of the 28 states has its own Data Protection Act and some of them conflict. In addition, multinational companies currently have to register with the relevant Data Protection Authority in each of the member countries within which they operate.
The current directive, snappily named 95/46/EC, is therefore no longer fit for purpose and needs updating for all the reasons mentioned above, and the GDPR has a specific focus on making the rules clearer for both social media and cloud services.
Readers please note: it is a Regulation, not a Directive, so rather than the 28 different interpretations we currently have, it will create a single regulatory landscape within the EU. This is particularly relevant for cloud applications and cloud storage providers.
Meanwhile, until it kicks in, organisations will have to comply with the individual regulations across 28 member states, plus those outside.
AIIM, in association with the London law firm Bird & Bird, is currently producing a definitive guide as to how 11 of those countries’ rules apply to the cloud and, to an extent, how their Information Commissioners are interpreting and enforcing them across a number of different data types.
From the implementation of the GDPR, one single set of rules will apply to all EU member states and there will be one single Data Protection Authority (DPA) within the EU responsible for each company, depending on where the company is based or which DPA it chooses to register with.
The significant changes from the previous directive include:

· The GDPR applies to “any information” (that can identify a person, i.e. a ‘data subject’) whether private, professional or from public life.
· The GDPR requires ‘Privacy by Design and by Default’ (Article 23): data protection must be built into systems and processes, and privacy is therefore accorded a high priority.
· Data controllers in organisations must be able to prove "explicit consent" (opt-in), and consent may be withdrawn by the data subjects.
· A data subject shall be able to request a copy of personal data being processed in a format usable by that person, be able to transmit it electronically to another processing system, and delete it.
· Data Protection Officers (Articles 35-37) are to ensure compliance within organisations. They have to be appointed for all public authorities and for enterprises with more than 250 employees.
· The company’s data controller has to inform the Data Protection Authority (DPA) within 24 hours (this will probably change to ‘without undue delay’) of any breach (Article 31).
· Data subjects must be notified of any adverse impact consequent upon a breach (Article 32).
· The Regulation enforces the ‘right to be forgotten’. Upon withdrawal of consent (or once the data is no longer necessary), an individual’s data must be deleted unless there is a legitimate reason for its retention (Article 17).
· A range of fines can be levied for non-compliance: up to EUR 250,000 or 0.5% of annual global sales for not responding to requests by the data subject or DPA, and up to EUR 1 million or 2% of annual global sales for not complying with specific GDPR regulations. To put that in context, currently in the UK the maximum fine for a breach is £500,000 or EUR 628,500.
The drivers for a change to the directive also reflect what is happening on the ground. Mario Costeja, the Spanish lawyer who recently took a case against Google requesting that it remove search results pointing to ‘outdated’ information on him, won his case in the ECHR, and Google has now established a process for removing such links from searches. However, it has been, to put it mildly, ‘overwhelmed’, with 70,000 individuals requesting the removal of in excess of 250,000 links.
And as we found out here in the UK recently, the ruling could have unforeseen consequences, as when a top BBC journalist was informed by Google that links to one of his blog posts on the BBC website would be cut.
However, this is NOT the right to be forgotten as envisaged by the Regulation, although it is an important step towards it.
I previously referenced the US SBA: that act applied not only to the actions of US companies on US soil but to all their subsidiaries in other countries. With a similar global view, the GDPR applies to any organisation collecting personal data on individuals in any of the 28 EU states, irrespective of where that company is headquartered or where the data is held.
Thus a company such as the cloud-based file sharing and collaboration provider BOX, which does not have any EU data centres, IS subject to the regulation, because it collects personal details on EU data subjects.
The regulation also overrides the legal complexities we have established in current business relationships. For example, a German company signs a contract with the Irish subsidiary of a US cloud provider, fully aware that a backup of all data is physically stored in a data centre in India. While the legal location of the provider would be Ireland, the political location would be the US and the physical location would be India, under the regulation all that data is still legally under German control and the responsibility of the German company.
In April, here in the UK, Trend Micro commissioned some research on awareness of the GDPR, undertaken by Vanson Bourne. It includes some good and some frightening figures. First a scary one: across Europe, 15% of companies were not aware of the GDPR. Then some mixed messages:

· Whilst 88% of British companies said they were aware, a tiny 7% thought their understanding was good.
· Whilst the French had a lower level of awareness overall at 73%, the proportion whose understanding was very good was much higher than in the UK, at 23%.
· Somewhat stereotypically, our German cousins had a very high awareness of a forthcoming EU Regulation, i.e. 92%.
· The really scary figure revealed by the survey is that 14% of British companies do not currently comply with 95/46/EC. That does not put them in a good position for meeting the timescale of the regulation.
Continuing the look at awareness of the GDPR, AIIM undertook some research earlier in 2014, looking at worldwide numbers for financial services organisations. Whilst it had a “what is it?” figure, not surprisingly a bit higher than Trend’s “not aware”, the research also produced the frightening figure that 23.5% did not think the GDPR applied to their organisation.
The vast majority of those organisations have got it wrong! As I have previously expressed, if an organisation holds personally identifiable information, either electronically or in manual form, on EU citizens, the Regulation applies to them in whichever country they are based. And it is not just customer data; it is employee or even associate data (with, it must be added, a few exceptions that would confuse this piece).
Whilst I have an opinion on the date for implementation of the regulation, it is still ‘up for grabs’. The reason is that the Regulation has to be approved by the 700-plus new Members of the European Parliament (MEPs) who took their seats on 1 July 2014. A not insignificant chunk of them don’t like the EU and want to frustrate its operations. However, back to my earlier comments: the Regulation is pretty much ‘done and dusted’ in technical terms. It has been in negotiation for 20 months, there have been 3000-plus amendments tabled and in excess of 250 hours of debating time. I don’t foresee many more changes and neither does the EU Parliament, with a target date for passing the Regulation set for late 2014.
However, for organisations that are worried about addressing the Regulation, there is a 2-year implementation period, recognising that some countries and organisations need to be brought up to a level of compliance. Therefore by early 2017 all organisations need to be ready. Obviously, if an organisation is already complying with its respective country’s Data Protection Act, it should be easier.

So in summary: organisations should not be afraid of the GDPR, unless they are one of the 14% of UK companies that do not currently comply with 95/46/EC. Compliance with the GDPR should not be a big leap, and even for those that don’t currently comply, two years is a big window.
Please note, however, that given the Mario Costeja case and the recent revelations that Facebook tested user responses without their consent, this is ‘hot stuff’, and potentially easy pickings for regulators.
The relevant experience I would like to bring to readers is again that of the SBA. Companies investigated by the SEC for potential breach would spend effectively 6 months in ‘shut down’ whilst their directors and executives provided information to the SEC, irrespective of whether they were compliant or not. Six months in which their competitors could innovate and take market share.
Back to my opening comments: at its base the GDPR is about supporting free competition. It is coming, so grab it and use it; those who are ready will have a major advantage.