Is your tech GDPR compliant?
Good news! Most tech is GDPR compliant, actually what you need for GDPR compliance is to be responsible and clear in using personal data. I have run into the argument of "we can not do this because of the GDPR" many times lately. It seems like people have internalised the GDPR as "you are not allowed to use personal data" or are just afraid of assuming responsibility for serving their customers responsibly. This is a shame and is proving a huge limitation for using personal data in both the public and private sector.
Then there are also interesting viewpoints into what is and is not covered under the GDPR, which can get very complex. One clear notion is that anything that contains personal data or biometric data needs consent. First of all, there are numerous cases where use of personal data has an exemption or is considered to fall within Legitimate Interest. Like some areas of marketing and publications are under these exemptions, photos and videos are still legal and many countries have also local exemptions for publishing images. The point is to protect peoples personal data without limiting freedom of expression or doing business.
The definition of personal data
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
The interesting thing here is the general nature of this definition. One should understand that this definition is not static or stable in relation to any single dataset or technology. What this means is, that data that is currently not connectable, uniquely, to a natural person is not considered personal data. However, any new discovery that proves the data can be used to identify a natural person, would automatically shift the data in question to be personal data.
Why LIDAR is not GDPR safe
Many companies currently market LIDAR solutions as "GDPR safe", meaning that people can not be identified from LIDAR point clouds "because it's not a picture", e.g. you are not on a camera, in the traditional sense of the word. Or some say that point cloud data does not have biometric data. This is strange, considering that MRI and CT data in the medical field is considered personal data, even though they are not photographs. This is because you can quite trivially see that people are identifiable from shapes alone.
I'm sure that there is some burden of proof that needs to exist that some type of data can be use to identify people, before we need to scramble and ask consent. An interesting thought would be how to handle personal data that was saved before it was considered personal data and would consent for it now be required and can it be given retroactively?
I would say that once there are multiple peer reviewed research papers on identifying people from e.g. LIDAR data, we can say that it should be considered personal data in the same way as video. However, only using video or LIDAR data for some analysis, maybe using edge computing, where only the analysed variables are saved may not constitute use of personal data, at least for the end product. At least we can say that counting the sum of blobs in a video that an algorithm has guessed to be human, lets say 5 humans/hour, does not enable us to identify who passed the sensor. Using edge computing or smart sensors is a good way to minimise use of personal data. However, it is now clear that both video and LIDAR data contain biometric information, that can be used to uniquely identify individuals using common tools.
This technology is not new. Gait analysis has been around for quite a long time and neural networks have now become quite common in image analysis and data processing. This means we must be careful in implementing technological solutions and we need to be diligent in researching the risks involved. This should not deter us from making new discoveries and building new business.
In closing
Sure there are nuances and regional differences that make this topic very complex. I wanted to address two problems I have now faced multiple times. One is poor understanding or confusion on what is allowed in general, the other is a poor understanding of what constitutes personal data. Hopefully this sheds some light on those topics and stirs conversation.
Sources:
- https://gdpr.eu/article-4-definitions/
- https://gdpr.eu/article-85-right-to-freedom-of-expression-and-information/
- https://www.nature.com/articles/s41598-022-18806-4
- https://assets.researchsquare.com/files/rs-1425488/v1/91c3b856-21ad-4a43-b7ff-c33e4ca8560a.pdf?c=1653972928
- https://scholar.google.fi/scholar?q=gait+analysis+on+lidar+data&hl=en&as_sdt=0&as_vis=1&oi=scholart