Is Google Street View Legal in the UK?

Google Street View

A lot of fuss is happening in the UK regarding the legality of Google Street View. Though the service has been out in the US for about two years now, the UK only got it last month. Many people, including Privacy International, believe that that service is illegal in the UK. Google was aware that the original format of the service would have potentially violated UK legislation, but it consulted the ICO which approved the service when Google stated that it will blur the faces of pedestrians and car number plates.

Some people still argue that their privacy is infringed, but do they have any basis for this argument? 

There are two grounds for suing for the “privacy” violation in the UK, the first is through the Data Protection Act 1998 and the second is through the Article 8 on Privacy of the Human Rights Act 1998.

I will discuss the DPA in this post and will discuss Artile 8 in another post.

Does Google Street View Violate the DPA 1998?

The DPA 1998 covers personal data related to identifiable living persons when processed by a data collector. On its face, Google might fall under the act as it the scope of the act is very wide to include any information related to individual processed in any way using a computer. However, looking closer at the definitions of the these terms might indicate otherwise.

First of all, the personal data (in this case the photograph of the individual and their location when photographed by Google) must ‘relate’ to an identifiable person. The requirement for the info to ‘relate’ to the person is not defined by the act, but the court said in the case of Durant v Financial Services Authority [2003] EWCA Civ 1746 that the mere inclusion of someone’s information in the data is not sufficient for it to ‘relate’ to him. The person must be the ‘focus’ of the  information for it to relate to him and it must affect his privacy whether in his personal, family life, business or professional capacity.

There mere inclusion of someone’s photo on the street in an incidental manner which does not show him as a focus nor affects his privacy in anyway will probably not be held by the court to be falling under the DPA. This means will exclude these pictures from the scope of the act.

In circumstances where a person is the focus of a photograph and the picture shows him in a situation that infringes his privacy that person will be covered by the act if that person is identifiable. Google has tried to blur as many faces as it can. If this person cannot be identified by looking at the picture then that information is not covered by the act. The fact that the person can be identified by using the Google Street View information with other information taken from other sources which help identify the person will not bring the information within the scope of the act.

There are no such thing as the right not have to someone’s house or neighbourhood photographed. The DPA is about personal information and not about owned objects or companies.

Even if someone’s data is considered to fall under the DPA, that does not give them the right to ask for that information to be removed – except in situation of direct marketing or situations where the information causes substantial unwarranted damage or distress.

There is no requirement for a person to ‘consent’ to have his information processed under the DPA if the data collector satisfies any of the conditions of Schedule 2 of the act.

Google’s original form of Street View might have violated the DPA, but their current form with blurred faces and number plates would not violate the DPA if it works correctly to make the individuals unidentifiable. The majority of people photographed in the public not doing anything private would not be subject to the DPA even if there faces were not covered as the information would not be considered to be ‘related’ to them if Durant is to be applied.

Data Protection in the UK

Data Protection in the UK
(Photo Credits: -12°C)

Data protection law is the law that protects personal information about living individuals in the UK from being processed in anyway by commercial entities. This is governed by the Data Protection Act 1998 in the UK. Members of the EU have country-specific legislation implemented through the Directive 95/46/EC (the Data Protection Directive).

Though technically about data, the data protection law in effect is a privacy legislation that is meant to ensure that private information about people is not misused when collected by companies. 

The provisions of the DPA 1996 apply when personal information relating to an identifiable individual is processed by a data controller.

Personal data is defined by the act as “data which relate to a living individual”. This can be ANY data which relates to a person such as name and address, health conditions,  religious beliefs, or any form of recorded information whether textual, visual, etc.  The exact meaning of “relate” is not explained in the act, but it was discussed in the case of Duran v Financial Services Authority [2003] EWCA Civ 1746, where the court held that it “is information that affects [the person’s] privacy, whether in his personal or family life, business or professional capacity'” and that it the person must be “the focus rather than some other person” with home the information is concerned.

The personal information must be related to an “identifiable” person who can be identified (a) from the data or (b) from those data and other information which is in possession of, or is likely to come into the possession of, the data controller. Unlike the EU Directive, the UK act doesn’t cover the incidents where the processed personal data is used along with information held by a 3rd party is combined to identify the person.

 The personal data will only be regulated when it is ‘processed’ by  data controller. This is a very wide term that means obtaining, recording, or holding information or carrying out any operation or set of operations on the information or data, including organisation, retrieval, disclosure, or alignment. The definition used in the act is wide to include every imaginable action you may perform in relationship to data. 

The law imposes obligations on all “data controllers” – these are natural or legal persons who determine the purpose and means for prosesing the personal data. The law also imposes some additional obligations on a “data processor” – which is the natural or legal persons who processes the data on behalf of the data controller.

Rights for Individuals

If an individual’s personal data has been processed by a data collector, then he has the following rights:

  1. Right to access the personal information stored about him to have inaccurate data rectified.
  2. Right to to request an assessement of processing.
  3. Right to prevent processing of data if it causes substantial unwarranted damage or distress.
  4. Right to object to direct marketing.

It is possible to claim compensation for the breach of some of the rights mentioned above.

The Data Protection Principles

The act requires all data controllers to abide by eight data protection principles:

  1. Data must be fairly and lawfully processed and in accordance with one of the conditions in Schedule 2 of the act.
  2. It must be processed for limited purposes and not used for any purposes other than these.
  3. It must be adequate and relevant for the purpose and not excessive.
  4. It must be accurate and up to date.
  5. It must not be kept for longer than is necessary.
  6. It must be processed in line with the rights of data subjects.
  7. It must be processed using appropriate secure measures.
  8. It must not transferred outside the EEA without adequate protection.

The Information Commissioner’s Office is the body responsible for superivsing the adequate compliance by data controllers with the DPA.