Commissioner Approved the Street View Service by Google

On 5 July 2011 the Hungarian Data Protection Commissioner has released its final standpoint (Case Nr ABI-2136-3/2010/K) on the Street View service of Google, Inc relating to the Hungarian territory. The Commissioner held that Google may lawfully take street view photos in Hungary, however, the US based search giant shall comply with the requirements articulated by the Commissioner.

As reported earlier in our blog, in May 2009 the Hungarian DPA launched an ex officio investigation in connection with the Street View service of Google relating to Hungary when street view cars appeared on the streets of Budapest. Following the Commissioner’s formal inquiry and with a view to the negotiations on-going between Google and the Commissioner’s Office, Google decided to temporarily suspend the activity of its street-view cars in Hungary. The Commissioner published its final standpoint on the operation of the street view service of Google by 5 July 2011 (the pertaining press release is available here) which laid down several conditions which should be adhered to by Google.

The Commissioner held in its standpoint that the photo-taking activity of Google fits into the definition of “data processing” under the provisions of the Hungarian Data Protection Act. Although it had been acknowledged by the Commissioner that Google does not wish to collect the personal data of passengers, upon personal inspection of the raw street view images taken by the street view cars in Hungary, the Commissioner concluded that individuals are easily identifiable on them, further, the picture of car license plates – also clearly visible on the images – shall be also considered as personal information since same may belong to an individual. Under Hungarian data protection laws, the legitimacy of data processing requires either the voluntary informed consent of the individual or a permission based on law (See Section 3 (1) of the Act). Google identified and indicated to the Commissioner two legitimate purposes she intends to use the collected data: (1) for creation of a database used for mapping services and use of this data for product development, as well as (2) for the provision of Google Street View Service to the public.

The Commissioner considered the above processing purposes as generally acceptable in the Hungarian jurisdiction, however, he also expressed that Google must provide guarantees that the potential privacy impact of its service is duly reduced which is necessary to comply with local data protection laws.

The Commissioner concluded in its standpoint, that raw photograph data could be lawfully processed by Google, since the well-established practice of the Hungarian Supreme Court generally permits the taking of street photos without the individuals’ consent (as laid down by the Hungarian Civil Code) provided that such photo was not aimed at the depiction of particular individuals. However, Google should not publish such photos (personal data), since the provisions of the Hungarian Civil Code require the consent of the individual for same. Consequently, Google should duly anonymize the personal data she collects through its street view photos, otherwise the street view service could not be lawfully operated.

The standpoint of the Commissioner generally relied on the provisions of the European Data Protection Directive (95/46/EC) as well as on the opinion of the Article 29 Working party Nr. 4/2007 on the concept of personal data. In that regard, the WP opinion articulated that that the second element of the definition of personal data (“relating to”) should also consider the purpose of data processing, which can be responsible for the fact that information “relates” to a certain person. The “purpose” element can be considered to exist when the data are used or are likely to be used, taking into account all the circumstances surrounding the precise case, with the purpose to evaluate, treat in a certain way or influence the status or behaviour of an individual. In connection with the evaluation of the Google Street View project, the Commissioner relied upon the following statement of the WP opinion:

Where identification of the data subject is not included in the purpose of the processing, the technical measures to prevent identification have a very important role to play. Putting in place the appropriate state-of-the-art technical and organizational measures to protect the data against identification may make the difference to consider that the persons are not identifiable, taking account of all the means likely reasonably to be used by the controller or by any other person to identify the individuals. In this case, the implementation of those measures are not the consequence of a legal obligation arising from Article 17 of the Directive (which only applies if the information is personal data in the first place), but rather a condition for the information precisely not to be considered to be personal data and its processing not to be subject to the Directive.

With a view to the above, the Commissioner concluded that he would not consider the activity of Google as processing of personal data as being within the material scope of the Hungarian data protection act, if adequate technical safeguards are introduced that removes / blurs the face of individuals as well as the license plate of cars on the street. Following the removal of personally identifiable information, the raw photograph data (including personal data) should be entirely deleted by Google. The Commissioner laid down the detailed list of conditions  which shall be complied with in the course of the entire Street View Project in Hungary, including the following:

Google must publish in advance the time and dated when and where photographs would be taken, not later than one week before the commencement of such activity. The respective notice must be made available also in Hungarian language and the Commissioner shall be informed on the circumstances of taking the photographs.

– It is strongly advised to take the photographs on those times and days when few people are present on the streets, which would mitigate the exposure of individuals and quantity of personal data contained in the raw photographs;

– any photographs taken in “sensitive” areas, such as hospitals and social institutes, shall be treated particularly carefully;

– the recording devices shall be placed at a height which does not show the image of those areas willfully hidden by others (view over fences, hedges and walls) before street passengers;

– Before publication of the images, the data subjects must be provided with the opportunity to object against the photographs taken at specified places on a person, vehicle or real estate.

– Besides submission of objections through the Internet, data subjects shall be provided with the possibility to submit objections via other communication ways, such as postal mail;

– personal information on the photographs must be blurred and raw data must be deleted as soon as possible;

– the purpose of the storage of raw data must be determined and this purpose shall be made public / disclosed by Google;

– data subjects must be informed on the identity of the transferee of raw data as well as on the organizations who may request access to the photographs under the legal provisions applicable to the assigned service provider.

Provided that Google complies with the above conditions, the Street View service would remain out of the material scope of the Data Protection Act according to the standpoint of the Commissioner. The Commissioner made it clear that the consent of individuals is paramount and the presence of individuals on the street could not be considered as consent for taking the photographs by street view cars in Hungary.

Regarding the transfer of personal data to the United States, the Commissioner held that raw photos could not be transferred to the US territory, even if Google abides by the US Safe Harbor framework, since the explicit consent of the individuals could not be obtained by Google to such transfer. (Notably, the effective Hungarian Data Protection Act requires explicit consent for data transfers abroad, see our earlier post on same).

Finally, the Commissioner requested from Google to register/notify its data processing activity to the Hungarian data protection register, which notification shall also include Google’s declaration of undertaking that she would comply with the conditions laid down by the Commissioner.

The Hungarian Commissioner’s standpoint can be reached at http://abiweb.obh.hu/abi/index201.php?menu=azallasfoglalas/2011&dok=ABI-2136-3_2010_K (available only in Hungarian).