2
7/28/2019 International Data Privacy Law 2013 Kuner 1 2 http://slidepdf.com/reader/full/international-data-privacy-law-2013-kuner-1-2 1/2 Editorial Face-to-data—another developing privacy threat? Christopher Kuner*, Fred H. Cate**, Christopher Millard**, and Dan Jerker B. Svantesson*** The constant development of technology gives rise to an equally constant stream of privacy issues. One of the most interesting recent developments is what we can call face-to-data (F2D). F2D refers to at least partially automated processes for accessing personal information about a person based on an image of that person’s face. Ground-breaking research by a team of researchers from Carnegie Mellon University has highlighted that advances in face recognition technology, combined with the widespread posting of images linked to names on, for example, social media sites, and the processing power provided by advances in cloud computing, create a new set of privacy issues, 1 similar to, but also distinct from, traditional privacy issues associated with facial recognition. The Carnegie Mellon University team ran a series of experiments. For example, using a search tool, they built up a database of images and names collected from publicly available Facebook profiles. They then cap- tured images of consenting students and ran those images through off-the-shelf face-recognition software, linking in the data gained from the Facebook profiles. In the test, about a third of the students were identi- fied. The Carnegie Mellon work is striking because it uses commonly available devices (ie an iPhone) to perform highly effective facial recognition using candid photo- graphs, and then links those to a series of databases to generate an immediate response. So, for example, a person may use a phone on a street, take a picture, and within seconds have back the Social Security Number and street addresses of the people photographed. Infor- mation that can then be used to, manually or through automated processes, extract further personal data about those people. In light of this, the facial recognition aspect is only one part of the overall process of concern here, and facial recognition as such is a broader phenomenon than F2D. Thus, to properly understand the phenom- enon we are dealing with, it is undesirable to discuss F2D merely as a facial recognition issue. F2D can of course serve a variety of goals ranging from government surveillance, to business use and to satisfy personal curiosity, and it is interesting to con- sider how current data privacy laws address F2D. And with privacy laws being developed or changed in so many parts of the world, it is even more interesting to consider how the next generation of data privacy laws will address F2D. As is well known, the privacy regulation of today is largely focused on data use that falls outside the private sphere; that is, in those countries that do have some form of privacy regulation in place, there is typically some form of exemption for data use in the context of the ‘private affairs’ of individuals. This means that in most countries, while F2D for business purposes may be regulated, personal use would typically be unregu- lated. Furthermore, even in those countries, such as within the European Union, where commercial use may fall under applicable data protection schemes, it may be possible to circumvent the regulatory impact by placing a simple notice onsite informing potential customers of the use of F2D at that location, and then assuming that their failure to object to the processing should legitimize it. The conclusion is that traditional data protection regulation provides limited comfort for those con- cerned about the impact of F2D. While there have been some improvements to the rules governing consent in the EU General Data Protection Regulation proposed by the European Commission in January 2012, it seems unlikely that even the world’s most modern and pro- tective legislative initiative will satisfy fully those fearing the privacy impact of F2D. * Editor-in-Chief ** Editor *** Managing Editor 1 The highly interesting research findings have been presented by Alessandro Acquisti at various conferences, including IAPP Europe Data Protection Intensive 2012 (April 2012) and the IAPP Privacy Academy 2012 (October 2012). For more information about the research, see: ,http://www.heinz.cmu.edu/~acquisti/face-recognition-study-FAQ/ ., accessed 30 October 2012. International Data Privacy Law , 2013, Vol. 3, No. 1 EDITORIAL 1 # The Author 2012. Published by Oxford University Press. All rights reserved. For Permissions, please email: [email protected]

International Data Privacy Law 2013 Kuner 1 2

Embed Size (px)

Citation preview

Page 1: International Data Privacy Law 2013 Kuner 1 2

7/28/2019 International Data Privacy Law 2013 Kuner 1 2

http://slidepdf.com/reader/full/international-data-privacy-law-2013-kuner-1-2 1/2

Editorial

Face-to-data—another developing privacy threat?

Christopher Kuner*, Fred H. Cate**, Christopher Millard**, and

Dan Jerker B. Svantesson***

The constant development of technology gives rise to

an equally constant stream of privacy issues. One of themost interesting recent developments is what we can

call face-to-data (F2D). F2D refers to at least partially automated processes for accessing personal information

about a person based on an image of that person’s face.Ground-breaking research by a team of researchers

from Carnegie Mellon University has highlighted that

advances in face recognition technology, combinedwith the widespread posting of images linked to names

on, for example, social media sites, and the processingpower provided by advances in cloud computing,

create a new set of privacy issues,1 similar to, but alsodistinct from, traditional privacy issues associated with

facial recognition.

The Carnegie Mellon University team ran a series of experiments. For example, using a search tool, they 

built up a database of images and names collected frompublicly available Facebook profiles. They then cap-

tured images of consenting students and ran those

images through off-the-shelf face-recognition software,linking in the data gained from the Facebook profiles.In the test, about a third of the students were identi-

fied.The Carnegie Mellon work is striking because it uses

commonly available devices (ie an iPhone) to performhighly effective facial recognition using candid photo-

graphs, and then links those to a series of databases to

generate an immediate response. So, for example, aperson may use a phone on a street, take a picture, and

within seconds have back the Social Security Numberand street addresses of the people photographed. Infor-

mation that can then be used to, manually or throughautomated processes, extract further personal data

about those people.In light of this, the facial recognition aspect is only 

one part of the overall process of concern here, and

facial recognition as such is a broader phenomenonthan F2D. Thus, to properly understand the phenom-

enon we are dealing with, it is undesirable to discuss

F2D merely as a facial recognition issue.F2D can of course serve a variety of goals ranging

from government surveillance, to business use and tosatisfy personal curiosity, and it is interesting to con-

sider how current data privacy laws address F2D. And

with privacy laws being developed or changed in somany parts of the world, it is even more interesting to

consider how the next generation of data privacy lawswill address F2D.

As is well known, the privacy regulation of today islargely focused on data use that falls outside the private

sphere; that is, in those countries that do have someform of privacy regulation in place, there is typically 

some form of exemption for data use in the context of the ‘private affairs’ of individuals. This means that in

most countries, while F2D for business purposes may 

be regulated, personal use would typically be unregu-

lated. Furthermore, even in those countries, such aswithin the European Union, where commercial usemay fall under applicable data protection schemes, it

may be possible to circumvent the regulatory impactby placing a simple notice onsite informing potential

customers of the use of F2D at that location, and thenassuming that their failure to object to the processing

should legitimize it.The conclusion is that traditional data protection

regulation provides limited comfort for those con-cerned about the impact of F2D. While there have been

some improvements to the rules governing consent in

the EU General Data Protection Regulation proposedby the European Commission in January 2012, it seems

unlikely that even the world’s most modern and pro-tective legislative initiative will satisfy fully those

fearing the privacy impact of F2D.

* Editor-in-Chief 

** Editor

*** Managing Editor

1 The highly interesting research findings have been presented by 

Alessandro Acquisti at various conferences, including IAPP Europe Data

Protection Intensive 2012 (April 2012) and the IAPP Privacy Academy 2012 (October 2012). For more information about the research, see:

,http://www.heinz.cmu.edu/~acquisti/face-recognition-study-FAQ/.,accessed 30 October 2012.

International Data Privacy Law , 2013, Vol. 3, No. 1 EDITORIAL 1

# The Author 2012. Published by Oxford University Press. All rights reserved. For Permissions, please email: [email protected]

http://www.heinz.cmu.edu/~acquisti/face-recognition-study-FAQ/
http://www.heinz.cmu.edu/~acquisti/face-recognition-study-FAQ/
http://www.heinz.cmu.edu/~acquisti/face-recognition-study-FAQ/
http://www.heinz.cmu.edu/~acquisti/face-recognition-study-FAQ/
Page 2: International Data Privacy Law 2013 Kuner 1 2

7/28/2019 International Data Privacy Law 2013 Kuner 1 2

http://slidepdf.com/reader/full/international-data-privacy-law-2013-kuner-1-2 2/2

Many people may view F2D as a ‘cool’ new technol-

ogy tool. But critics may question the societal benefitsthis technology has to offer. In the end, a widespread

private use of F2D may contribute little to society while presenting a significant risk of potential harm to

privacy. In light of this, some may go as far as to argue

that, with F2D we have finally reached a stage wherethe technology in question is so ‘creepy’ that it does

not matter whether it is merely being used for ‘harm-less’ curiosity.

F2D can also be seen to have highlighted a gap inthe coverage of privacy regulations that focus more or

less exclusively on the conduct of business operators,governments, and organizations. F2D may suggest a

need for a new level of data regulation of personal use

of other persons’ personal data. If such a regulatory re-sponse cannot be developed, and if inadequate steps

are taken to restrict the use of F2D, then privacy advo-cates may call for the recognition of a fundamental

right of anonymity.

In the end, F2D may best be viewed as justanother example of how technology is developed

based on what technology  can do. Should the focusinstead be shifted more to what the technologies we

develop should  do? 2

doi:10.1093/idpl/ips032

 Advance Access Publication 6 December 2012

2 For a deeper discussion of this topic see: D Svantesson, ‘Face-to-data—the ultimate privacy violation?’ (July 2012) 118 Privacy Laws & Business

21–4.

International Data Privacy Law , 2013, Vol. 3, No. 12 EDITORIAL


Class 13 Internet Privacy Law European Privacy

Class 13 Internet Privacy Law European Privacy

Documents
Privacy Law and Compliance

Privacy Law and Compliance

Documents
Privacy_Government and Privacy Law (RJEG)

Privacy_Government and Privacy Law (RJEG)

Documents
Email, Privacy, and Law Enforcement

Email, Privacy, and Law Enforcement

Documents
Informational Privacy, Privacy Law, Consent, and Norms

Informational Privacy, Privacy Law, Consent, and Norms

Documents
Australian Privacy Law & Practice - Pt2

Australian Privacy Law & Practice - Pt2

Documents
The Law Of Privacy - 39 Essex Chambers1 THE LAW OF PRIVACY 1. English law of privacy before the Human Rights Act 1998 The view that English law does not recognise invasion of privacy

The Law Of Privacy - 39 Essex Chambers1 THE LAW OF PRIVACY 1. English law of privacy before the Human Rights Act 1998 The view that English law does not recognise invasion of privacy

Documents
Health and Business Privacy Law

Health and Business Privacy Law

Documents
Disclosure & Privacy Law Reference Guide

Disclosure & Privacy Law Reference Guide

Documents
How Privacy Distorted Standing Law

How Privacy Distorted Standing Law

Documents
MA Privacy Law

MA Privacy Law

Technology
Class 6 Internet Privacy Law Social Media Privacy

Class 6 Internet Privacy Law Social Media Privacy

Documents
California Privacy Law: Resources & Protections

California Privacy Law: Resources & Protections

Technology
Catalyzing Privacy Law

Catalyzing Privacy Law

Documents
1 CLASS 7 Privacy and Law Enforcement pt. 2; Education Privacy Privacy and Information Security Law Randy Canis

1 CLASS 7 Privacy and Law Enforcement pt. 2; Education Privacy Privacy and Information Security Law Randy Canis

Documents
Developments in Security & Privacy Law

Developments in Security & Privacy Law

Business
Kalven - Privacy in Tort Law

Kalven - Privacy in Tort Law

Documents
Privacy Law Essentials template

Privacy Law Essentials template

Documents
Privacy Law

Privacy Law

Education
FEDERAL INTERNET - Fenno Law Firm LAW Similarly, there is no comprehensive federal law governing privacy in general. Internet privacy (and privacy in general) in the United

FEDERAL INTERNET - Fenno Law Firm LAW Similarly, there is no comprehensive federal law governing privacy in general. Internet privacy (and privacy in general) in the United

Documents
PRIVACY & DATA SECURITY LAW JOURNAL

PRIVACY & DATA SECURITY LAW JOURNAL

Documents
Privacy law-update-whitmeyer-tuffin

Privacy law-update-whitmeyer-tuffin

Technology
Upcoming Events - Brussels Privacy Hub Privacy Hub... · Prof. Christopher Kuner at European University Institute Hub Co-Director Prof. Christopher Kuner is a visiting fellow in the

Upcoming Events - Brussels Privacy Hub Privacy Hub... · Prof. Christopher Kuner at European University Institute Hub Co-Director Prof. Christopher Kuner is a visiting fellow in the

Documents
ONLINE PRIVACY LAW

ONLINE PRIVACY LAW

Documents
Privacy in Hebrew Law

Privacy in Hebrew Law

Law
P ratt’s Privacy & cybersecurity Law

P ratt’s Privacy & cybersecurity Law

Documents
Ubicomp challenges for privacy law

Ubicomp challenges for privacy law

Technology
us privacy law

us privacy law

Documents
Privacy!Handbook!! forStudent!! InformationOnline:! · Prepared!by!theFordham!University!School!of!Law!Technology!and!Privacy!Law!Practicum!(Fall!2014).! Privacy!Handbook!! forStudent!!

Privacy!Handbook!! forStudent!! InformationOnline:! · Prepared!by!theFordham!University!School!of!Law!Technology!and!Privacy!Law!Practicum!(Fall!2014).! Privacy!Handbook!! forStudent!!

Documents
Codis Excelerator Codis Excelerator Anil Kuner Sales Director

Codis Excelerator Codis Excelerator Anil Kuner Sales Director

Documents