Data Protection for Mobile Mapping (for experts)

This article is an advanced version of our previous article. It is based on a webinar that we organized together with Arnold Redhammer - Data Protection Officer at Redhammer Consulting.

History of GDPR

The GDPR regulations go back to the Treaty of Lisbon (2009), which enshrined The Charter of Fundamental Rights. All the EU Members agreed, when it comes to personal data, to follow three fundamental principles:

Everyone has the right to the protection of personal data concerning him or her.

Such data must be fairly processed for specified purposes and based on the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of accessing collected data of him/her, as well of having it rectified.

Compliance with these rules shall be subject to control by an independent authority.

However, the turning point arrived in 2018, when GDPR came into force. For the first time, a data protection regulation gave a full-immersion perspective on this topic.

According to its art. 4, personal data is defined as:

“... Any information relating to an identified or identifiable natural person (‘data subject’) [...] who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Similarly, other data protection regulations such as CCPA (California), PIPEDA (Canada) and APPI (Japan) are regulating personal data more or less strictly. That being said, we can generally convey that these regulations define personal data as:

"Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular subject.”

Therefore, objects like faces, body parts (that contain distinctive signs such as tattoos, scars, etc.), license plates and vehicles collected by Mobile Mapping Systems are personal data.

Data Protection & Mobile Mapping

Since 2010, Google has been mapping the street from all over the world using Mobile Mapping. However, countries like Germany and Austria limited the coverage of the service until 2018, when Google was able to deliver high enough quality to match the standards set by the governments.

Neglecting privacy standards could slow down the progress and growth of any company. Anonymization is crucial because it’s more efficient and cost-effective than getting the consent of affected individuals. In fact, data protection laws do not apply to anonymized data.

Implications of Privacy Violations (Europe)

As we mentioned earlier, images and videos often contain faces, bodies and license plates, which are considered personal data. Using this data requires consent from the data subject.

We spotted non-anonymized images on Google Maps close to our headquarter in Linz?

How would you feel if your face or license plate is publicly available on the internet without your consent?

As you can easily imagine, no consent was given from the car owners to publish these images, yet no anonymization is applied, making Google liable to penalties under data protection laws. According to the GDPR, a company can be punished in two ways:

• Fine (art. 83): up to € 20 million or, in the case of a company, up to 4% of the total annual turnover achieved worldwide.
• Compensation (art. 82): calculated case per case by the National Data Protection Authority (DPA)

If fines are the most common form of penalty - until end of August 2020, European data protection authorities have imposed fines of €490 million - compensations might be much more costly.

A real-life example is the Austrian Postal Service (Österreichische Post), who were producing political profiles of around 2 million customers without consent. At the end of the trial, the Austrian Mail Service was sentenced to pay € 18 million (fine). As well, it was estimated that possible damage claims would cost € 1.76 billion (€ 800 per customer).

Public tenders

Given that public sector organizations at all levels (including municipalities) are subject to GDPR compliance, they – just like any other organization around the globe who handles data / personal information relating to people in the EU – need to comply with the GDPR. Public tenders had to adapt their technical and legal requirements to match its standards.

Technical Requirements

In September 2019, the city of Vienna released a public tender to map the entire city of Vienna. Within the tender (text below), they specified in detail what the technical requirements are that the tender winner has to deliver in terms of anonymization:

• Blurring
• Automated Anonymization using Deep Learning
• 99% detection rate
• No systematic errors
• A low number of false detections (false positives)

“Through the act of anonymisation, a previously given direct personal reference is permanently eliminated. This can be achieved by means of permanent pixelation (unsharp mask/blurring) of problematic areas with automation-supported state-of-the-art procedures such as deep learning / artificial intelligence with manual post-processing / control. With regard to the completeness of anonymisation, a triple standard deviation is required (3s, 99% of the data), whereby the errors must not be systematically distributed. The number of false detections (false positives) must be kept to a minimum.”

(Technical Service Description - Mobile Mapping Survey of the city of Vienna, September 2019)

Legal Requirements

Within the GDPR framework, there are always two subjects: data controller (who is responsible for the data) and data processor (any entity that processes these data).

That being said, the data controller (e.g. Mobile Mapping company) needs to ensure that the data privacy standards used to handle the data meets the legal requirements. In order to do so, the data controller needs to require following documents from the data processor:

• Data Processing Agreement: also known as DPA, it is a contract where the data controller says what the data processor (any third-party that processes data for the data controller) is allowed or not to do with the data. For example working with other third party companies or subcontractors.
• Technical & Organizational Measures (“TOM”): A list of measures where the data processor ensures data protection and safety in their processes and facilities.
• Data Processing Register: A register where the data processor documents how data is being processed.

At Celantur, data protection is our core business. That's why, in order to operate as a data processor, we have strong measures in place to comply with the GDPR and other data protection laws:

• Images are processed in GDPR-certified data centers in the European Union
• External Data Protection Officer at service
• All data and storage devices are encrypted
• Annual Data Protection Audit
• Up-to-date Documentation: Technical and Organizational Measures ("TOMs"), Records of Processing Activities and Service Description

Furthermore, our anonymization service allows you to securely distribute your data with other third-parties (e.g. another data processor) or share them publicly.

Summary

• Neglecting privacy standards could slow down your company’s progress as well as costing you a significant amount of money due to fines and compensations (see Austrian Postal Service example)
• Public institutions are not excluded from complying with data protection laws. This impacts the technical and legal requirements necessary to participate in public tenders (e.g. City of Vienna)
• As a data controller, you’re always liable that data is handled in a compliant manner. Ensure that your data processor partners are meeting certain standards (e.g. Data Processing Register)
• Apply anonymization when sharing your data with third parties or publicly.

About Celantur

Celantur offers automated anonymization for images & videos to comply with privacy laws. Specialized in Mobile Mapping, it works as well for automotive and ALPR use cases. Our technology automatically detects the objects to be anonymized and blurs them:

✓ We anonymize all kinds of RGB-imagery: planar, panorama images and videos

✓ Our cloud platform is capable of anonymizing around 200.000 panoramas per day and 90.000 video frames per hour.

✓ Industry-grade anonymization quality: detection rate up to 99%