3 Proposal for an individual rights impact assessment model
3.3 Elements of assessments of particular relevance to processing by the
3.3.1 Introduction
The impacts which were discussed in section 3.2 are of basic nature and designed to be applied on all location-enabling systems and services regardless of sector and situation. Emphasis was put on privacy protection aspects. In this section we will add certain impacts which we have identified as particularly important for police processing of personal location data as part of investigation and other police work which represents exercise of public authority over citizens or which has direct influence on such authority. Intelligence and other preventive work are important examples of work which may imply direct influence on exercise of authority; even when open sources are used.
We have only selected three elements with particular relevance to processing by the police. The relevance of the first element, lawfulness, is of course not limi-ted to the police and is for instance one of the basic principles of privacy. Thus we could have chosen to discuss it in section 3.2 or both in 3.2 and this section.
General questions of lawfulness of the processing of personal location data are in our view rather obvious and comparatively simpler than when processing is carried out in the police. Thus, we have chosen to limit the discussion to the last mentioned situations. The element contradiction (see section 3.3.4) is also rele-vant to privacy protection, but is not formulated as independent data protection principle. Ability to contradict may however be seen as the objective of central elements of privacy and data protection legislation in particular transparency and access rights. (The third element, regarding extent and type of police power (sec-tion3.3.3), is not closely related to any privacy principle.)
3.3.2 Lawfulness
Fairly and lawfully processing of personal data is a basic requirement in both the Data Protection Directive and the European Convention on Data Protection.182 More importantly, article 8 of the ECHR on “Right to respect for private and fam-ily life”, state in paragraph 2 that ”[t]here shall be no interference by a public au-thority with the exercise of [the right to respect for private and family life] except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.” (Italics added)
Here we will limit discussions to questions of lawfulness and refrain from going into discussions of criteria like “interference” and “necessary in a demo-cratic society”. In the context of location-enabling technology and processing of personal location data, our simple point is that the police always need to consider i) if access to such data represents an infringement of the right guaranteed by ECHR article 8 (1) and ii) if this is the case, if the police have sufficient legal basis to collect these data and further process them.
An individual rights impact assessment as described in section 3.1 (above) should investigate if individual rights could be endangered because there are do-ubts regarding lawfulness of police access to such data. An impact assessment model should assist police and courts in their evaluation of lawfulness. Like in section 3.2, the criteria of the model do not lead directly to conclusions; it rather indicates level of attention and helps to distinguish between (relatively) expecta-bly easy and hard cases.
We will suggest that lawfulness of police access to and processing of personal location data should be assessed according to two aspects:
1. Existence of legal basis and the authority of these sources, and
2. communicative qualities of legal sources and appurtenant legal information.
These criteria are close to criteria developed in case-law of the ECtHR,183 but we underline that our approach represent a much more simple line of action only designed to lead up to in-depth evaluation of legal questions affined to ECHR article 8. The criteria could also be seen as an extension of transparency aspects discussed in section 3.2.7 (above).
Regarding the first aspect, we will suggest the following set of criteria:
1. Police access to and processing of personal location data is not regulated by any legal source. Suggested weight: 10.
182 Cf. art 6(1)(a) respectively art. 5(a).
183 Van der Hilst 2013 discusses ECtHR case law regarding geolocation, see page 173 – 279.
2. Police access to and processing of personal location data is only regulated by internal guidelines and standard operating police routines. Suggested weight: 6.
3. Police access to and processing of personal location data is only regulated by general law. Suggested weight: 3.
4. Police access to and processing of personal location data is regulated by spe-cialised law which directly addresses questions of personal location data.
Suggested weight: 1.
In order to better identify assumed easy and grave cases, our suggested weights are defined over a broader scale compared to those in section 3.2. Thus, here the range is between 1 and 10, while in section 3.2 the range was between 1 and 4.
With “regulate” we both refer to legislation and case-law where a clear opinion is expressed regarding applicable law.
The second aspect regarding communicative qualities of legal sources and appurtenant legal information, seem to presuppose the existence of a legal basis, and thus logically situation 1 above will not be applicable. However, if these situa-tions are not part of assessment of quality of sources, they will receive a mislead-ing low total score. We have therefore included a criteria suited to comprise even these situations.
1. Police access to and processing of personal location data is not regulated by any legal source (and no information of lawfulness exists) Suggested weight: 10.
2. Legal sources are the only source of information regarding police access to per-sonal location data and further processing of such data. Suggested weight: 6.
3. Legal information regarding police access to personal location data and further processing of such data exists and is available on request. Suggested weight: 3.
4. Legal information regarding police access to personal location data and further processing of such data exists and is publically available (without re-quest). Suggested weight: 1.
The criteria above are built on a distinction between legal sources and legal infor-mation. By “legal sources” we mean the authentic texts and “legal information”;
the term refers to information based on legal sources in order to identify and explain legal rules derived from these sources.
Suggested weights of each criterion produce marked differences between them. The effect will be that cases of collection and further processing of personal location data without basis in legal sources or only regulated in police’ internal guidelines, and with no available legal information regarding this issue, will re-ceive score between 12 and 20. High scores will be a signal of needs of very careful legal considerations by the police, courts, privacy advocates and others.
3.3.3 Extent and type of police power
In D1 and D2 report, section 5.8 we raised questions concerning the extent and type of police power and suggested four subcategories which we will apply here.
It may in our view be reasonable to identify subgroups of people according to the degree and type of exposure to police interest and power. The large bulk of people will not be exposed, because in most cases police will only have access to data from a limited time period, geographical area, service provider etc.
Here, we will suggest the following four criteria:
1. Police access to personal location data and further processing of such data is carried out in the course of execution of direct police power (investigation, arrest etc.). Suggested weight: 10.
2. Police access to personal location data and further processing of such data is carried out in the course of surveillance and control (police intelligence work etc.). Suggested weight: 6.
3. Police has access to personal location data, but without using it. Suggested weight: 3.
4. Police access to personal location data and further processing of such data is limited to the aim of protecting and safeguarding these people.184 Suggested weight: 1.
It is natural to assume that special guarantees should be offered to people in every of these four categories. Needs of protection are however very different in situa-tion 1 and 2 compared to situasitua-tion 3 and in particular situasitua-tion 4. In the latter situations, the main requirement is that police respect the strong limitations con-nected to their processing; while in the two first situations processing could be extensive and possibly with very direct and severe consequences for individuals.
We assume it may be very practical that police process personal location data both in the course of e.g. surveillance and investigation, cf. categories 2 and 1. In such cases assessments should be made on basis of the sum of each criteria, i.e.
total weight = 16.
3.3.4 Contradiction
The adversarial principle is fundamental in criminal procedure and should thus be emphasised when access to and further processing of personal location data by the police is considered (by the police, courts, privacy advocates etc.). This prin-ciple may be entrance to many sub-problems but here we will limit ourselves to questions of finding alternative sources which could shed light on the same facts which personal location data is applied to prove/document. The more police may
184 For instance to protect children, senile and other mentally handicapped people.
be said to be in the position of a “information monopoly”, the more careful and critical the police and courts should be regarding police procedures, assessment of possible sources of error, data quality etc.
The more difficult it is to understand the technological aspects of processing, the stronger considerations should be of possible dangers of deficient possibilities to contradict. Such considerations are especially well-founded in situations where technometric techniques are applied, i.e. in situations where assumptions of a certain individual’s movements are based on location of objects connected to this person.185
We suggest the following criteria as basis to access the contradiction aspect:
1. There is only one known and available technologically based source of data that could shed light on locations of individuals in the case at hand. Suggested weight: 10.
2. There are several known and available technologically based sources of data that could shed light on locations of individuals in the case at hand, but these takes special expertise to access and interpret. Suggested weight: 6.
3. There are several known and available technologically based sources of data that could shed light on locations of individuals in the case at hand which expectedly could be accessed and interpreted without special expertise.
Suggested weight: 3.
4. There are several known and available sources (technological and other) of data that could shed light on locations of individuals in the case at hand which expectedly could be accessed and interpreted without special expertise.
Suggested weight: 1.
By “individuals” we refer to data subjects receiving special attention by the police as suspect, witness or in similar roles which actualise needs of legal protection. A source may be considered available if there are no insuperable formal or practi-cal/technical obstacles.
The first alternative will easily be apprehended by the data subject as a “black box experience”, i.e. a situation where input and output may be observed and understood but with no possibility to understand the encapsulated technological processes without help from experts. In such situations it should be expected that it will be hard for the data subject to contradict, i.e. produce an alternative under-standing of location data produced by a technical system. The possibility to for data subjects to contradict is better in situations 2 to 4 (above), because here there are several alternative sources of location data which may be compared. The dif-ference between situations 2 to 4 relates first and foremost to the level of expertise required and the type of data source.186
185 See D1, section 3.3. Even establishment of location based on biometric technology have uncertainties that should be taken very seriously.
186 “Other” source of data may for instance refer to a witness, a finger print etc.