Computer Vision and Image Understanding : Privacy Risks and the Regulation of Processing Under the General Data Protection Regulation
Blomberg, Meeri (2019-01-09)
Computer Vision and Image Understanding : Privacy Risks and the Regulation of Processing Under the General Data Protection Regulation
Blomberg, Meeri
(09.01.2019)
Julkaisu on tekijänoikeussäännösten alainen. Teosta voi lukea ja tulostaa henkilökohtaista käyttöä varten. Käyttö kaupallisiin tarkoituksiin on kielletty.
suljettu
Julkaisun pysyvä osoite on:
https://urn.fi/URN:NBN:fi-fe201902054095
https://urn.fi/URN:NBN:fi-fe201902054095
Tiivistelmä
This thesis analyses regulation of computer vision technology under the General Data Protection Regulation (GDPR). The ability to automatically read images and extract information from them provides data controllers with new ways to benefit from visual data. However, the use of computer vision technology also has the potential to violate an individual’s right to privacy and data protection. The aim of this thesis is to determine whether the GDPR and its safeguards are able to prevent and mitigate the privacy risks that data processing with computer vision technology may cause. This question is answered through the consideration of the special characteristics of the computer vision processing and relevant articles of the GDPR.
This study shows that visual data are in many cases personal data. In addition, certain categories of personal data are subject to a higher level of protection under the Article 9 of the GDPR. The applicability of Article 9 to visual data that reveals specific categories of personal data remains ambiguous. It is prohibited to use computer vision to process biometric data for the purpose of uniquely identify an individual. The definition of biometric data, however, does not specify the technologies to which it can be applied. This thesis argues that in the context of computer vision technology the traditional principles of processing and rights of the data subject can be difficult to implement into the processing.
The GDPR has introduced new safeguards for processing: the principle of privacy by design and default and the requirement to undertake a Data Protection Impact Assessment (DPIA). It follows from these measures that controller is required to assess the possible risk of processing to ensure a level of GDPR compliance that effectively protects the rights and freedoms of data subjects. A DPIA is potentially an effective tool to identify and prevent the risks that processing with computer vision may encompass. However, the GDPR leaves a significant amount of discretion to the controller. It is up to the controller to decide when the risks of the processing are on acceptable level. The effectiveness of new safeguards therefore depends on the controller’s ability to identify the possible risks and measures to mitigate them.
This study shows that visual data are in many cases personal data. In addition, certain categories of personal data are subject to a higher level of protection under the Article 9 of the GDPR. The applicability of Article 9 to visual data that reveals specific categories of personal data remains ambiguous. It is prohibited to use computer vision to process biometric data for the purpose of uniquely identify an individual. The definition of biometric data, however, does not specify the technologies to which it can be applied. This thesis argues that in the context of computer vision technology the traditional principles of processing and rights of the data subject can be difficult to implement into the processing.
The GDPR has introduced new safeguards for processing: the principle of privacy by design and default and the requirement to undertake a Data Protection Impact Assessment (DPIA). It follows from these measures that controller is required to assess the possible risk of processing to ensure a level of GDPR compliance that effectively protects the rights and freedoms of data subjects. A DPIA is potentially an effective tool to identify and prevent the risks that processing with computer vision may encompass. However, the GDPR leaves a significant amount of discretion to the controller. It is up to the controller to decide when the risks of the processing are on acceptable level. The effectiveness of new safeguards therefore depends on the controller’s ability to identify the possible risks and measures to mitigate them.