Someone I follow on twitter recently posted a link from Google Streetview of the interior of a pub, in which he could identify himself and a friend having a quiet pint. I must confess this addition of building interiors to the Streetview portfolio had passed me by. It appears that businesses can sign-up to have “Google Trusted Photographers and Trusted Agencies” take photographs of their premises, which are uploaded to the web and linked to Streetview locations.
When it was launched Streetview caused some concern in privacy circles, and this was prior to, and separate from, the concerns caused by the discovery that huge quantities of wifi payload data had been gathered and retained during the process of capture of streetview data. These more general concerns were partly due to the fact that, in the process of taking images of streets the Google cameras were also capturing images of individuals. Data protection law is engaged when data are being processed which relate to a living individual, who can identified from the data. To mitigate against the obvious potential privacy intrusions from Streetview, Google used blurring technology to obscure faces (and vehicle number plates). In its 2009 response to Privacy International’s complaint about the then new service the Information Commissioner’s Office said
blurring someone’s face is not guaranteed to take that image outside the definition of personal data. Even with a face completely removed, it will still be entirely likely that a person would recognise themselves or someone close to them. However, what the blurring does is greatly reduce the likelihood that lots of people would be able to identify individuals whose image has been captured. In light of this, our analysis of whether and to what extent Streetview caused data protection concerns placed a great deal of emphasis on the fact that at its core, this product is in effect a series of images of street scenes…the important data protection point is that an individual’s presence in a particular image is entirely incidental to the purpose for capturing the image as a whole. (emphasis added)
One might have problems with that approach (data protection law does not talk in terms of “incidental” processing of personal data) but as an exercise in pragmatism it makes sense. However, it seems to me that the “business interiors” function of Streetview takes things a step further. Firstly, these are not now just “images of street scenes”, and secondly, it is at least arguable that an individual’s presence in, for instance, an image of an interior of a pub, is not “entirely incidental” to the image’s purpose.
Google informs the business owner that “it would be your responsibility to notify your employees and customers that the photo shoot is taking place” but that “Google may use these images in other products and services in new ways that will make your business information more useful and accessible to users”. It seems likely to me therefore that, to the extent that personal data is being processed in the publishing of these images, Google and the business owner are potentially both data controllers (with consequent responsibilities and liabilities under European law).
It would be interesting to know if the Information Commissioner’s assessment of this processing would be different given that a factor he previously placed a “great deal of emphasis on” (the fact that Streetview was then ”just images of street scenes”) no longer applies.