Earlier this month, the Belgian Privacy Commission (the “Belgian DPA”) published its December 15, 2010 Recommendation on Mobile Mapping (Recommandation d’initiative en matière de Mobile Mapping, or “the Recommendation”). The Recommendation defines Mobile Mapping as “technology by which a vehicle equipped with a camera and/or a scanner can digitally record all data on a specific road, including by taking 360° photos.” The scope of the Recommendation covers not only applications such as Google Street View, but also other types of Mobile Mapping such as mapping by public authorities, mapping for tourism, real estate applications and GPS navigation mapping.
In its Recommendation, the Belgian DPA confirms that the Belgian Data Protection Act applies to most Mobile Mapping services, since these types of services usually involve the processing of personal data. Interestingly, the Belgian DPA takes the position that photos usually constitute personal data, and that in some cases, Mobile Mapping may involve the processing of sensitive data (e.g., a picture of an individual near a doctor’s office or entering a church). The Belgian DPA also provides guidance to data controllers on how to apply general data protection principles to Mobile Mapping services. The guidance can be summarized as follows:
- Legal Basis. The main legal basis for the processing of personal data is the balance of interest test. The Belgian DPA notes, however, that in limited cases the data controller also may have to rely on another legal basis such as individuals’ consent or compliance with a legal obligation.
- Purpose Limitation and Proportionality. Since the balance of interest test is the primary legal basis for the processing of personal data, the proportionality principle is key in protecting individuals’ privacy. There must be a clearly defined purpose for processing personal data in the Mobile Mapping context in order to assess the lawfulness of the service.
- Privacy by Design. The Recommendation highlights the need for industry to develop tools, products and services incorporating privacy by design. Accordingly, some privacy measures (e.g., blurring of faces and license plates or adjusting camera angles) should be implemented at a very early stage in the development process.
- Privacy Impact Assessment. Data controllers should conduct privacy impact assessments and adopt a risk-based approach for the development of these types of tools, products and services.
- Notice. Individuals affected by Mobile Mapping must be properly informed about that type of processing of their personal data. Given the specific nature of this type of service, the Belgian DPA recognizes that a general notice via a website or in the press should be sufficient. A proper notice should include:
- The name of the data controller;
- The purpose of the processing;
- The type of data processed;
- A summary of the privacy impact assessment;
- The measures taken to mitigate privacy risks (e.g., implementing an online tool that enables individuals to opt-out from the processing); and
- Information on how to contact the data controller.
In addition, the vehicle recording the pictures should display information on how to contact the data controller.
- Data Retention. Personal data collected through Mobile Mapping should not be retained for longer than necessary to meet the purpose of the collection.
- Security. Data controllers should implement appropriate security measures. In that context, the Belgian DPA recommends that data controllers:
- Conduct a privacy impact assessment;
- Appoint a person in charge of monitoring the proper application and implementation of the security measures; and
- Provide a summary of the privacy impact assessment to the relevant supervisory authority at least six weeks before data capture.
- Registration. Data controllers must register Mobile Mapping services in Belgium. The Belgian DPA notes that the registration should be accurate and include all the information outlined above.