By Akshat Kothari, a IIIrd year B.Com. LLB. student at Institute of Law, Nirma University and Harsh Khanchandani, a IIIrd year B.B.A L.L.B (Hons) student at Symbiosis Law School, Pune.

Introduction

On September 9, 2021, Facebook launched its Ray-Ban series, which is the first iteration of its smart glasses. Since the launch, the glasses have raised serious privacy concerns: they enable users to film others without their consent, and it is unclear who shall possess the data once it goes on social media handles. These glasses could be the next big step in the wearables sector, but they pose severe risks in terms of human rights, privacy, and data security.

Hence, through this article, the authors shall attempt to showcase and legally analyze the privacy concerns arising from the smart glasses launched through the collaboration of Facebook and Ray-Ban. For that, we shall break down the glasses and analyze their privacy and security concerns, analyze the legal perspective on the same concerns, and provide our own analysis of the issue.

Privacy Concerns vis-à-vis Ray-Ban Glasses:

One of the most significant troubles with these glasses is the capacity to capture video and audio in such a way that the people being watched are completely unaware. Individuals within viewing range may be recorded without their awareness, and the recordings may be utilized for additional data processing, such as being provided to third parties in a cloud computing environment. Personal information such as fitness and medical profiles may be acquired in a number of circumstances owing to a wide range of networked IoT devices. Sensors on IoT devices allow for the collection of data that goes beyond explicit user inputs to include data about the device’s surroundings, which can be used to access personal data without the user’s awareness.

With the growing popularity of smart glasses, the European Data Protection Supervisor (“EDPS”) has released a paper that examines the privacy and data security consequences. It draws attention to the following issues:

  1. Videos of people in public places;
  2. Audio recordings and localization;
  3. Non-users’ lack of data control;
  4. Repurposing and inferences generated from data;
  5. Profiling and invasive behavior analysis;
  6. The processing of special types of data that necessitates extra precautions; and
  7. Security flaws that provide unauthorized access to personal information.

Furthermore, hacking smart glasses is also a possibility, which puts the data in further jeopardy. Vulnerabilities previously revealed allowed for attacks that rendered the device partially or completely inoperable, as well as allowing an attacker to spy on or steal user data. The authors are of the opinion that the fact that Facebook is widely known for collecting data on its users and selling it to third parties is a source of concern. As a result, Facebook might have backdoor access to linked gadgets, allowing it to monitor the user’s data. This information might also be used to target adverts to users, putting users’ privacy at risk and leaving them exposed to surveillance at all times.

Legal Stance:

  1. The European Stance:

In the recent case of Rynes[i], the Court of Justice of the European Union (“CJEU”) observed that the recording of footage of humans comprises the processing of personal data when a CCTV camera is installed by an individual in a family home. From the analysis of the technical features of the Ray-Ban/Facebook glasses, it can evidently be seen that these smart glasses can perform numerous activities that can harm the personal data of an individual, especially as they can become a substitute for CCTV cameras and record audio-visual material, movement orientation, etc. Smart glasses that handle personal data must be utilized in compliance with the applicable law, which includes the appropriate data protection law.

The General Data Protection Regulation (“GDPR”) has been accepted by the European Parliament and Council since the launch of Google Glass and its subsequent withdrawal. The GDPR specifies standards for the lawful and fair processing of personal information, such as transparency, the need for a sufficient legal basis for processing, purpose limitation, data minimization, data retention limitations, data security and quality, data subjects’ rights, and independent monitoring. Furthermore, Article 29 Data Protection Working Party Opinion 8/2014 has already discussed the implications of the processing of personal data and its transmission to the Internet. Thus, from the European perspective, data protection legislation is completely pertinent, and many privacy problems must be assessed in their application, with suitable safeguards implemented in each situation.

  2. The Indian Stance:

In the historic verdict of K.S. Puttaswamy v. Union of India, the Hon’ble Supreme Court declared that the Right to Privacy is a protected fundamental right of Indian citizens under Articles 14, 19, and 21 of the Indian Constitution. Since the verdict, there has been a renewed emphasis on adopting laws to preserve the right to privacy through regulating the digital industry in India. Digital privacy for people is still primarily safeguarded by the Information Technology Act (“IT Act”). The government has also established a set of rules under Section 87 of the IT Act.

The “Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011” provide a baseline for data protection measures to be implemented by data collectors and processors. The SPDI standards, like the GDPR, categorize data as ‘personal data’ or ‘sensitive personal data.’ Physical and physiological data, biometric information, and medical records are examples of sensitive personal data stored by wearables. The Rules require the data owner to be notified of the information being collected, the purpose of the collection, and the intermediaries with whom the information is shared. The Rules also require the enterprise to get the owner’s express approval and allow the owner the ability to withdraw consent at any time for data gathering.

The Personal Data Protection Bill 2021:

The Personal Data Protection Bill (“PDPB”) is a proposed piece of legislation that will overhaul India’s digital privacy protection system. The Bill proposes to create a data protection system in which data is gathered and processed in a necessary, fair, and transparent way that needs the consent of the person from whom the data is being obtained. The Bill outlines numerous key ideas in digital privacy protection, such as de-identification and anonymization, and provides context for India’s interpretation of these principles.

The PDPB, 2021 includes sensitive personal data and defines it as data relating to the mental and physical health of the data principal. Aside from the key players in the healthcare sector, such as hospitals, clinical establishments, and digital health technology platforms, companies that manufacture/operate health wearable smart devices will be particularly affected if the PDPB, 2021 is enacted. This is because, in addition to complying with data collection, processing, storage, and sharing requirements, the PDPB, 2021 requires entities to submit to the Data Protection Authority (“DPA”) monitoring, testing, and certification of hardware/software computing equipment/applications process.

Analysis and the Way Forward:

It is opined by the authors that the application of data protection to recordings has been previously discussed in various European cases concerning dash cams, CCTV cameras, etc., and these instances may be used while determining the criteria within which smart glasses can be lawfully used in the European Union and around the world. GDPR is a regulation designed to regulate the collection and processing of personal data. It assures users that their data will be handled fairly and transparently. Thus, a regulation like GDPR can help people feel more secure about their personal data and hence their privacy.

Hence, in the present situation, Facebook/Ray-Ban shall have to adhere to the rules laid down in the GDPR, as regulators will increase scrutiny of smart glasses vendors in the future years as their gadgets become more popular and when additional data-generating features are added to them. For example, in order to comply with the EU’s General Data Protection Regulation, Google has included audio and visual notifications that are triggered when Google Glass starts recording audio or video. Vendors of smart glasses have included comparable capabilities, such as the ability to turn off the device’s microphone and camera manually to prevent privacy invasions.

From an Indian perspective, the current legislation has a limited intent to safeguard people’s privacy, instead focusing on fighting cybercrime and guaranteeing cyber security. The IT Act and its accompanying guidelines establish the groundwork for creating safeguards by identifying sensitive personal data and criminalizing violations of privacy. The SPDI rules apply to any corporate entity that deals with such data. However, when it comes to the wearable market, these steps fall short of providing effective safety. This is evident from the definition of the term ‘body corporate’ under the SPDI rules.

The wearable itself, as well as the app that collects the data on the user’s mobile, are not considered under the ambit of ‘body corporate’. Even if the manufacturing company is included in the definition, the primary storage space for the data doesn’t have any constraints on what data to collect, how to collect it, or where to store it. Furthermore, while the IT Act covers offenses done outside of India, it is only applicable if a computer, computer system, or computer network is used in India. Thus, devices and networks that operate outside of India are not included, as is the case with wearables. Therefore, there exists a major lacuna in the present law dealing with data collected by wearable technologies.

Currently, there is a dearth of data protection laws that will safeguard users’ rights when new technical projects and schemes are implemented. The PDPB, 2021 is the first step in this approach. In India, the necessity for established regulation is urgent since there have been various issues and disputes around the government’s assimilation of personal data. A similar scenario has been noticed with private entities’ operations and owing to the lack of suitable legislation(s), they do not come under the radar of any defaults/punishments. Given this, an individual’s privacy in the use of wearable technology becomes critical owing to the quantity of information that such gadgets consume and the potential for problems it contains after a breach. Although there is a gap in the law, court precedents do not entirely cripple an individual/entity in this respect. Another important thing to highlight is that, although the privacy of wearable devices must be examined, their interoperability with regard to relevant mobile/computer applications must also be explored, since these wearable devices are linked to such mobile apps.


[i] CJEU Judgement of 11 December 2014 in case C-212/13 František Ryneš v Úřad pro ochranu osobních údajů, ECLI:EU:C:2014:2428.
