Real-time data collection, including use of geo-location and even facial recognition technologies, can underpin Augmented Reality (AR) and Virtual Reality (VR) applications. Imagine trying to locate Pokemon without the Pokemon Go app being able to determine your real-world location. Much of the data being handled will relate to living, identifiable individuals, making the data “personal data”. AR and VR are rapidly evolving technologies but they still need to fit within established legal frameworks.
This means that developers of such systems and the businesses implementing them need to take account of data privacy rules; otherwise they run the risk of legal sanctions or of potentially having to reengineer their service from the ground up.
The main legal requirements
In the UK, the Data Protection Act 1998 (DPA) governs the processing (which includes obtaining, organising, using and destroying) of personal data. Personal data means data which can (alone or in combination with other information held or likely to be held by a data controller) identify a living individual. In the language of the DPA, the “data controller” is the person or business which determines how and why the personal data are processed. Sometimes more than one organisation may act jointly as data controller. In complex online ecosystems it can also be challenging to work out which party is a “data controller” and for which use of data; for example, the user could be a data controller, and so could the app owner, the social media website or the advertising network.
Businesses must comply with the DPA’s eight principles of data processing, the first of which requires the processing of personal data to be fair and lawful. To be lawful, the processing must meet one of the prescribed conditions for processing. In the context of AR or VR systems, the most relevant condition is the consent of the individual whose data are being collected. Consent needs to be a freely given, specific and informed indication of the individual’s wishes; this means that it is not a valid consent if someone has simply failed to object. In the UK, online consent may take the form of a data protection notice (with full information explaining the types of processing proposed) accompanied by a clear and positive consent statement.
In essence, the VR or AR user must be given every opportunity to appreciate what they are consenting to. If the users could be children, then a method for obtaining parental consent needs to be built in. The DPA includes rules about using personal data to carry out marketing, keeping personal data secure and preventing its loss or misuse; it also includes restrictions over retaining personal data indefinitely and sending it outside of the EEA without proper safeguards.
What are the consequences of mishandling data?
Where a data controller fails to comply with the provisions of the DPA, the Information Commissioner’s Office (ICO), which enforces compliance with the DPA, can take action. The ICO has the power to issue enforcement notices requiring data processing to cease or the deletion of data, issue monetary penalty notices up to £500,000, and even prosecute non-compliant data controllers. Where individuals’ rights have been infringed, individuals may bring compensation claims in the courts.
What rights do individuals have?
Individuals are legally entitled to make a Subject Access Request (SAR) to any data controller organisation that is processing their personal data. Organisations may charge a maximum of £10 for responding to such requests, and must produce a copy of the personal data held by the organisation, unless an exemption applies.
A SAR must be completed within 40 days, and a significant level of time and resources must be expended to comply (SARs are one of the main reasons for complaints received by the ICO). Preparation and efficient processes are therefore key. Individuals are also entitled to object to their data being used for direct marketing purposes and can force an organisation to delete their personal data in certain circumstances.
What if processing takes place outside the UK?
The DPA only applies to data controllers established in the UK or who use equipment to process personal data in the UK. Where an organisation processes personal data in the context of an establishment (a registered company, office, branch, or regular practice) in another country, then the data protection laws of that country may apply to the processing instead of the DPA. If the organisation also has a UK establishment, it would, though, be prudent to comply with UK law as well.
New data protection laws ahead
The EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will replace the domestic data protection laws of every EU member state.
In the likely event that the UK’s Brexit negotiations have not concluded by that time, the GDPR will also come into force in the UK (at least for a brief period). It brings in more onerous consent and transparency requirements, introduces liability for data processors (those who simply process data upon the instruction of the data controller) and strengthens the protections for and rights of individuals.
Further, the GDPR introduces significantly tougher sanctions for non-compliance. Organisations may be fined up to €20 million or 4 per cent of annual global turnover if they fail to comply. The GDPR also brings in “privacy by design” and “privacy by default” approaches to encourage privacy to be a cornerstone of new product and services development.
Organisations operating in the VR and AR industry should consider their obligations under UK and EU data protection law, both present and future. The processing of facial images, location and real-time data should be compliant prior to such activities taking place. This is just as relevant for start-ups as for longer-established businesses. It is not unknown for innovation to fail at the first funding hurdle if the business model or system design has failed to respect privacy principles.
Kate Brimsted, Partner, Reed Smith