Persónuvernd - 2020082122

From GDPRhub
Persónuvernd - 2020082122
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 44 GDPR
Act no. 75/2019 on the processing of personal information for law enforcement purposes
Type: Investigation
Outcome: Violation Found
Decided: 10.03.2021
Published: 15.03.2021
Fine: None
Parties: Icelandic National Police
National Case Number/Name: 2020082122
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Personuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA held that the chief of police in the capital area has not complied with the law on the processing of personal information for law enforcement purposes when requesting information and suggestions via Facebook.

English Summary[edit | edit source]

Facts[edit | edit source]

On the occasion of a news report that the office of the chief of police in the capital area requested information and suggestions via the social media Facebook, the DPA started an investigation into whether such processing complied with Act no. 75/2019 on the processing of personal information for law enforcement purposes. The DPA asked the office questions concerning processing data via Facebook by the police and then considered received answers.

Holding[edit | edit source]

The DPA held that all processing of personal data for law enforcement purposes must comply with the principles set out in Article 4. Act no. 75/2019. It states that in the processing of personal data for law enforcement purposes, care shall be taken to ensure that it is processed in a lawful and fair manner, that the processing is necessary for the competent authority for law enforcement purposes, that information is obtained for clearly stated, lawful and objective purposes and not further processed. In addition, the processing of sensitive personal data must comply with one of the additional conditions of the first paragraph, following Article 6 Act no. 75/2019.

As such, personal information was processed in accordance with the role of the police according to the second paragraph of Article 1 Police Act no. 90/1996. The police keeps a register of complaints they receive about crimes with all the necessary information concerning cases, a diary with information about complaints and their resolution, a list of arrested persons and other files necessary for law enforcement interests to avert imminent danger or deterrence. we commit crimes. In view of the above, the DPA considered that the processing of personal information for the purpose in question is generally permitted, provided that it is carried out in accordance with the provisions of the previously cited law.

At the same time, however, the DPA considered Article 14 of Act no. 75/2019, which states that the storage of personal information should be in accordance with Act no. 90/2018 on personal data protection and the processing of personal data and the Act on Public Archives. According to Act no. 90/2018, Coll. Article 44 of the General Data Protection Regulation, (EU) 2016/679, it is not permitted to process personal data in such a way that copies of communications are kept outside the European Economic Area, provided that such processing is not based on the sources of Chapter V of the Regulation.

In this context, the Data Protection Authority pointed out that communications through Facebook are stored there without the possibility for users, at least without special agreements with Facebook, to adequately delete the information contained therein. Therefore, communication via Facebook cannot be compared to communication via traditional telecommunication devices, your own portal, small programs or e-mail. According to the DPA, when personal information is shared with the police via Facebook, it is shared with Facebook at the same time. It is also clear that Facebook shares personal information with companies related to Facebook, as well as other parties (ie third parties), in further specified circumstances.

The DPA concluded that the processing that took place went against the stated procedures of the office of the Chief of Police in the capital area and without an assessment of the impact on personal protection due to the processing. The chief of police in the capital area's processing of personal information, requesting information and suggestions from the public, via private messages on Facebook, due to incidents that may be related to law and/or concerning certain individuals, has not complied with Act no. 75/2019, on the processing of personal information for law enforcement purposes.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Receiving police information via Facebook
Case no. 2020082122
15.3.2021
The Data Protection Authority has come to the conclusion that the processing of the chief of police in the capital area has not complied with the law on the processing of personal information for law enforcement purposes.

On the occasion of a news report that the office of the chief of police in the capital area had requested information and suggestions about alleged criminal offenses via the social media Facebook, the Data Protection Authority decided to initiate an initiative investigation into whether such processing complied with Act no. 75/2019, on the processing of personal information for law enforcement purposes. As stated above, the conclusion of the Data Protection Authority was that the chief of police in the capital area processed personal information, requesting information and suggestions from the public, via private messages on Facebook, due to incidents that may be related to law and / or concerned certain individuals that were published form of, has not complied with Act no. 75/2019, on the processing of personal information for law enforcement purposes.

Decision

On March 10, 2021, the board of the Data Protection Authority announced the following decision in case no. 2020082122:

I.
 

Procedure
On the occasion of a news report that the office of the chief of police in the capital area requested information and suggestions via the social media Facebook, the Data Protection Authority decided to start an investigation into whether such processing complied with Act no. 75/2019, on the processing of personal information for law enforcement purposes.

By letter dated On 3 September 2020, the Chief of Police in the greater Reykjavík area was informed that an initiative investigation had been initiated and a response requested, in addition to which an opportunity was provided to provide explanations. A special law was requested for answers on the following issues:

What kind of personal information has been received through Facebook and for what purpose. Assuming that this had been the case, the Data Protection Authority also requested an electronic copy of the part of the Office's processing file that relates to the processing in question.
Whether personal information goes beyond the EEA area and if so on the basis of which legal provisions this is the case.
How the security of personal information is safeguarded during the processing, cf. Article 23 Act no. 75/2019, especially what measures have been taken so that personal information does not fall into the hands of unauthorized parties.
Whether an impact assessment has been carried out on privacy due to the processing, cf. Article 26 Act no. 75/2019. Assuming this is the case, the Data Protection Authority requested a copy of such an assessment.
The position of the office on how the processing complies with Article 4. Act no. 75/2019.
Each assessment of the chief of police in the capital area is on whether the office is considered responsible, due to the receipt of personal information via Facebook, cf. Number 4 Article 2 Act no. 75/2019, Coll. as the case may be, point 6. Article 3 Act no. 90/2018, or a processing party, cf. 5. tölul. Article 2 Act no. 75/2019, Coll. as the case may be, point 7. Article 3 Act no. 90/2018.
Whether a processing agreement has been made with Facebook for the processing in question. Provided that this had been done, a copy of that agreement was requested or, as the case may be, the agreement of the joint guarantors, cf. Paragraph 2 Article 18 Act no. 75/2019.
Responses were received by e-mail on November 2, 2020. It states that the office of the Chief of Police in the capital area has had access to Facebook since 2010. The role of the police according to Art. Police Act no. 90/1996 is, among other things, to safeguard public safety, maintain law and order, pave the way for citizens as appropriate and assist when there is danger. The purpose of using Facebook as a means of communication is first and foremost to facilitate communication with the public, improve and increase services to users and also respond to modern calls for changed and more diverse means of communication by increasing the number of means available.

It is pointed out that the communication is diverse, but is primarily about serving the ordinary citizen who can send questions and receive answers in real time. A wide group of people choose to use social media rather than make a phone call during office hours, the office has a selected group of staff, on average 5-10 people, who handle messages received through the medium.

It is stated that the office does not provide personally identifiable information to parties through the communication medium and does not collect this information. It is the users themselves who provide information about themselves, if they so choose, and in most cases it is non-personally identifiable information, tips or questions, for example questions about when studded tires can be placed under cars or when they must be removed from cars to enter. prevention of fines, concerns of residents about speeding on certain streets or in the districts of the capital area and concerns about suspicious human movements or objects in the open. Such notices are answered with general instructions. If parties request personal information, such requests are invariably rejected and the person in question is referred to a police station where it is possible to talk to parties in a formal manner, provided that such information is not shared through Facebook. If the parties provide personal information, it is treated as such and compliance with the general rules of the Personal Data Protection Act and the secrecy provisions of the Act by which police officers are bound. Information is passed on to other employees as appropriate and if there is a reason to do so. In cases where the interviewee requests that communication with himself be destroyed, this is done.

It is stated that the police have in some cases requested information from citizens. You are then asked to contact 112 or by telephone at the office. It has happened that suggestions have been requested via Facebook. It is pointed out that when information is requested from the police, it is very common for it to be received in this way, even though it has not been requested. In many cases, such tips do not contain reliable or personally identifiable information and often do not really concern individuals. When an individual provides information via Facebook, an attempt is made to process the complaint with the person in question or to instruct him or her to provide information to the police in a formal manner, ie. by phone, e-mail, through the notification portal or through the police website if applicable.

It is also pointed out that individuals in acute danger have managed to make themselves known through Facebook, as they have not had access to a phone card, only an internet connection. People who have been in hiding in the field of domestic violence, considered to be in urgent danger or worried about others have contacted the police on Facebook for help. The individuals in question did not reach the police by other means. People at risk of suicide have also reached out to the police in this way and the police have been able to respond in time for these individuals.

With regard to question two, the Office considered that a user who provides information to the police about, for example, himself via Facebook, is responsible for the information he provides, makes public or shares with the police and / or the media. Facebook is not a forum for formal messages, but the police do not rule out investigating incidents when personal information is received, for example if there is an urgent danger to an individual and he cannot approach the police by other means. Third-party reports of endangered persons are also taken seriously. As stated above, the police do not disseminate personally identifiable information except in cases where there is an urgent need and then taking into account the general rules on the processing of personal information.

It is stated that on the Facbook page of the police, the information tab informs about what does not belong on the page. The text is as follows:

"WHAT DOESN'T HOME ON THIS PAGE?

Please note that Facebook is not the right place to post information about specific offenses, specific cases, suspected crimes or offenders or complaints, for example complaints about the work of certain police officers.

The site may not be used as a notification page about lost / found or stolen items.

Such items should be communicated to the police by telephone, letter or e-mail or by visiting a police station in your area or municipality. Here is information on how best to contact the police in the capital area depending on the occasion. "

It is referred to that the processing of personal information for law enforcement purposes takes place in other respects in the case file system of the police, cf. authority in III. section of Act no. 75/2019.

With regard to the third question, reference is made to the role of the police according to Art. Police Act no. 90/1996 is, among other things, to safeguard public safety, maintain law and order, pave the way for citizens as appropriate and assist when there is danger. In accordance with the role of the police, the office has emphasized on responding to everyone and caring to the best of its ability for those who contact the police via Facebook. The police and its staff are bound by a duty of confidentiality according to Art. Chapter X of the Administrative Procedure Act and this obligation is observed in the services that go through Facebook. When registering Facebook users with the office, two security features are always used, so that authentication takes place with a password and also by telephone, and no one can log in to their area without such two-factor authentication. The Office considers that these security measures comply with the provisions of Article 23. Act no. 75/2019, taking into account the risk to the freedom of those who choose to communicate with the police in this way.

With regard to the fourth question, reference is made to the fact that according to Art. Act no. 75/2019 and Article 29. Act no. 90/2018, an assessment shall be made of the impact of the proposed processing measures on the protection of personal data before the processing begins, if it is probable that a certain type of processing may entail a high risk to the rights and freedoms of individuals. It is also referred to that the Data Protection Authority has published advertisement no. 828/2019 on a list of processing measures that always require an assessment of the impact on personal data protection, as well as guidelines on such an assessment. In addition, the office states that it was in doubt as to whether the processing of personal information was involved except in exceptional cases and that there is some doubt as to whether it is considered to be responsible for communication with citizens.

With regard to question five, the Office considers that it is in accordance with the principles of processing personal information to communicate with parties via Facebook in the way it is currently done. The processing is necessary for the police to carry out their work according to the Police Act no. 90/1996 as described in Article 1. their. The information is obtained from individuals who provide it voluntarily and without coercion. It is also seldom personal information and the information is sufficient, relevant and not far beyond what is necessary for the purpose of the processing. Information obtained by the office in this way is not processed in another and incompatible manner and is not stored by the police.

With regard to the sixth question, the Office considers that in the communication in question it could be considered a responsible party. However, it is not always the case that personal information is processed as it is defined in Act no. 75/2019 and 90/2018.

As for the seventh question, no processing agreement has been made with Facebook as the office did not consider itself responsible for this communication. No formal impact assessment has been carried out. The office states that it has reviewed whether there is a need to make such an assessment and processing agreement.

By letter dated February 9, 2021, with reference to the above explanations of the office of the Chief of Police in the capital area, further information and explanations were requested regarding four more specific cases of which the Data Protection Authority was aware, as the procedure described in the Chief of Police's response to the capital area from 2 November 2020. In the cases in question, information had been requested from the public, via a private message on Facebook, regarding incidents that may be related to law and / or concerned certain individuals whose picture was published.

A reply was received by letter dated. 19 February 2021. It states that in the four cases in question the current working methods were not followed and it is stated that there was a mistake on the part of the office. It is stated that following a letter from the Data Protection Authority, dated February 9, 2021, the current working methods have been reaffirmed with the staff of the office who handle the communication in question with the aim of ensuring that this does not happen again.

II.
Assumptions and conclusion

1.
Scope - Responsible party
The processing of personal data by competent authorities carried out for law enforcement purposes is governed by Act no. 75/2019 on the processing of personal information for law enforcement purposes, cf. Paragraph 1 Article 3 of the Act. Does it therefore fall according to Article 30 of the Act under the role of the Data Protection Authority to supervise their implementation.

The Act was enacted to implement the provisions of Directive (EU) 2016/680 of 27 April 2016 on the protection of individuals with regard to the processing of personal data by the competent authorities in connection with the prevention, investigation, detection or prosecution of criminal offenses. or comply with criminal sanctions and the free movement of such information. The competent authority is defined in point 11. Article 2 of the Act as a public authority responsible for or entrusted by law with the task of preventing, investigating, prosecuting or prosecuting criminal offenses or enforcing criminal sanctions, including protecting against and preventing threats to public safety. The country's police departments are defined as competent authorities according to this provision.

So Act no. 75/2019 validity must be in the case of processing of personal information that is automated in part or in full or processing by other methods than automatic processing of personal information that is or is to become part of a register, cf. Paragraph 2 Article 3 of the Act. Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him or her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 1. tölul. Article 2 Act no. 75/2019. Processing refers to an operation or series of operations where personal information is processed, whether the processing is automatic or not, cf. 2. tölul. Article 2 Act no. 75/2019.

In order for the processing of personal information to fall within the scope of Act no. 75/2019, the mere fact that an authority falls under the definition of a competent authority is not sufficient, but the processing that takes place at any given time must be for law enforcement purposes. The purpose of law enforcement is defined in point 8. Article 2 Act no. 75/2019 whose purpose is to prevent, investigate, prosecute or prosecute criminal offenses or comply with criminal sanctions, including protecting against and preventing threats to public safety. It is clear that when processing personal information for this purpose, it is based on the powers obtained by the competent authorities by law, but as is the case here, the Police Act no. 90/1996. In the second paragraph. Article 1 of the Act states that the role of the police is, among other things, to safeguard public security and maintain law and order, seeks to ensure the legal security of citizens and protect property rights, public interests and all kinds of legitimate activities, curb crime and prevent activities that disrupt the security of citizens and the state, work to expose crimes, stop illegal behavior and follow up cases in accordance with what is laid down in the Code of Criminal Procedure or other laws, pay the citizens' street as appropriate and assist them when there is a danger. In view of the above, this is therefore processing for law enforcement purposes, cf. 8. tölul. Article 2 Act no. 75/2019, and the above processing therefore falls within the scope of that Act. stop illegal conduct and follow up cases in accordance with the provisions of the Code of Criminal Procedure or other laws, pave the way for citizens as appropriate and assist them in times of danger. In view of the above, this is therefore processing for law enforcement purposes, cf. 8. tölul. Article 2 Act no. 75/2019, and the above processing therefore falls within the scope of that Act. stop illegal conduct and follow up cases in accordance with the provisions of the Code of Criminal Procedure or other laws, pave the way for citizens as appropriate and assist them in times of danger. In view of the above, this is therefore processing for law enforcement purposes, cf. 8. tölul. Article 2 Act no. 75/2019, and the above processing therefore falls within the scope of that Act.

The competent authority that determines, alone or in collaboration with others, the purpose and methods of processing personal information is called the responsible party, cf. Number 4 Article 2 Act no. 75/2019. As such, the office of the chief of police in the capital area is considered to be responsible for the processing in question.

With reference to the above, it is clear that the processing of personal data by the police in question involves the processing of personal data by the competent authority that takes place for law enforcement purposes and therefore falls within the competence of the Data Protection Authority as defined in Article 30. Act no. 75/2019.

2.
Legality of processing
All processing of personal data for law enforcement purposes must comply with the principles set out in Article 4. Act no. 75/2019. It states that in the processing of personal data for law enforcement purposes, care shall be taken to ensure that it is processed in a lawful and fair manner, that the processing is necessary for the competent authority for law enforcement purposes, that information is obtained for clearly stated, lawful and objective purposes and not further processed. other and incompatible purposes, that they are sufficient, appropriate and not far beyond what is necessary for the purpose of the processing, as well as that they are reliable and updated as necessary. It also states that personal information that is unreliable or incomplete for the purpose of its processing shall be deleted or corrected without delay,

In addition, the processing of sensitive personal data must comply with one of the additional conditions of the first paragraph. Article 6 Act no. 75/2019, i.e. that it has a special authority in other laws, that it is capable of protecting the urgent interests of the data subject or another individual, or that it protects information that the data subject has made public himself. Sensitive personal information within the meaning of the law includes personal information about a person's race or ethnic origin, political views, religion, religious beliefs, trade union membership, health information, human sex or sexual orientation, genetic information and biometric information. Only such personal information will be processed if there is an urgent need for the processing, in addition to which it fulfills at least one of the aforementioned conditions.

As such, personal information was processed in accordance with the role of the police according to the second paragraph. Article 1 Police Act no. 90/1996. It is also to be considered that according to i. paragraph 1 Article 5 of the Act, the police keep a register of complaints they receive about crimes with all the necessary information concerning cases, a diary with information about complaints to the police and their resolution, a list of arrested persons and other files necessary for law enforcement interests to avert imminent danger or deterrence. we commit crimes. Then in Article 7 Act no. 75/2019 provides for such processing, provided that it is in accordance with other provisions of the Act. In view of the above, it must therefore be considered that the processing of personal information for the purpose in question is generally permitted, provided that it is carried out in accordance with the provisions of the previously cited law.

At the same time, however, Article 14 should be considered. Act no. 75/2019, which states that the storage of personal information is in accordance with Act no. 90/2018 on personal data protection and the processing of personal data and the Act on Public Archives. According to Act no. 90/2018, Coll. Article 44 of the General Data Protection Regulation, (EU) 2016/679, it is not permitted to process personal data in such a way that copies of communications are kept outside the European Economic Area, provided that such processing is not based on the sources of Chapter V of the Regulation. Regarding the interpretation of the provisions of Chapter V, it should be borne in mind that according to Art. of the Regulation, all the provisions of the Chapter shall be applied so as to ensure that the protection of individuals guaranteed by the Regulation is not undermined.

In this context, the Data Protection Authority points out that communications through Facebook are stored there without the possibility for users, at least without special agreements with Facebook, to adequately delete the information contained therein. Therefore, communication via Facebook cannot be compared to communication via traditional telecommunication devices, your own portal, small programs or e-mail. Privacy also points out that inThe terms of Facebook, which are accepted by the users of the medium, state that Facebook collects the information that is shared through the site. When personal information is shared with the police via Facebook, it is shared with Facebook at the same time. It is also clear that Facebook shares personal information with companies related to Facebook, as well as other parties (ie third parties), in further specified circumstances. Those who use such social media generally do not have full control over the content posted there.

It has been stated during the operation of the case that when processing personal data in the four cases that are specifically examined here, that processing was not based on the sources of Chapter V of the General Data Protection Regulation. Furthermore, it has been stated that the processing that took place went against the stated procedures of the office of the Chief of Police in the capital area and without an assessment of the impact on personal protection due to the processing, cf. Article 26 Act no. 75/2019 and Article 29. Act no. 90/2018, or that a production agreement has been made, cf. Paragraph 3 Article 25 Act no. 90/2018 and the third paragraph. Article 20 Act no. 75/2019, with Facebook.

In view of the above, the conclusion of the Data Protection Authority is that the chief of police in the capital area's processing of personal information, requesting information and suggestions from the public, via private messages on Facebook, due to incidents that may be related to law and / or concerning certain individuals of, has not complied with Act no. 75/2019, on the processing of personal information for law enforcement purposes.


Definition:
The processing by the chief of police in the capital area of ​​personal information requesting information and suggestions from the public, via private messages on Facebook, due to incidents that may either be related to law or concerned certain individuals whose picture was published, was not in accordance with Act no. 75/2019, on the processing of personal information for law enforcement purposes.


In Privacy, March 10, 2021


Ólafur Garðarsson
acting chairman


Björn Geirsson Vilhelmína Haraldsdóttir


Þorvarður Kári Ólafsson