Mobile mapping systems can collect a large number of photos, many of which likely contain personal data. If you operate in the European Economic Area (EEA) or the UK, the General Data Protection Regulation (GDPR) will likely apply to your mobile mapping system.
Panoramic photos can capture faces, license plates, and other identifiers. GDPR compliance is essential to avoid legal roadblocks and reputational damage when developing a mobile mapping system.
This article outlines the privacy implications of mobile mapping and 360-degree photos, identifies the parts of the GDPR most relevant to mobile mapping systems, and explains how you can remove your large photo collection from the GDPR’s rules altogether.
Mobile mapping systems can pose serious privacy risks. Even when people are out in public, they still have privacy rights—particularly in the EEA and the UK, where the GDPR protects publicly available personal data.
Photos collected by mobile mapping systems have revealed some highly sensitive information about people, including:
There are countless further examples. Poorly implemented mobile mapping systems have led to many privacy violations and legal problems.
Google Street View has reportedly captured images from over 10 million miles of roads across over 80 countries.
Google faced many objections and lawsuits throughout Street View’s development as individuals and governments accused the company of invading people’s privacy. Street View succeeded only after Google implemented privacy-preserving techniques to protect people’s identities.
In 2008, the UK’s data protection authority considered banning Street View. But the regulator allowed Google to proceed, partly due to the company’s practice of blurring identifiers such as faces and car license plates.
Street View faced even more significant challenges in privacy-focused Germany and Austria. As a result, these nations have much patchier Street View coverage than neighboring countries.
However, Apple reassured German authorities about its GDPR compliance and privacy-preserving techniques and successfully launched its “Look Around” Apple Maps feature across several German cities in 2022.
Mobile mapping can involve photographing locations from all angles using 360-degree cameras.
A simple, effective way to anonymize panorama photos is through blurring.
Proper blurring techniques will remove identifiers while leaving other parts of a video or image untouched. Automated image-blurring software can anonymize 360-degree photos efficiently and reliably.
Camera manufacturers continue to make improvements to lenses, sensors, and image processing. But as photos get clearer and more detailed, anonymization gets harder.
Ten years ago, some panoramic photos did not require blurring to achieve anonymization. If a person was far enough away from the camera, zooming in to view their face might reveal nothing but a clump of indistinguishable pixels.
But even a relatively modest camera can now produce detailed, well-lit, high-resolution panoramic photos. This creates a challenge for automated anonymization software.
Reliably finding smaller faces and license plates in high-resolution photos or videos requires a lot of processing power. This is true even for a 24-megapixel image. 360-degree photos and videos are typically higher quality and even more demanding on system resources.
Traditional approaches to face detection involve searching for facial features in a downscaled version of the image and then transposing the result back into the original. Compared to processing the full-size original photo, this technique can be quicker and less resource-intensive.
But this kind of detection model can overlook smaller details in the low-resolution version that are visible in the original photo. As such, the software leaves a higher proportion of faces and license plates unblurred.
From a GDPR perspective, accuracy—the ability to reliably detect personal data—is a crucial feature of anonymization software.
A sufficiently finely tuned detection algorithm can process high-resolution images efficiently. Higher accuracy means less risk of violating the GDPR. If you plan to use automated software to anonymize your photos, make sure it can process high-resolution images.
Blurring identifiers is crucial to protect privacy in panorama photos. But there are other data protection considerations, too.
When carrying out a mobile mapping project or handling photos and other images in general, some of the most relevant parts of the GDPR relate to:
The GDPR’s principle of “data minimization” has important implications for mobile mapping.
Data minimization means limiting how much personal data you collect, store, or otherwise process. You should only collect, store, or otherwise process the amount of personal data that is necessary for a specified purpose.
In the mobile mapping context, this means blurring identifiers quickly and efficiently and avoiding sharing unblurred images with other people where possible.
Unless you need to include personal data in your panoramic photos, the principle of data minimization means that you must anonymize them.
Another GDPR principle, “storage limitation”, requires that you do not keep personal data longer than necessary. Once you no longer need personal data, you must erase it.
The European Data Protection Board (EDPB), which represents every EU data protection regulator, says:
“....by for instance blurring (a) picture with no retroactive ability to recover the personal data that the picture previously contained, the personal data are considered erased in accordance with GDPR.”
In other words: If you effectively blur all identifiers in your 360-degree photos, they will no longer contain personal data. From a GDPR perspective, blurring identifiers in photos “erases” the personal data.
If your blurred photos contain no personal data, the GDPR does not apply.
You can keep anonymous images for as long as you want (unless another law requires you to erase them), and you won’t need to apply the GDPR’s other requirements in respect of your anonymous photos.
Of course, the GDPR still applies to the original, unblurred photos. If you need to keep unblurred images, set a “retention period” that reflects your purposes and delete the unblurred photos once this period expires.
“Data protection by design” (sometimes called “privacy by design”) means designing products and systems in a way that best preserves people’s privacy and other rights.
The GDPR sets out data protection by design requirements in Article 25. You must:
In the context of mobile mapping, this might mean:
Data protection by design means you should always choose the least intrusive way to achieve your goals. If you can access affordable technology that protects people’s privacy while still enabling you to meet your objectives, you must use it.
Choose your photo anonymization software carefully. Many anonymization software providers process photos “in the cloud”—on servers operated by the software provider.
Using cloud service providers is permitted under the GDPR, but only under certain conditions.
You can avoid this compliance hurdle by using anonymization software that runs on your own computer or hardware or in a private cloud that you control.
If you don’t share any personal data with a service provider, there’s no need for a Data Processing Agreement.
If you choose to use a SaaS anonymization software provider based outside the EEA (or outside the UK, if you’re based there), you must also consider the GDPR’s rules on “international data transfers”.
Conducting an international data transfer is one of the most complex GDPR compliance tasks.
But again, you can avoid this extra work by running photo anonymization software on private infrastructure or by using a company based in the EEA, the UK, or an “adequate” country.
Technology can help ensure your mobile mapping system meets the requirements of the GDPR. Remember that the GDPR does not apply to anonymous data. Your panorama photos will be anonymous if you properly blur any identifiers, such as faces and license plates.
But to meet the GDPR’s strict anonymity standards, you must use an effective and reliable anonymization software tool.
The GDPR will still apply to any unblurred versions of photos that you retain and will apply when you are taking the photos.
Despite its broad application and relatively strict compliance requirements, the GDPR provides a flexible framework that enables companies to do business while reducing risk.
To operate in the EEA or UK, you must consider how you can protect people’s personal data and respect their privacy at every stage of your mobile mapping project.
Some straightforward ways to ensure your mobile mapping system complies with the GDPR include:
