GDPR Compliance in Mobile Mapping Systems: Protecting Privacy in Large Photo Collections

Robert Bateman

Mobile mapping systems can collect a large number of photos, many of which likely contain personal data. If you operate in the European Economic Area (EEA) or the UK, the General Data Protection Regulation (GDPR) will likely apply to your mobile mapping system. 

Panoramic photos can capture faces, license plates, and other identifiers. GDPR compliance is essential to avoid legal roadblocks and reputational damage when developing a mobile mapping system.

This article outlines the privacy implications of mobile mapping and 360-degree photos, identifies the parts of the GDPR most relevant to mobile mapping systems, and explains how you can remove your large photo collection from the GDPR’s rules altogether.

Mobile Mapping Systems and Privacy Concerns

Mobile mapping systems can pose serious privacy risks. Even when people are out in public, they still have privacy rights—particularly in the EEA and the UK, where the GDPR protects publicly available personal data.

Photos collected by mobile mapping systems have revealed some highly sensitive information about people, including:

There are countless further examples. Poorly implemented mobile mapping systems have led to many privacy violations and legal problems.

Case Study: Google Street View

Google Street View has reportedly captured images from over 10 million miles of roads across over 80 countries.

Google faced many objections and lawsuits throughout Street View’s development as individuals and governments accused the company of invading people’s privacy. Street View succeeded only after Google implemented privacy-preserving techniques to protect people’s identities.

In 2008, the UK’s data protection authority considered banning Street View. But the regulator allowed Google to proceed, partly due to the company’s practice of blurring identifiers such as faces and car license plates.

Street View faced even more significant challenges in privacy-focused Germany and Austria. As a result, these nations have much patchier Street View coverage than neighboring countries.

However, Apple reassured German authorities about its GDPR compliance and privacy-preserving techniques and successfully launched its “Look Around” Apple Maps feature across several German cities in 2022.

Protecting Privacy in Panorama Photos and 360 Degree Photos: Techniques for Anonymization and De-Identification

Mobile mapping can involve photographing locations from all angles using 360-degree cameras.

  • Under the GDPR, personal data means information relating to an identifiable individual.
  • If panorama photos or 360-degree photos are not adequately anonymized, they will likely reveal a lot of personal data.
  • In mobile mapping systems, the most common types of personal data include images of people’s faces and license plates.

A simple, effective way to anonymize panorama photos is through blurring.

Proper blurring techniques will remove identifiers while leaving other parts of a video or image untouched. Automated image-blurring software can anonymize 360-degree photos efficiently and reliably.

Balancing Accuracy and Efficiency When Anonymizing High-Resolution Photos

Camera manufacturers continue to make improvements to lenses, sensors, and image processing. But as photos get clearer and more detailed, anonymization gets harder.

Ten years ago, some panoramic photos did not require blurring to achieve anonymization. If a person was far enough away from the camera, zooming in to view their face might reveal nothing but a clump of indistinguishable pixels.

But even a relatively modest camera can now produce detailed, well-lit, high-resolution panoramic photos. This creates a challenge for automated anonymization software.

Reliably finding smaller faces and license plates in high-resolution photos or videos requires a lot of processing power. This is true even for a 24-megapixel image. 360-degree photos and videos are typically higher quality and even more demanding on system resources.

Traditional approaches to face detection involve searching for facial features in a downscaled version of the image and then transposing the result back into the original. Compared to processing the full-size original photo, this technique can be quicker and less resource-intensive.

But this kind of detection model can overlook smaller details in the low-resolution version that are visible in the original photo. As such, the software leaves a higher proportion of faces and license plates unblurred.
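The trade-off described above, as an added example that is not from the article or from any anonymization product: a toy detector model run once on a downscaled copy and once over overlapping full-resolution tiles, listing the identifiers each pass would leave unblurred. The 20-pixel detection threshold, the tile and overlap sizes, the panorama dimensions and the object boxes are all constructed assumptions, and tiling is only one common way to process the full-size image.

```python
# Added illustration. The "detector" is a toy model over constructed boxes, not a real network.
MIN_DETECTABLE_PX = 20  # assumption: narrowest face/plate the detector finds at the scale it sees

def detect(objects, region, scale=1.0):
    """Return the (x, y, w, h) boxes lying fully inside `region` whose width,
    after scaling by `scale`, is still at least MIN_DETECTABLE_PX."""
    rx, ry, rw, rh = region
    return [(x, y, w, h) for (x, y, w, h) in objects
            if x >= rx and y >= ry and x + w <= rx + rw and y + h <= ry + rh
            and w * scale >= MIN_DETECTABLE_PX]

def detect_downscaled(objects, width, height, max_side):
    """Single pass over a copy shrunk so its longer side is `max_side` pixels."""
    scale = min(1.0, max_side / max(width, height))
    return sorted(detect(objects, (0, 0, width, height), scale))

def tile_starts(length, tile, step):
    """Tile origins along one axis, with the last tile pushed to the far edge."""
    starts = list(range(0, max(length - tile, 0) + 1, step))
    if starts[-1] + tile < length:
        starts.append(length - tile)
    return starts

def detect_tiled(objects, width, height, tile=1024, overlap=256):
    """Full-resolution pass over overlapping tiles. `overlap` must be at least the
    largest object expected, so every object lies whole inside some tile."""
    step = tile - overlap
    found = set()  # exact duplicates from two tiles collapse; a real detector needs box merging
    for ty in tile_starts(height, tile, step):
        for tx in tile_starts(width, tile, step):
            found.update(detect(objects, (tx, ty, tile, tile)))
    return sorted(found)

def unblurred(objects, found):
    """Identifiers that would remain visible in the published image."""
    return sorted(set(objects) - set(found))

# Constructed 8000x4000 panorama: one near face, one distant face, one license plate.
WIDTH, HEIGHT = 8000, 4000
OBJECTS = [(3000, 1800, 200, 240), (6100, 2000, 40, 48), (1500, 2500, 60, 20)]

if __name__ == "__main__":
    low = detect_downscaled(OBJECTS, WIDTH, HEIGHT, 2000)
    print("downscaled pass leaves unblurred:", unblurred(OBJECTS, low))
    print("tiled pass leaves unblurred:     ", unblurred(OBJECTS, detect_tiled(OBJECTS, WIDTH, HEIGHT)))
```

Measuring the unblurred remainder against a hand-labelled sample of your own imagery is the practical way to compare tools on the accuracy the article describes.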

From a GDPR perspective, accuracy—the ability to reliably detect personal data—is a crucial feature of anonymization software. 

A sufficiently finely tuned detection algorithm can process high-resolution images efficiently. Higher accuracy means less risk of violating the GDPR. If you plan to use automated software to anonymize your photos, make sure it can process high-resolution images.

Blurring identifiers is crucial to protect privacy in panorama photos. But there are other data protection considerations, too.

Managing Large Photo Collections: GDPR Considerations and Data Retention Policies

When carrying out a mobile mapping project or handling photos and other images in general, some of the most relevant parts of the GDPR relate to:

  • Data minimization
  • Storage limitation
  • Data protection by design
  • Data processors

Data Minimization

The GDPR’s principle of “data minimization” has important implications for mobile mapping.

Data minimization means limiting how much personal data you collect, store, or otherwise process. You should only collect, store, or otherwise process the amount of personal data that is necessary for a specified purpose.

In the mobile mapping context, this means blurring identifiers quickly and efficiently and avoiding sharing unblurred images with other people where possible.

Unless you need to include personal data in your panoramic photos, the principle of data minimization means that you must anonymize them.

Storage Limitation

Another GDPR principle, “storage limitation”, requires that you do not keep personal data longer than necessary. Once you no longer need personal data, you must erase it.

The European Data Protection Board (EDPB), which represents every EU data protection regulator, says:

“for instance blurring (a) picture with no retroactive ability to recover the personal data that the picture previously contained, the personal data are considered erased in accordance with GDPR.”

In other words: If you effectively blur all identifiers in your 360-degree photos, they will no longer contain personal data. From a GDPR perspective, blurring identifiers in photos “erases” the personal data.

If your blurred photos contain no personal data, the GDPR does not apply.

You can keep anonymous images for as long as you want (unless another law requires you to erase them), and you won’t need to apply the GDPR’s other requirements in respect of your anonymous photos.

Of course, the GDPR still applies to the original, unblurred photos. If you need to keep unblurred images, set a “retention period” that reflects your purposes and delete the unblurred photos once this period expires.

Data Protection by Design

“Data protection by design” (sometimes called “privacy by design”) means designing products and systems in a way that best preserves people’s privacy and other rights.

The GDPR sets out data protection by design requirements in Article 25. You must:

  • Take “appropriate technical and organizational measures” to meet the GDPR’s principles, such as data minimization.
  • Apply these measures according to the resources and technology you have available and the level of risk.
  • Integrate these measures into your systems, products, and services from the earliest stages of development onwards.

In the context of mobile mapping, this might mean:

  • Blurring identifiers such as faces and license plates.
  • Notifying people about your activities, where possible.
  • Training employees and creating policies on data protection.
  • Erasing original (unblurred) photos as soon as you no longer need them.
  • Restricting access to the original photos so that only people who need to can access them.

Data protection by design means you should always choose the least intrusive way to achieve your goals. If you can access affordable technology that protects people’s privacy while still enabling you to meet your objectives, you must use it.

Data Processing Agreements

Choose your photo anonymization software carefully. Many anonymization software providers process photos “in the cloud”—on servers operated by the software provider. 

Using cloud service providers is permitted under the GDPR, but only under certain conditions.

  • The GDPR restricts how you share personal data. “Sharing” can include uploading photos containing personal data to cloud-based services.
  • If you use a software-as-a-service (SaaS) product to anonymize your 360-degree photos, the service provider will likely be a “data processor” under the GDPR.
  • Before sharing personal data with a data processor, you must implement a Data Processing Agreement (DPA)—a contract that meets the requirements of Article 28 of the GDPR.

You can avoid this compliance hurdle by using anonymization software that runs on your own computer or hardware or in a private cloud that you control. 

If you don’t share any personal data with a service provider, there’s no need for a Data Processing Agreement.

International Data Transfers

If you choose to use a SaaS anonymization software provider based outside the EEA (or outside the UK, if you’re based there), you must also consider the GDPR’s rules on “international data transfers”.

  • Before making personal data accessible to another person or company outside of the EEA (or UK), you must ensure they protect the personal data to EU standards.
  • If the other person is based in a country with “adequate” data protection standards according to the European Commission (or the UK government), these rules don’t apply.
  • If the other person is not based in an “adequate” country, you’ll need to carry out a risk assessment and put a special contract in place before allowing them to access any personal data.

Conducting an international data transfer is one of the most complex GDPR compliance tasks. 

But again, you can avoid this extra work by running photo anonymization software on private infrastructure or by using a company based in the EEA, the UK, or an “adequate” country.

The Role of Technology in Ensuring GDPR Compliance in Mobile Mapping Systems

Technology can help ensure your mobile mapping system meets the requirements of the GDPR. Remember that the GDPR does not apply to anonymous data. Your panorama photos will be anonymous if you properly blur any identifiers, such as faces and license plates.

But to meet the GDPR’s strict anonymity standards, you must use an effective and reliable anonymization software tool.

  • Advanced anonymization software can automatically identify and blur faces and license plates in images and videos. 
  • AI-driven anonymization software can reliably detect almost all faces and license plates in a photo or video, reducing the risk of privacy violations.
  • Automation removes the need to manually blur identifiers, saving many hours of work.

The GDPR will still apply to any unblurred versions of photos that you retain and will apply when you are taking the photos.

Balancing Mobile Mapping System Functionality with GDPR Compliance and Data Protection

Despite its broad application and relatively strict compliance requirements, the GDPR provides a flexible framework that enables companies to do business while reducing risk.

To operate in the EEA or UK, you must consider how you can protect people’s personal data and respect their privacy at every stage of your mobile mapping project.

Some straightforward ways to ensure your mobile mapping system complies with the GDPR include:

  • Blurring identifiers such as faces and license plates in 360 photos.
  • Using reliable and accurate photo anonymization software.
  • Using photo anonymization software that runs on your own computer, infrastructure, or private cloud.
  • If you need to retain unblurred original photos, deleting them as soon as you no longer need them.
  • Limiting access to any photos that contain personal data.