The Ways Google Glass Users Risk Breaking UK Privacy Laws

On Friday, the privacy watchdog, the Information Commissioner’s Office (ICO), issued a blog postwarning about the use of wearables and the subsequent potential for breaches of the Data Protection Act, without getting into the nitty-gritty of how that might happen. But looking at the language of the Act there will be many opportunities for illegal use of Google Glass, which just went on sale in the UK for £1,000 ($1700), and the problems will be felt most by business users, not the average consumer.

On Friday, the privacy watchdog, the Information Commissioner’s Office (ICO), issued a blog postwarning about the use of wearables and the subsequent potential for breaches of the Data Protection Act, without getting into the nitty-gritty of how that might happen. But looking at the language of the Act there will be many opportunities for illegal use of Google Glass, which just went on sale in the UK for £1,000 ($1700), and the problems will be felt most by business users, not the average consumer.

Techno-progressives might argue Glass is no different from the average smartphone, but that would be a tad disingenuous. Despite Google’s assurances around privacy, it’s patent for the device allows for quicker and easier capturing of personal data than other devices on the market. It’s also easier to tell when someone is capturing video on a phone than with the glasses, which can start recording with a secretive whisper command. Anxieties around this functionality have already led to cinemas reportedly banning Google Glass due to the potential for copyright theft.

This wider scope for collection of data in more surreptitious fashion means there’s more chance of breaking UK law with Glass than with most other consumer devices. One potential outcome is that every user becomes a data controller, defined in the legalese as “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”.

Though there is an exemption from punishment for domestic use of other people’s data, such as names and addresses on a Christmas card list, what happens when a Google Glass user is a sole trader or part of a small business and is deemed to be operating the device for organisational use? They might not know it, but this would require them to register themselves with the ICO as a data controller. If they don’t, they’ve broken the law and could be fined thousands of pounds.

The exemption for domestic use is also troublesome when one considers the Bring Your Own Device (BYOD) world in which we live. If an employee is wearing Google Glass and processing business information with it, whether via images, video or through some of the augmented reality features, the exemption could well be nullified. “If Glass works in the same way as any other BYOD device used in the workplace, the employer has to be able to manage the data protection risks. Failing to do this can lead to multiple data protection law breaches,” says Stewart Room, a barrister and solicitor who specialises in data protection law.

Things could get really messy if the user has more malign intentions towards the business. “Wearers might gather sensitive personal data in the workplace that belongs to their employer, perhaps as a whistleblower or as a rogue insider. That would breach the Act and would put the employer in grave legal jeopardy,” says Room.

Workers themselves would be within their rights to complain about their employer if information taken from Google Glass is used in any major decision affecting them. The Act says no decision can be “taken by or on behalf of the data controller which significantly affects that individual … based solely on the processing by automatic means of personal data”. Such decisions could relate to the employee’s “performance at work, his creditworthiness, his reliability or his conduct”. That means any business that decides to fire a member of staff having seen some misdemeanor recorded by Glass could land themselves in deep legal trouble.

Then there are the dreaded ‘right to be forgotten’ and data storage issues. The UK’s basic rule is that personal data has to be accurate and it cannot be retained for “longer than necessary” for the processing purpose. That nebulous terminology means anyone capturing people’s data via Glass could be asked to remove it at any time. Perhaps Virgin Atlantic, which has given some of its staff Glass to provide a better service to customers, can expect to receive complaints from hordes of passengers who don’t want their image kept on file or there personal prefereces stored on the servers feeding Glass devices their information. Presumably once the plane lands, that’s when the “necessary” data retention period ends…

Simon Rice, group manager for technology at the ICO, frets about too much data being stored by Glass users, who would likely forget about the reams of personal data they are collecting. “Most of the debate on Google Glass has focused on the camera, which is only a part of its functions. If it replaces your watch or non-smart device then, whilst you’re not forced to carry it around with you, it’s more likely to be on you  24/7,” says Rice.

Google itself is unlikely to ever be punished in the UK for any illegal use of Glass. The Act only applies to UK firms or those that use equipment in the United Kingdom for processing the data, which would provide Google with some protection. Looking at the Google Street View case, where the company’s mapping cars slurped up people’s information over unprotected Wi-Fi networks without telling people, an action that has not received punishment from the ICO, it’s apparent the firm has little to worry about when it comes to paying for illegal acts related to privacy.

But business users really do have to worry about Google Glass and its inevitable copycats. These new devices might  just lead them into embarrassing and costly court battles.