4

I recently read of a man who had a Google account. His son's doctor asked for photos of a medical issue his son was having around his groin area, so his wife used his phone to take some. Google flagged up the images as potential child sexual abuse, locked his account and reported him to law enforcement.

Law enforcement subsequently requested the content of his Google account, including emails and photos. The criminal investigation eventually ended with no action taken, although the investigator was unable to communicate this to the victim because his Google email address and Google Fi phone number no longer worked. Google has so far refused to unlock his accounts.

If this happened in a GDPR country, would there be a data protection issue? There are similar cases of mistaken identity, such as parking enforcement firms mis-reading licence plates and sending invoices to the wrong people, which are considered an abuse of that data that can be remedied by compensating the victim. Given that Google was mistaken here, and provided private data to law enforcement, and interfered in a child's medical care, would there be any liability for them?

Improve this question
3
  • 1
    Under GDPR, data may be processed for purposes prescribed by law. Law enforcement is excepted from both consent and proportionality requirements (Article 6). I seriously doubt that Google is liable for the initial report, and for their subsequent cooperation with law enforcement. Their failure to unlock might be construed a violation of Article 16 (correction of wrong entries) but I doubt that, too.
    – o.m.
    Commented Aug 22, 2022 at 16:09
  • 1
    But if the report was mistaken, the image was actually a medical image and not child abuse, does that not make the initial sharing of the data, and indeed its access by Google employees for the purpose of reporting it, a contravention? Similar to the parking example, the initial mistake invalidates any legal basis for subsequently processing the information.
    – user
    Commented Aug 22, 2022 at 19:25
  • By your reasoning, no data could be shared until there was a conviction, which would probably prevent any convictions. Also, most GDPR countries have a different slant on the 'fruit of a poisoned tree' doctrine.
    – o.m.
    Commented Aug 23, 2022 at 4:15

1 Answer 1

Reset to default
-1

There is no liability

This is not to say that there might or might not be a breach of the GDPR, it’s just that the GDPR does not give individuals a right to sue. Only the national regulator can take action.

Indecent images of a child

The photos showed a nude child. Therefore, under UK law they are prima facie indecent child abuse material. It is illegal to make, possess, and distribute such material. Fortunately the police probably decided you had a legitimate reason:

Prosecutors are reminded that where an intimate image is made, published, sent or stored for clinical reasons in accordance with the operational guidance led by NHS England and Improvement, this will normally amount to a “legitimate reason” in relation to the patient and/or carer and to any clinician involved in the process. 

Did you follow the “operational guidance led by NHS England and Improvement”? Do you even know what they are?

You were lucky not to be charged and your doctor is an idiot. Catch a different police officer on a different day in a different mood and you could have found yourself trying to convince a jury of your legitimate reason.

Google was not mistaken in determining that you had potentially posted child abuse material.

Is there a breach of GDPR?

Maybe.

The photos are PII and special category data.

It is lawful to share such data with law enforcement if there is a lawful basis for doing so under Article 6 and a condition for processing under Article 9. Without knowing Google’s reasons for sharing the data, it’s impossible to know if they complied with this.

Their privacy policy does say that they will share data to “Protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.”

Based on your description, it appears that Google did not share any PII until law enforcement requested it. Now, it’s obvious that by reporting that they potentially had indecent images of a child that such a request would follow but the distinction is significant.

Google still need to comply with the GDPR but they are more likely to meet the balancing test for legitimate interest if they are responding to a request. Google probably should have shared only the photos for the police to assess if further investigation was warranted - the GDPR requires the sharing of only required information.

Google’s actions probably warrant investigation even though it’s likely they can justify them to the regulator.

Improve this answer
4
  • 1
    Isn't there a GPDR exception for criminal justice enforcement activity?
    – ohwilleke
    Commented Aug 22, 2022 at 23:28
  • @ohwilleke yes - for law enforcement itself. Private actors must still have a lawful basis for disclosure, usually legitimate interest.
    – Dale M
    Commented Aug 23, 2022 at 0:08
  • 1
    I don't think you are right about it being prima facie indecent child abuse material. Your link outlines the conditions for it being indecent, and it seems that there are enough exceptions, combined with the material presumably not being overtly sexual in nature, that this would be a stretch.
    – user
    Commented Aug 23, 2022 at 19:05
  • 1
    Also you should edit your answer so that it isn't accusatory or use "you", as it sounds like you are having a go at me and this is actually a question based on events I read about in the news which happened in the United Stated.
    – user
    Commented Aug 23, 2022 at 19:07

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .