3

Suppose that a software developer (April) living in the UK,has created a simple browser plug-in that takes screenshots of a user's browser windows and allows the user to enhance and "prettify" these screenshots in various ways.

The "enhancing" part of the screenshot processing is done on April's server, which means that all screenshots are uploaded from people's computers to April's over the internet. April has no control over the data that people take screenshots of: it can be their personal email messages, or some copyrighted material, or even their nude pictures. And all this data ends up on the web server that April owns and contrtols.

Are there some specific kinds of data processing agreement or privacy policy that April needs to offer to users so that she doesn't end up in any kind of legal trouble (with GDPR or any other privacy laws)? Maybe a disclaimer saying something like "by installing this plug-in, you agree not to take screenshots of any illegal/copyrighted material"?

Improve this question
2
  • Does the server keep the screenshots or deletes them as soon as the result is delivered back to the user?
    – Greendrake
    Commented Jan 10, 2023 at 3:25
  • They are permanently deleted as soon as the user downloads the result
    – Adden
    Commented Jan 10, 2023 at 9:32

1 Answer 1

Reset to default
1

Since the developer is also said to be running the website where screen shots to be edited are stored, and is resident in the UK, it would seem that the GDPR-UK applies. (The EU version may also apply when a user is in the EU.) This means that the Data Controller (DC) must have a lawful basis under Article 6

The most plausible basis would seem to be point (b) of article 6 paragraph 1. That reads:

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

For this to apply, the DC would need to include in a ToS document or in some other relevant document that a user must accept, contractual language in which the Data Subject (DS) agrees to submit data for processing, and the DC agrees to recive, process, and return it. There would probably be other provisions as well. One of them might be that the content could not itself be unlawful, another that the DS has all needed rights to submit the content for creation of a modified version, yet another that the service could not be used for any unlawful purpose.

However, other GDPR provisions would also apply. In particular, Article 5, paragraph 1 point (e) reads in relevant part

[Personal data shall be] kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ...

this suggest that such screen shots should not be retained indefinitely, but rather deleted securely as soon as the modified versions have been transmuted to ther users who have requested them. While 5. (b) does permit retention for archiving purposes, it is better practice to retain no more thasn needed. Furthermore, if such information is to be retained as an archive, that should be disclosed to the user under Article 13 specifically 13.1(c) and 13.2(a). Those require disclosing the purpose and lawful basis of procession, and the expected time of retention or the criteria used to determine the retention period.

Othre disclosures liosted in article 13 would also apply.

The idea of consent on the basis of "by using this app/site you consent to ..." is not valid consent under the GDPR. Specifically Article 7 requires that consent can be withdrawn at any time, and be easy to withdraw. Recital 32 states:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. ... Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

Thus contractual language, explicitly agreed to by the DS, is a much better basis than such implied consent.

Improve this answer
2
  • How can giving/withdrawing consent look in practice? Browser plugins are distributed via plugin galleries/marketplaces that are maintained by browser developers (Google/Apple), and offer limited means of requesting consent when you install anything. Usually the most you can do is put text like this in the description: "By installing this plugin you agree to our ToS: <link>. If you do not wish for your data to be processed anymore, please stop using the plugin." Can this be considered an adequate way to request/withdraw consent?
    – Adden
    Commented Jan 10, 2023 at 11:15
  • @Adden If a plugin captures PI and stores or otherwise processes it on a server, not the user';s device, there may be a problem. I don't know of a court case dealing with GDPR compliance in that sort of situation yet. I would think that writing the ToS so that agreeing to it forms a contract will work much better than calling it "consent by use". Of course, if the plugin does not process personal data, or works only on the user's device, there is no GDPR issue.
    – David Siegel
    Commented Jan 10, 2023 at 16:34

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .