Altering Faces. Data Protection And Sore Thumbs

To those that, contrary to any evidence, still believe that data protection equals privacy, this case will come as a shock: the police of Portland (Oregon – USA)  used Adobe Photoshop to remove tattoos from the picture of a suspect so that he could “blend” better in a photo-based identification. The defense of the suspect claimed that that was a way to “frame” him, while the prosecutor said that the “digital make-up” has been necessary to avoid excessive attention on the face of the suspect itself. The Court still haven’t issue a decision on the matter.

A few issues:

  • Is this a Personal Data Case? Yes. A few things but tattoos identify or make a person identifiable.
  • If happened in the EU, would had it be a GDPR Case? The GDPR doesn’t cover judicial activity and law enforcement investigation. Nonetheless, this is case where the notion of “fair processing” comes into play. Altering reality can hardly be hold as a “fair” behaviour.
  • If not the GDPR, what would have stopped this? This is a case of “reverse fairness” and “investigative malice”. Police wanted to be “fair” toward the suspect and – in the meantime – explore the “possibility” that he disguised the tattoos with a make-up. The due process right prevents (or should prevent) law enforcement from resorting to this trick.


A Real-Life Case of Inefficient Profiling

Amazon knows in extreme detail – thanks to the analysis of purchases – my interests and – thanks to the analysis of how I use my Kindle – my reading habits. Yet he sends me an email to suggest, on the basis of my profiling, to buy a book that I wrote.

If all a giant with a limitless computing might like Amazon is able to extract from my personal data is a suggestion to buy my own books either I’m not actually monitored or profiling just doesn’t work.

The Holy Alliance Between GDPR and Consumer Law

One of the most difficult task in the practical enforcement of the GDPR provisions is to find a fair balancement between the technicality of the legal language and the duty of simplicity settled by the data protection bylaws. Both the GDPR itself and the various “suggestions” coming from the various player are nothing more but a re-phrasing of the legal text, thus leaving the data controller as well as the data subject unable to have clear directions. Continue reading “The Holy Alliance Between GDPR and Consumer Law”

The Data Protection Authorities and the Liability for fines’ early warning

I do not understand the choice of some Personal Data Authorities to publicly anticipate the decision to fine a Data Controller instead of just doing it and then spread the news.

Indeed, many large companies are listed on the stock exchange or may suffer negative consequences from a simple announcement such as “we are thinking of fining…”. What happens, then, if the fine does not come or – worse – if it is cancelled following a judicial appeal? There will be a similar press-release that will say “we are deeply sorry, we were wrong, the judge turned us down?”

Now, if obviously it is not possible to ask for damages for the application (in good faith) of a fine then revoked by the judge, it is not automatically so for behavior that goes beyond the strict observance of the fining procedures.

Attention and care should be paid, therefore, to publicly anticipate decisions that are not definitive, especially without indicating the date when the appeal is no more allowed or the fact that the owner has challenged the fine in Court.

Protecting Personal Information in the High-Tech Business – A Special Lecture at Nagoya University

Special Lecture

Protecting Personal Information in the High-Tech Business
The impact of Privacy and Data Protection on the Japan/EU commercial relationships

Prof. Andrea MONTI «Gabriele d’Annunzio» University, Pescara

July 25, 2019 – 16:30-18:00
Asian Legal Exchange Plaza, Lecture Room 2


For information and registration please contact Prof. Giorgio F. COLOMBO:

This lecture is supported by JSPS Kaken-hi Grant 17H00963