5

I recently read of a man who had a Google account. His son's doctor asked for photos of a medical issue his son was having around his groin area, so his wife used his phone to take some. Google flagged up the images as potential child sexual abuse, locked his account and reported him to law enforcement.

Law enforcement subsequently requested the content of his Google account, including emails and photos. The criminal investigation eventually ended with no action taken, although the investigator was unable to communicate this to the victim because his Google email address and Google Fi phone number no longer worked. Google has so far refused to unlock his accounts.

If this happened in a GDPR country, would there be a data protection issue? There are similar cases of mistaken identity, such as parking enforcement firms mis-reading licence plates and sending invoices to the wrong people, which are considered an abuse of that data that can be remedied by compensating the victim. Given that Google was mistaken here, and provided private data to law enforcement, and interfered in a child's medical care, would there be any liability for them?

phoog
user

1 Answer

-1

There is no liability

This is not to say that there might or might not be a breach of the GDPR, it’s just that the GDPR does not give individuals a right to sue. Only the national regulator can take action.

Indecent images of a child

The photos showed a nude child. Therefore, under UK law they are prima facie indecent child abuse material. It is illegal to make, possess, and distribute such material. Fortunately the police probably decided you had a legitimate reason:

Prosecutors are reminded that where an intimate image is made, published, sent or stored for clinical reasons in accordance with the operational guidance led by NHS England and Improvement, this will normally amount to a “legitimate reason” in relation to the patient and/or carer and to any clinician involved in the process. 

Did you follow the “operational guidance led by NHS England and Improvement”? Do you even know what they are?

You were lucky not to be charged and your doctor is an idiot. Catch a different police officer on a different day in a different mood and you could have found yourself trying to convince a jury of your legitimate reason.

Google was not mistaken in determining that you had potentially posted child abuse material.

Is there a breach of GDPR?

Maybe.

The photos are PII and special category data.

It is lawful to share such data with law enforcement if there is a lawful basis for doing so under Article 6 and a condition for processing under Article 9. Without knowing Google’s reasons for sharing the data, it’s impossible to know if they complied with this.

Their privacy policy does say that they will share data to “Protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.”

Based on your description, it appears that Google did not share any PII until law enforcement requested it. Now, it’s obvious that, by reporting that they potentially had indecent images of a child, such a request would follow, but the distinction is significant.

Google still need to comply with the GDPR but they are more likely to meet the balancing test for legitimate interest if they are responding to a request. Google probably should have shared only the photos for the police to assess if further investigation was warranted - the GDPR requires the sharing of only required information.

Google’s actions probably warrant investigation even though it’s likely they can justify them to the regulator.

Dale M