Hello, hello, damn and damn! We faithfully attend our appointment on Tuesdays to answer your questions about the digital world. Today we have a potpourri on privacy, image rights and cybersecurity, so stay until the end because it is very likely that you have also asked yourself some of these questions.
As you well know, this office exists to answer your questions, so be sure to send your questions to email [email protected], Twitter and Facebook or write down this form. Every week we answer them here.
Why can this be a source of discomfort? Because those images may end up posted on the social networks of a stranger and you may not feel like appearing in them. If we don't want to, we don't have to expose ourselves to someone recognizing us in a photo or video that we haven't consented to, let alone appearing on the internet. In addition, what we are telling you applies the same to a bar, to the subway or to a super.
According to the Organic Law on Data Protection (LOPD), the image is personal data because it identifies us, and therefore it is protected. However, beyond this norm, in Spain we have Law 1/1982 on the civil protection of the right to honor, personal and family privacy and one's own image, which directly says that you cannot take photos or make videos of a person without their permission.
He explains it to MalditaSamuel Parra, a lawyer specializing in data protection in ePrivacy: “Before recording, the person should have asked for your consent, what happens is that person probably doesn't even know the law and, most likely, it is that he has a misconception that he can do it because he is in a public place”.
Contrary to what you might think in general, a restaurant or a bar are private spaces, no matter how much you share them with more people. According to the regulations, anyone who wants to record images inside has to ask permission from the people who may appear in them, even if they are not the main objective for which they are taken. This also happens on a beach or even in the field, even if they are open spaces.
Parra explains that the exceptions contemplated by Law 1/1982 only refer to photos or videos taken of public figures or news events and the taking of “accessory” images. For example, in a campaign event, the photographers and cameramen who cover it do not have to ask permission from the politicians who speak (they are public figures) or from the people who come to see it (it is a news event and their presence at the event is "accessory").
The problem with this situation, apart from the general ignorance of data protection laws and regulations, is that the 1982 self-image law did not count on the appearance of social networks three or four decades later. From its entry into force, people had this tendency to share their entire lives in a public space, such as the Internet.
“A social network in which we have a lot of friends or followers and an open profile is not a domestic environment and if we want to process data, either upload a photo with more people to Facebook or tag someone in it. someone is going to require the consent of those people”, explains Parra. "If we don't have it, it's going to be an infraction."
Ah, friend! Maybe you didn't know this! Have you ever asked your grandmother for permission to upload her photo vaccinating herself to social networks or to your friends' friends to appear in that birthday video? Technically, you need it.
For those people who find themselves in this situation, there are two ways to request the removal of the images: with a complaint to the Spanish Agency for Data Protection (AEPD) or by civil means, alluding to Law 1/ 1982. The complaint before the AEPD is simpler and free, since there is no trial involved, while by civil means at least you will need a lawyer and cover the costs. Parra recalls that with the agency we only aspire to a fine, while with a trial we can receive compensation.
You have asked us how it is possible that a search engine for which we do not have to pay is able to earn money and, on top of that, plant trees with it. All this while claiming to be more respectful of our privacy than others, such as Google, which is the most widely used tool for searching the Internet. This is the case of Ecosia, a search engine that works as an extension for our browser or using an application on our mobile.
The first thing to know is that Ecosia does not work with its own structure, but rather uses the Bing search system, owned by Microsoft. That is to say, that all the results that it offers us when searching for something are the same that we would obtain when searching on Bing.com. Starting from that base, we already know that some data does or does have to be transferred to Microsoft: our searches, from where we do them, in what language, our IP address, etc. because if not they could not give us the service.
With that information, Ecosia shows us ads that, in turn, have been provided by Bing. Every time users click on one of those ads, Ecosia (and Bing) take a percentage. What the organization says is that with this income they pay other members to plant trees. In addition, they also sell clothing and other custom products.
Ecosia ensures that personal data such as names, dates of birth or addresses are not stored, but less specific data about our devices is. For example, it saves the language in which we search or the IP address from which we connect, as well as the location data of our phone (if we give it access), which it collects to "improve the experience" or to "show most relevant search results or ads.” In the end, Ecosia acts as an intermediary, which adds another layer of privacy for users, despite not being foolproof.
“This company has the ability to reduce many operating costs because it does not have to maintain an infrastructure or a spider to go looking for the results,” Carlos Fernandez Barbudo, professor of Political Theory and Cybersecurity at the Rey Juan Carlos University, told Maldita. and technology researcher. “It has a very simple business model: it makes business from the ads it serves through Bing.”
Barbudo explains how most free services that generate revenue from advertising operate: “In this case, they say they don't store the information or collect data about your behavior, which is quite true. The problem is that they do transmit information to Microsoft: they attach a unique identifier to you and each time you use their search engine they transfer it to them, so it is this company and specifically Bing and its advertising system that carry out this personalization ”.
You're sure to find a zoom style for you.https://t.co/TL3hmZ6xA2
— FutureShift Tue Jul 20 17:00:28 +0000 2021
That personalization is what companies then pay for, because they want to know who exactly to target in order to increase the chances that someone will buy their product. In this sense, adds Barbudo, this search engine "is less intrusive, less of a threat to privacy because they act as an intermediary, adding one more layer, but in the end it is still based on your searches, what you click on or what ads are most useful, They personalize your content.
Apart from using Microsoft's Bing infrastructure, Ecosia uses other services from large technology companies: for example, they use trackers from Facebook, Google or Amazon to measure whether an advertising campaign has been successful when displayed on different web pages. In the end, there is always a dependence on smaller services towards these large companies because they are the ones that monopolize the infrastructure at a global level and there is no possible competition for them.
What good is it for these big tech companies to have a much smaller service take advantage of their tools and sell it as an alternative? "Many times the benefits of offering certain services are not necessarily economic," recalls Barbudo. "Everything that has to do with competing to be the reference platform for web searches reinforces its position," he adds.
Remaining the leading company in the technology market is essential for the GAFAM calls: Google, Amazon, Facebook, Apple and Microsoft. But it is not just about maintaining their dominant position: it also allows them to continue training their content and advertising personalization models, because even if there is an intermediary as in the case of Ecosia, they continue to receive behavioral data.
When it comes to getting into the world of data protection and cybersecurity (which can seem a bit intimidating if the subject is completely foreign to us), it is convenient that each business make a first evaluation to see in what situation it is. In other words, it is necessary to assess whether the personal information of many or few people is going to be processed, with whom we will share this data (and why it will be necessary to do so) and what electronic devices we will use in our day to day.
To focus these first steps, Sergio Carrasco, an expert lawyer in privacy and digital affairs and a computer engineer, recommends that all small and medium-sized companies (SMEs) take a look at the website of the Spanish Agency for Data Protection (AEPD) , and more specifically to the information related to the registration of data processing activities.
The essential thing, according to the expert, is to identify "what data is processed, for what, using what bases of those allowed by the European General Data Protection Regulation and the conservation period". "And from there work," he adds. When we speak of "permitted bases", we refer to the cases in which companies can rely to collect and process our data.
The 'bible' to turn to when we talk about data protection is, naturally, the law that regulates the matter. In Spain, the Organic Law for the Protection of Personal Data (LOPD) does so, a regulation that came marked from Brussels with the General Data Protection Regulation (RGPD). They have been operating in our country since 2018.
Ángel Benito Rodero, an expert lawyer in data protection, encourages all those responsible for an SME to go to this AEPD portal that details the actions necessary to comply with the law.
"Likewise, if the company carries out very simple or basic data processing, it can use the AEPD's own tool called 'Facilita RGPD'. This tool will provide you, after entering some basic data and answering some questions, some documents of adaptation to the GDPR: very basic documents, yes, but after all validated by the agency itself”, adds the lawyer.
In the event that the daily activity of the company includes a slightly more complex treatment of clients' personal data (and therefore you cannot use this tool), the agency stresses the need to review it periodically the security measures around this data management, offer guarantees to customers so that they can access the personal information that we keep about them and propose emergency mechanisms to activate in case there is a security breach in the databases of data.
One of the figures included in the law (and which can be more confusing for small businesses) is that of the data protection officer. Is it necessary to name one? What criteria determine whether or not to do so? We return to the AEPD, which contemplates a list of cases in which it would be necessary to appoint a person who is specifically dedicated to ensuring compliance with the regulations. In this Maldita article we also explain what this figure is for and when a company must have it.
There are multiple scenarios that would legally force you to name one. For example, it is mandatory if you work in private security, grant credit or if the business carries out "large-scale processing of special categories of personal data".
The two lawyers consulted by Malditaa advise going to an expert in case the obligations of the SME are not entirely clear: it is better to look at it with a professional before facing a possible fine for irresponsibly treating the data of the clients.
Regarding cybersecurity, Ángel Benito explains that for all those who manage an SME that “does not provide any essential or strategic service, there are no obligations other than those that derive from data protection regulations”.
In the professional field, it is always advisable to exercise extreme caution and not do anything that you would not do with your computer in the private sphere. In this complete guide from the National Institute of Cybersecurity (INCIBE) several keys are given about online image, electronic commerce or responsibilities with respect to the client.
Among the basic recommendations we find things like "keep systems updated free of vulnerabilities", "make employees aware of the correct use of corporate systems" or "use secure networks to communicate with customers, encrypting information when necessary ", among other.
And if you want to go deeper, INCIBE itself offers you at this link a self-diagnosis tool for businesses in which you can identify threats that you may not have on your radar.
We are not technicians or engineers but we have a lot of help from people who are experts in their field to answer your questions. Nor can we tell you which service to use or stop using, we only inform you so that you can decide which one you want to use and how. Because definitely, together and together it is more difficult for them to sneak it into us.
If you have any questions about this information or any other related to the way you relate to everything digital, send it to us: