The images of the US Capitol being stormed by a crowd of demonstrators seeking to stop Joe Biden’s certification as President are still fresh in our mind. On top of the social and political unrest, the incident has had other consequences in various fields, including technology law.
Don’t miss our content
SubscribeThe images of the US Capitol being stormed by a crowd of demonstrators seeking to stop Joe Biden’s certification as President are still fresh in our mind. On top of the social and political unrest, the incident has had other consequences in various fields, including technology law.
Shortly after these traumatic events, FACESOFTHERIOT.COM (Faces of the Riot) appeared. This website took advantage of a security breach on the Parler social network and used machine learning tools and open-source facial recognition software to isolate, extract and duplicate the faces of all demonstrators in over 800 videos related to the Capitol storming posted on the social network.
Faces of the Riot has been set up as a directory, showing the faces of everyone who appeared in the videos (along with the clips in which they appear) one by one. These individual images do not only include rioters, but everyone appearing on camera. They show the US Capitol attackers, but also peaceful demonstrators, journalists and law enforcement officers, among others. According to the website’s homepage, the image directory is made available to users so they can report any faces they recognize to the FBI, using a link provided on its homepage.
The unauthorized use of the videos that were originally posted on Parler and the use of facial recognition technology raise many legal concerns. Below we assess what the consequences would have been if Spanish and EU law had been applicable.
Regarding the right to one’s own image, provided in article 18 of the Spanish Constitution, the website’s use of the individuals’ image is more than questionable. Obviously, the website published the facial images without the consent of those affected.
The unauthorized use of individual images on that website could be a violation of Act 1/1982 regarding civil protection of the right to honor, personal and family privacy and one’s own image. Any of the affected individuals could bring judicial proceedings asking (i) that the image be removed from a publicly accessible website; and (ii) for compensation for any damages arising from the publication.
Considering that the images were taken from audiovisual recordings including other people, the images could be showing public events or characters, so the appearance of the individuals could qualify as incidental, and thus justified and not unlawful, under article 8 of Act 1/1982. However, this is a weak argument considering that the images have been taken from their original context and individualized in order to clearly identify the affected individuals.
There is another significant legal angle to the case: the right to personal data protection. The Faces of the Riot creator downloaded the audiovisual content posted by Parler users to identify the rioters through information technology tools. This clearly constitutes data processing without an appropriate legal basis.
Processing the obtained data to identify individuals through their image in order to report them to law enforcement violates the individuals’ right to privacy. As noted above, any of the 6,000 individuals whose faces appear individually on Faces of the Riot could file a complaint.
In the absence of a lawful legal basis, this processing could qualify as a very serious infringement under articles 83(4) of the General Data Protection Regulation and 72 of the Spanish Data Protection and Digital Rights Guarantee Act. Note that publishing individuals’ images in a directory of alleged rioters in a political demonstration will probably be considered unauthorized processing of highly sensitive data, since it involves these individuals’ political affiliation (Republicans supporting former President Trump). This would make the infringement even more serious, since under article 9 of Act 3/2018 not even the data subjects’ consent would make this a lawful processing.
This incident could give rise to serious liability. In this case there are legal risks for: (i) Parler, the social media where users first posted the content and from which the content could be downloaded directly due to Parler’s security breach; (ii) anyone who downloaded and processed the content to identify the individuals’ faces appearing on video; and (iii) potentially, both Parler’s and Faces of the Riot’s hosting provider, depending on the provider’s knowledge of the hosted content and its response to that awareness. Parler’s hosting provider’s decision last week, terminating its hosting services and practically shutting down the website since then, evidences the importance of the hosting provider’s response.
Below we outline the potential implications of such an incident, considering the potential liability of digital service intermediaries in the context of the recent Proposal for a Regulation on a Single Market for Digital Services (Digital Services Act).
Given the increasing use of communication networks to disseminate all kinds of content online (including openly illegal content), the liability of online intermediaries will probably be central when it comes to digital service regulation. The Digital Services Act seeks to regulate and specify the liability of intermediary service providers (such as website hosting providers like Face of the Riot’s). Articles 13 to 17 of the Spanish Information Society Services and Electronic Commerce Act already provide a liability regime. However, the future Regulation will add specific obligations, probably triggering quicker responses by intermediary service providers to avoid liability.
As discussed above, this case has many legal implications, including some unforeseeable ones. According to recent news, some demonstrators at the US Capitol storming have been fired on the spot because their picture appeared on Faces of the Riot. Under Spanish labor law, these dismissals are questionable. Revealing the information justifying the dismissals violates the employee’s right to personal data protection and, if the employers accept that information as grounds for dismissal, they could be undermining the employee’s right to privacy.
This case is legally complex and challenging. We will pay attention to these situations and ensure that the law strikes a difficult balance between simplifying complex investigations and appropriately protecting individuals’ digital rights.
Authors: Albert Agustinoy and Mònica Ferrer
Don’t miss our content
Subscribe