

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement n° 720417

D1.3 - Privacy, ethical and legal constraints

WP number and title: WP1 – Project Management
Lead Beneficiary: CERTH
Contributor(s): ENG, ADM
Deliverable type: Report
Planned delivery date: 30/06/2017
Last Update: 24/07/2017
Dissemination level: PU

SURVANT Project
H2020-FTI-Pilot-2015-1 – Fast Track to Innovation
Grant Agreement n°: 720417
Start date of project: 1 January 2017
Duration: 24 months


Disclaimer

This document contains material which is the copyright of certain SURVANT contractors and may not be reproduced or copied without permission. All SURVANT consortium partners have agreed to the full publication of this document. The commercial use of any information contained in this document may require a license from the proprietor of that information.

The SURVANT Consortium consists of the following partners:

No.  Partner Name                                        Short name  Country
1    Engineering Ingegneria Informatica S.p.A.           ENG         Italy
2    Ethniko Kentro Erevnas Kai Technologikis Anaptyxis  CERTH       Greece
3    Innovation Engineering srl                          INNEN       Italy
4    United Technology Research Centre Ireland, Limited  UTRC        Ireland
5    Ayuntamiento de Madrid                              ADM         Spain


Document History

Version  Date        Status             Authors, Reviewer  Description
V0.1     19/04/2017  Draft              CERTH              ToC
V0.2     28/04/2017  Draft              CERTH, ENG, ADM    Final ToC
V0.3     06/06/2017  Draft              CERTH              First draft
V0.4     20/06/2017  Draft              CERTH, ENG, ADM    First complete draft
V0.5     26/06/2017  Completed version  CERTH              Version ready for peer review
V0.6     14/07/2017  Completed version  CERTH              Revised version
V0.7     19/07/2017  Completed version  CERTH              Additions in Section 2
V1.0     20/07/2017  Completed version  CERTH              Ready for peer review
V1.1     24/07/2017  Completed version  ENG                Final document for submission


Definitions, Acronyms and Abbreviations

Acronym/Abbreviation  Description
CoE                   Council of Europe
CFR                   The Charter of Fundamental Rights of the EU
CNN                   Convolutional Neural Networks
DL                    Deep Learning
DPA                   Data Protection Authority
ECHR                  European Convention on Human Rights
ECtHR                 European Court of Human Rights
EU                    European Union
GDPR                  General Data Protection Regulation
LEA                   Law Enforcement Agency
LEP                   Privacy, Ethical and Legal
OECD                  Organisation for Economic Co-operation and Development
OWL                   Web Ontology Language
PbD                   Privacy by design
PETs                  Privacy Enhancing Technologies
PII                   Personally Identifiable Information
RNN                   Recurrent Neural Networks
SURVANT               SURveillance Video Archives iNvestigation assisTant
SWRL                  Semantic Web Rule Language
TEU                   Treaty on European Union
TFEU                  Treaty on the Functioning of the European Union


Table of Contents

Executive Summary ... 8
1 Introduction ... 9
2 Overview of relevant LEP principles ... 10
  2.1 Scope of the analysis ... 10
    2.1.1 Data Collection ... 10
    2.1.2 Data Analysis ... 11
    2.1.3 Validation ... 12
  2.2 Overview of the ethical issues related to video surveillance ... 12
    2.2.1 The concepts of privacy and data protection ... 13
  2.3 Legal frameworks for the protection of privacy and of personal data ... 13
    2.3.1 Protection of privacy ... 13
    2.3.2 Protection of personal data ... 13
    2.3.3 EU data protection reform ... 15
  2.4 Best practices for protecting privacy and personal data ... 17
    2.4.1 Privacy by design ... 17
    2.4.2 Privacy Enhancing Technologies ... 18
    2.4.3 Privacy Impact Assessment ... 18
3 Key differences between SURVANT and ADVISE affecting LEP aspects ... 19
  3.1 Differences in requirements ... 19
    3.1.1 Use Cases ... 19
    3.1.2 Investigation areas of focus ... 19
    3.1.3 Repository Management ... 20
    3.1.4 Facility to search for people without criminal incident ... 20
    3.1.5 Anonymization as optional ... 20
  3.2 Technical differences ... 20
    3.2.1 Differences in Architecture ... 20
    3.2.2 Differences in Modules ... 22
4 Monitoring of privacy, ethical and legal constraints ... 24
  4.1 ADVISE Dataset ... 24
  4.2 SURVANT Dataset ... 25
5 Conclusions ... 27
6 References ... 28
7 Annex I – ADVISE Consent Form template ... 29
8 Annex II – SURVANT Consent Form template ... 31


List of Figures

Figure 1: EU data protection reform timeline ... 16
Figure 2: Comparison of the logical architecture of SURVANT (left) and ADVISE (right) ... 21
Figure 3: Videos contained in the ADVISE dataset ... 25


List of Tables

Table 1: Module differences between ADVISE and SURVANT ... 23


Executive Summary

Analysis and monitoring of Privacy, Ethical and Legal (LEP) constraints in SURVANT will be conducted within Task 1.3. The task’s primary objective consists of two complementary parts: first, ensuring that R&D activities within the project will be compliant with the respective laws and ethical practices; second, supporting system development so that the SURVANT system does not generate ethically unwanted effects, is respectful of human rights, and complies with the applicable legislation. It must be noted that, since SURVANT is the follow-up of the research project ADVISE, the intention of the analyses within T1.3 is to build upon the ethical/legal work done within ADVISE.

The scope of the analyses within T1.3 is the SURVANT project and system and its context. For example, regarding data collection, since the SURVANT system is envisioned not as a video (data) collection tool but as a video analysis toolset, all ethical/legal obligations related to the data capturing phase of the data lifetime lie primarily with the initial owner/creator of the data.

The initial stage of the analysis was the preparation of an overview of ethical issues related to video surveillance as well as of the applicable legal frameworks (international and European). At the heart of the ethical analysis lie the concepts of privacy and data protection, which are analysed. Similarly, international and European legal frameworks for the protection of privacy and personal data are presented and analysed. A significant aspect of the SURVANT project is that it will be running in parallel with the fundamental change of the EU regulatory and legal framework which is currently taking place. The new Regulation (EU) 2016/679 shall apply from 25 May 2018, while the new Directive (EU) 2016/680 has to be transposed into the national law of the EU Member States by 6 May 2018 (M17 out of 24 of the project). As a consequence, the SURVANT project will partly run with the previous EU privacy/data protection framework in force (up to M17) and partly with the new EU privacy/data protection framework in force (after M17).

A significant part of the present document and of the effort within T1.3 is devoted to identifying and describing the key differences between SURVANT and ADVISE that are considered to affect LEP aspects. The differences are presented in this document separated into differences in what the system will be required to do and differences in how the system will do what is required.

Finally, besides providing an overview of the LEP principles that are relevant in the context of SURVANT and supporting the development of an ethically and legally compliant system, the T1.3 team is also tasked with monitoring R&D activities with regard to LEP compliance. Therefore, we want to make sure that data processing conducted within SURVANT will be respectful of any personal data that might be included in the project datasets. To this end, a detailed discussion regarding the project datasets is presented in this document.


1 Introduction

Analysis and monitoring of Privacy, Ethical and Legal (LEP) constraints in the ‘SURveillance Video Archives iNvestigation assisTant’ (SURVANT) project will be conducted within Task 1.3 ‘Analysis and monitoring of privacy, ethical and legal constraints’ of WP1 ‘Project Management’.

The task’s primary objective consists of two complementary parts. First, ensuring that research and development activities within the project (mainly management[1] of datasets) will be compliant with the respective National and European laws, and with best ethical practices and rules/standards. Second, supporting the project consortium in developing a technical prototype, i.e. the SURVANT system, that does not generate ethically unwanted personal or social effects, is respectful of human rights (particularly the right to privacy and data protection), and complies with the applicable National and European legislation.

The analyses will, on the one hand, monitor research and development activities within the project with regard to the respective laws and best ethical practices, and on the other hand, identify any legal requirements applicable to the technical system and architecture itself and monitor their implementation.

It must be noted that, since SURVANT is the follow-up of the research project ADVISE (GA 285024)[2], aiming to prove the ADVISE system in an operational environment and commercialize it, the intention of the analyses within T1.3 is to build upon the respective work done within the ADVISE project and to identify only additional or redundant requirements, in comparison to the ones identified within ADVISE, for the SURVANT technical system and architecture.

In Section 2 of this deliverable we provide an overview of privacy, legal and ethical rules and principles that are relevant in the context of the SURVANT project. We define the scope of our analysis and present international as well as European frameworks and best practices. Section 3 provides a high-level capture of the key differences between SURVANT and ADVISE that are considered to affect LEP aspects. Section 4 deals with ethical, legal and privacy monitoring of research and development activities, focusing on the management of the datasets that are planned to be used in the project. Finally, the document concludes with Section 5.

Section 6 provides a list of all references in the text, while Annexes I and II present consent form templates for the ADVISE and SURVANT projects.

[1] The term ‘management’ is used here in a sense that covers the whole dataset lifetime, from inception to creation/discovery and to long-term storage or proper destruction.
[2] Advanced Video Surveillance archives search Engine for security applications (ADVISE, GA 285024), co-financed by the EU in the FP7 Work programme in the SEC-2011 call. For more details please refer to: http://cordis.europa.eu/project/rcn/102502_en.html.


2 Overview of relevant LEP principles

This section provides an overview of privacy, legal and ethical rules and principles that are relevant in the context of the SURVANT project.

2.1 Scope of the analysis

SURVANT – SURveillance Video Archives iNvestigation assisTant – is a research project co-funded by the Horizon 2020 Framework Programme of the European Union.

All around the world, organizations and agencies deploy video surveillance to monitor and protect property and public infrastructure, driven by numerous factors like increasing crime rates, security threats, terrorism acts and even monitoring of law enforcement. The influx of surveillance footage from a growing number of cameras operating at higher resolutions, such as HD, coupled with the desire to increase the retention time of that footage, is exploding the volume of the footage available. Organizations that have invested heavily in surveillance infrastructure are keen to exploit it for the automation of surveillance procedures using video analytics solutions.

SURVANT aims to deliver an innovative system that will collect relevant (i.e. surveillance) videos from heterogeneous repositories, extract video analytics, enrich the analytics using reasoning and inference technologies, and offer a unified search interface to the user. The SURVANT system functionality will be primarily adjusted for Law Enforcement Agencies (LEAs), critical infrastructure operators and private security organizations, but the project will also try to adjust the system to other users that share common needs.

SURVANT is the follow-up of the research project ADVISE (GA 285024), co-financed by the EU in the FP7 Work programme in the SEC-2011 call. It intends to commercialise the results achieved in ADVISE and prove the final system in an operational environment (TRL 9).

2.1.1 Data Collection

Current procedures for performing investigations in video archives are cumbersome and time consuming. The investigator has either to collect all the relevant video footage in one place or to identify the videos one by one and access them in a dedicated interface. In multi-camera environments, the investigator is usually forced to identify the exact camera location and viewing angle using separate resources, limiting the overall situational awareness.

Existing video surveillance management systems focus on real-time operations, disregarding the challenges of video archive search. Their provision to assist investigators during search is limited to thumbnail extraction to speed up the detection of relevant segments, visualization of the location of the viewed camera, and creation of custom playlists to assist investigation.

SURVANT aims to provide a unified interface for advanced, content-based search capabilities, evidence mining and smart investigation assistance functionalities within collections of multiple video archives. The SURVANT system is envisioned not as a video (data) collection tool but as a video analysis toolset, especially efficient for very large volumes of video data coming from heterogeneous sources (i.e. cameras or surveillance systems of different specifications and technologies).


Therefore, all ethical/legal obligations related to the data capturing phase of the data lifetime lie primarily with the initial owner/creator of the data (e.g. lawful surveillance, notification of passers-by, etc.). Of course, the SURVANT system will subsequently be processing[3] these enormous amounts of video and must therefore comply with all legal and ethical rules that concern the processing of such data (which might also include personal[4] or even sensitive[5] data).

2.1.2 Data Analysis

2.1.2.1 Automated Analyses

The SURVANT system will perform video (and image) analysis employing Deep Learning (DL) techniques such as Convolutional Neural Networks (CNN) and Recurrent Neural Networks (RNN), used to analyse static and motion content respectively. Inter-camera tracking and re-identification (of detected content) will be at the core of attention. An optimal balance between speed and accuracy will be pursued. DL systems have already been successfully deployed in applications such as object classification, object detection and tracking, activity recognition and modelling, etc. They are already deployed in commercial applications, enabling new functionalities due to their impressive performance. Especially regarding indexing of the content (video and images), SURVANT will use advanced multimedia indexing tools (e.g. such as those developed by the EU-FP7 LASIE project[6]) that will be leveraged and validated for larger-scale deployments.

The SURVANT system will also apply event enrichment and reasoning. It will deliver an inference framework able to combine low-level information and semantic annotations to enable automated reasoning mechanisms to discover high-level events and/or investigative hypotheses. Specifically, SURVANT will evolve the OWL tableau reasoning framework developed in ADVISE, based on a SWRL (Semantic Web Rule Language) approach, applying the event calculus formalism in order to allow event reconstruction in a narrative way, taking into account the spatial-temporal coordinates useful to track the crime and predict its evolution in time and space. OWL reasoning parallelization, using concurrent computation of inherently independent proof steps, will be utilized to optimize performance and ensure the scalability of the system.

[3] According to the [General Data Protection Regulation]: “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
[4] According to the [General Data Protection Regulation]: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
[5] In general, EU legislation identifies special categories of personal data that are subject to additional protections, i.e. ‘sensitive (personal) data’. According to [Directive 95/46/EC]: “‘sensitive (personal) data’ are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life.” According to the [General Data Protection Regulation]: “‘sensitive (personal) data’ are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU’s legislative competence).”
[6] Large Scale Information Exploitation of Forensic Data (LASIE), EU FP7 IP, http://www.lasie-project.eu/.


2.1.2.2 Non-automated Analyses

Finally, in contrast to the above automated analyses, the SURVANT system will also leverage human intervention (human-in-the-loop) capabilities – such as a GIS-based GUI allowing the user to execute targeted queries, advanced relevance feedback tools, etc. – and augment them with a more user-friendly multimodal interface and more advanced reasoning capabilities. Topology-driven reasoning will have a key role in learning from the trajectory of temporal events (the geographic positions of the retrieved events) and in providing recommendations to the user.

2.1.3 Validation

The SURVANT system will be validated through live prototype demonstrations (pilot tests) in a LEA operational environment.

2.2 Overview of the ethical issues related to video surveillance

A concise but complete list of key ethical issues related to video surveillance has been provided in Deliverable 2.2 ‘Report of relevant legal and normative standards and their evolution’ of the ADVISE project [ADVISE D2.2]:

• Privacy and the person. The primary ethical issue invoked by surveillance activities in general is that of privacy. Privacy in ethical terms invokes the notion that there is a sacrosanct “person” at the core of any and every object of human surveillance. This person is different from the information about the person gathered through surveillance and cannot be reduced to the surveillance data.

• Sub-categories of privacy (e.g. privacy of the body, of personal behaviour, of communication, of personal data, etc.) are the subject of ethical debate and no definitive categorisation exists.

• Criteria for assessing the invasiveness (in terms of privacy violation) of a specific surveillance action or technology can vary according to context.

• Data protection – from an ethics point of view – concerns the means available to safeguard privacy and invokes several issues such as: the actual data that is collected and stored, storage conditions, duration of storage, metadata, informed consent (or, in other words, authorisation by the subject whose data is being processed for the processing of the data), risk assessment (of the possibilities and consequences of data theft, disclosure, etc.), (DPA) notification requirements as per national or European law, dual use (i.e. unintended secondary use) of the data, and proportionality as the governing principle indicating that only data necessary to the end envisaged should be collected and not more.

• Biometric data generate several problems that are not yet adequately covered by EU regulations.

• Fundamental rights of the person[7].

It is worth noting that guarantees of privacy are central tenets of the European Charter of Fundamental Rights [CFR] and emerge from a deontological[8] approach to ethics that places the interests and rights of the individual at the forefront. The European Commission has taken steps to safeguard and attempt to guarantee personal privacy. This is evidenced by the new General Data Protection Regulation (GDPR) [GDPR], which sets out new rules deemed to be ‘future-proof’, the aim of which is to protect the personal data of individuals.

[7] E.g. the Charter of Fundamental Rights of the European Union enshrines certain political, social, and economic rights for European Union (EU) citizens and residents into EU law.
[8] Deontology (also referred to as Kantian ethics) is based on moral beliefs and values and on the obligations of the individual towards others. It is often used in contrast to Teleology, i.e. results-oriented ethics that determines an action to be ethically sound if its results produce benefits and happiness for others.

2.2.1 The concepts of privacy and data protection

In the classical understanding, privacy is usually defined as the ability of an individual to be left alone, out of public view, free from surveillance or interference from others (individuals, organisations or the state) and in control of information about oneself. However, while privacy sets prohibitive limits that shield the individual against the state, public authorities and other powers, data protection controls the legitimate use of such power, imposing a certain level of transparency and accountability. In other words, data protection controls and channels legitimate processing of personal data.

Hence, privacy and data protection are not equivalents. There is a substantive difference between the two. On the one hand, privacy is broader than data protection; the latter is just a tool to protect the former. On the other hand, while both fundamental rights – to privacy and to data protection – participate in the protection of the political private sphere, this is done in separate ways: privacy sets prohibitive limits that shield the individual against public authorities and other powers (warranting a certain level of opacity of the citizen), whilst data protection channels the legitimate use of power (imposing a certain level of transparency and accountability). [PRESCIENT D1]

2.3 Legal frameworks for the protection of privacy and of personal data

2.3.1 Protection of privacy

At the international level, the right to privacy is protected by Art 12 of the Universal Declaration of Human Rights (1948) [UDHR], which is, however, non-binding. Art 17 of the International Covenant on Civil and Political Rights (1966) [ICCPR], i.e. a binding international human rights instrument, offers protection of privacy. In 1980, the Organisation for Economic Co-operation and Development (OECD) issued (and revised in 2013) the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (non-binding) [OECD Privacy].

Protection of privacy at the European (regional) level is based on two systems:

• The first one, i.e. the Council of Europe (CoE), is based on Art 8 of the European Convention on Human Rights (ECHR) [ECHR]. The ECHR establishes the European Court of Human Rights (ECtHR) in Strasbourg. While the ECHR itself is silent about protection of personal data, the Court has developed it from the right to privacy.

• The second one, i.e. the European Union, is based on Art 7 CFR. However, the scope of the CFR is limited to “the institutions, bodies, offices and agencies of the Union with due regard for the principle of subsidiarity and to the Member States only when they are implementing Union law” (Art 51(1) CFR).

2.3.2 Protection of personal data

When it comes to personal data, protection at the European (regional) level is again based on two systems:

• For the first system, i.e. the Council of Europe (CoE), there is the 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (No 108), with an additional protocol regarding supervisory authorities and transborder data flows (No 181).


• The other system, i.e. the European Union, is based on its Treaties (TEU and TFEU), the Charter of Fundamental Rights (CFR) and secondary legislation, namely the Directives.

Basic instruments of EU legislation on the matter are:

• Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (known simply as the 1995 Data Protection Directive or Directive 95/46/EC).

• Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

• Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC. (Note that this Directive was declared invalid by the Court of Justice of the EU on 8 April 2014 in Joined Cases C-293/12 and C-594/12, Digital Rights Ireland.)

• Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.

• Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (i.e. laying down data protection rules applicable only to the EU institutions and bodies).

2.3.2.1 EU data protection framework

The core instrument for data protection in the European Union is the well-known 1995 Data Protection Directive. Directive 95/46/EC sets up a three-level system for the protection of personal data. The first level is the general one that applies to any processing of personal data. The second level, which needs to be applied on top of the first level, is applicable when sensitive data are being processed. The third level is applicable when personal data are being transferred to third countries, i.e. outside the European Union/European Economic Area.

This Directive does not apply to the processing of personal data in the course of an activity which falls outside the scope of (former) Community law, nor to processing by a natural person in the course of a purely personal or household activity.

As a directive is an EU legal instrument that is not directly applicable in the Member States, each of them needed to implement it in its own legal system. Therefore, we have at least 27 national laws governing data protection in the EU.

Directive 95/46/EC uses four core definitions:

Personal data shall mean “any information relating to an identified or identifiable natural person” (i.e. the data subject).

An identifiable person is “one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”


The data controller is a "natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data."

The data processor is "a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller."

2.3.3 EU data protection reform

The SURVANT project is planned to run for two years, that is between January 2017 and December 2018. A fundamental change of the EU regulatory and legal framework is taking place within that period.

In January 2012, the European Commission put forward an EU Data Protection Reform aiming "to make Europe fit for the digital age".

On 15 December 2015, the European Parliament, the Council and the Commission reached agreement on the new data protection rules, establishing a modern and harmonised data protection framework across the EU. The European Parliament's Civil Liberties committee and the Permanent Representatives Committee (Coreper) of the Council then approved the agreements with very large majorities. The agreements were also welcomed by the European Council of 17-18 December as a major step forward in the implementation of the Digital Single Market Strategy.

On 8 April 2016, the Council adopted the Regulation and the Directive, and on 14 April 2016 the Regulation and the Directive were adopted by the European Parliament.

On 4 May 2016, the official texts of the Regulation and the Directive were published in the EU Official Journal in all the official languages:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). – http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG

• Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. – http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0089.01.ENG


Figure 1: EU data protection reform timeline.

While the Regulation entered into force on 24 May 2016, it shall apply from 25 May 2018. The Directive entered into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.

The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritised. The reform will allow European citizens and businesses to fully benefit from the digital economy.

2.3.3.1 An overview of the main changes under GDPR and how they differ from the previous directive

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy. The enforcement date of the GDPR is 25 May 2018, at which time those organizations in non-compliance will face heavy fines.

The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy from the previous directive still hold true, many changes have been proposed to the regulatory policies. Key changes related to the SURVANT project can be found below:

• Increased Territorial Scope (extra-territorial applicability). Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company's location.

• Penalties. Under GDPR, organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).

• Consent. The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.

• Right to Access. Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.

• Right to be Forgotten. Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

• Privacy by Design. Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than as an addition. The ADVISE and SURVANT projects had Privacy by Design at their core from the very beginning.

• Data Protection Officers. Currently, controllers are required to notify their data processing activities to local DPAs, which, for multinationals, can be a bureaucratic nightmare with most Member States having different notification requirements. Under GDPR it will not be necessary to submit notifications/registrations of data processing activities to each local DPA, nor will it be a requirement to notify/obtain approval for transfers based on the Model Contract Clauses (MCCs). Instead, there will be internal record keeping requirements, and DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data or data relating to criminal convictions and offences. Importantly, the DPO:

o Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
o May be a staff member or an external service provider
o Contact details must be provided to the relevant DPA
o Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
o Must report directly to the highest level of management
o Must not carry out any other tasks that could result in a conflict of interest.

2.4 Best practices for protecting privacy and personal data

Several tools and methodologies exist that can be used either for ensuring privacy/personal data protection or for monitoring the impact of a system with regard to legal, ethical and privacy principles.

2.4.1 Privacy by design

Privacy by design (PbD) is a concept developed and subsequently promoted by Dr Ann Cavoukian, the Information and Privacy Commissioner of Ontario, in the 1990s, to address the ever-growing and systemic effects of information and communication technologies (ICT), and of large-scale networked data systems. Davies observed that the emergence of privacy by design presents a substantial opportunity to raise the bar on privacy protection and to reduce the extent of surveillance of people's data and transactions. Privacy by design advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization's default mode of operation. [Davies]

2.4.2 Privacy Enhancing Technologies

Privacy Enhancing Technologies (PETs) are technologies that are designed for supporting privacy and data protection. The objective of PETs is to protect personal data and to assure the users of technology that their information is confidential and that management of data protection is a priority for the organizations who hold responsibility for any personally identifiable information (PII). PETs address, among others, the principles of data minimisation, anonymisation and pseudonymisation. Examples of PETs are communication anonymizers, encryption tools, cookie-cutters, etc.

2.4.3 Privacy Impact Assessment

A Privacy Impact Assessment (PIA) is a process which assists organizations in identifying and minimizing the privacy risks of new products, projects or policies. The organization audits its own processes and sees how these processes affect or might compromise the privacy of the individuals whose data it holds, collects, or processes. A PIA is designed to accomplish mainly three goals:

• Ensure conformance with applicable legal, regulatory, and policy requirements for privacy;
• Determine the risks and effects; and
• Evaluate protections and alternative processes to mitigate potential privacy risks.

PIAs are considered a good means to address challenges posed by emerging technologies and, in particular, video surveillance. [Raab et al]

A number of PIA methodologies and templates have been developed to help organisations carry out a PIA.


3 Key differences between SURVANT and ADVISE affecting LEP aspects

This chapter provides a high-level capture of the key differences between SURVANT and ADVISE that are considered to affect LEP aspects. The differences are separated into differences in requirements (user, system etc.), or in other words differences in what the system will be required to do, and purely technical differences (e.g. architectural differences or differences in specific modules), or in other words differences in how the system will do what is required.

3.1 Differences in requirements

3.1.1 Use Cases

Commercially focused use cases have been de-prioritized in SURVANT. ADVISE tackled three use cases of criminal activity on commercial premises – vandalism of company property (graffiti, fuel theft and car vandalism in car parks). In SURVANT we recognise that criminal incidents on commercial premises are just particular scenarios of use cases observed in the community. The same use cases are valid for street surveillance, but there the circumstances are generally more challenging, with a larger diversity of cameras and busier scenes. Tackling the more challenging scenarios that occur in uncontrolled environments promises to deliver a more robust platform that offers increased reusability across street and commercial surveillance.

The focus of SURVANT has shifted to use cases and scenarios that offer good reuse across sectors and for which the consortium can leverage decent quality training footage staged with actors in real-life challenging environments.

3.1.2 Investigation areas of focus

We have learned that investigators routinely request surveillance footage that encompasses bigger spatial and temporal areas than the actual time and place of the reported incident. Investigators are not only interested in the actual scene of the crime but also in activities in the surrounding area in the times immediately preceding and following the incident. The reasons for this include:

• Poor surveillance footage of the area where the incident actually occurred, where definitive suspect identification is difficult

• Identification of accomplices that may become evident as they accompany the suspect in nearby areas before and/or after the crime

• Construction of an incident timeline which captures the geographical and temporal path of the victim and/or suspect(s)

ADVISE works under the principle that an investigator identifies a time and area and then it analyses this entire area and time period for evidence of a particular event. Not only does this result in needless analysis of footage for event detection (e.g. looking for evidence of pickpocketing in block B when we know it occurred in block A), but it also increases the amount of information clutter presented to the end user.

In SURVANT we recognise the investigator's dual intent of firstly analysing a specific incident area where the crime occurred and secondly, analysing a surrounding time and area for the presence of particular objects (people, cars). To this end we allow investigators to identify an explicit incident zone and a wider analysis zone. The incident zone is used to capture the suspect on film, which is then used to seed a search for the suspect in the wider analysis zone.

3.1.3 Repository Management

ADVISE worked under the principle that each camera is attached to a single repository. Multiple cameras may be attached to the same repository. When investigators include a camera in an investigation they specify a time period, and ADVISE would then query the associated camera repository for that subset of footage. In discussions with the end user we discovered that repositories are actually assembled per investigation. The base repository to which street surveillance cameras are connected is strictly controlled by an official video controller within the LEA organisation. Access to subsets of footage within this repository is only given to investigators upon presentation of official authorization by a high-ranking LEA. In effect, investigators are given smaller bespoke repositories which are extracted from the main repository. A similar principle applies to commercial surveillance footage – subsets of footage are extracted by commercial organisations and handed over to investigators upon official request. We observed, therefore, that the data available to SURVANT is dispersed across a large and dynamic collection of small independent repositories rather than concentrated in a small number of large integrated repositories.

We can see the same pattern with mobile phones and other portable video devices, where captured footage does not all exist in a single repository but is instead downloaded and managed in small individual repositories.

A new model of repository management is proposed for SURVANT in which bespoke repositories are identified and attached to an investigation. This model has the benefit of preventing data leakage between investigations, as access is limited to the data explicitly attached to a given investigation.
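As an added illustration of the investigation-scoped repository model described above (example code written for this edit, not SURVANT project code), the sketch below lets only a video controller extract footage subsets from the main repository against an authorization reference, attaches the subset to one investigation, and refuses any read that crosses investigation boundaries. All role, class and function names, and the sample clips, are assumptions constructed for the example.

```python
"""Investigation-scoped repository access model (added illustration).

Roles, class names and the sample clips are constructed for this example;
they are not part of the SURVANT code base.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Role(Enum):
    VIDEO_CONTROLLER = auto()   # official controller of the main LEA repository
    INVESTIGATOR = auto()       # works only inside investigations assigned to them
    ADMIN = auto()              # platform administration, no footage access here


@dataclass(frozen=True)
class User:
    name: str
    role: Role


@dataclass(frozen=True)
class Clip:
    clip_id: str
    camera_id: str
    start: int   # seconds since an arbitrary epoch (constructed sample values)
    end: int


class AccessDenied(Exception):
    pass


@dataclass
class Investigation:
    inv_id: str
    investigators: set = field(default_factory=set)
    clips: dict = field(default_factory=dict)   # bespoke repository: clip_id -> Clip
    audit: list = field(default_factory=list)   # who extracted what, under which authorization


class MainRepository:
    """The strictly controlled base repository the street cameras feed into."""

    def __init__(self, clips):
        self._clips = {c.clip_id: c for c in clips}

    def extract_subset(self, controller, authorization_ref, investigation,
                       camera_id, start, end):
        """Copy the clips of one camera overlapping [start, end] into the
        investigation's own repository. Only the video controller may do this,
        and only against a recorded official authorization reference."""
        if controller.role is not Role.VIDEO_CONTROLLER:
            raise AccessDenied(f"{controller.name} may not extract from the main repository")
        if not authorization_ref:
            raise AccessDenied("extraction requires an official authorization reference")
        extracted = [c for c in self._clips.values()
                     if c.camera_id == camera_id and c.start < end and c.end > start]
        for c in extracted:
            investigation.clips[c.clip_id] = c
        investigation.audit.append((controller.name, authorization_ref, camera_id, start, end))
        return [c.clip_id for c in extracted]


def read_clip(user, investigation, clip_id):
    """Read a clip strictly through the investigation it is attached to.
    A clip that exists elsewhere but is not attached here is treated exactly
    like a non-existent one, so nothing leaks between investigations."""
    if user.role is not Role.INVESTIGATOR or user.name not in investigation.investigators:
        raise AccessDenied(f"{user.name} is not assigned to {investigation.inv_id}")
    clip = investigation.clips.get(clip_id)
    if clip is None:
        raise AccessDenied(f"clip {clip_id} is not attached to {investigation.inv_id}")
    return clip


def demo():
    """Constructed walk-through: two investigations sharing one main repository."""
    main = MainRepository([
        Clip("c1", "cam-A", 100, 160),
        Clip("c2", "cam-A", 160, 220),
        Clip("c3", "cam-B", 100, 160),
    ])
    controller = User("controller", Role.VIDEO_CONTROLLER)
    alice = User("alice", Role.INVESTIGATOR)
    bob = User("bob", Role.INVESTIGATOR)
    inv1 = Investigation("INV-1", {"alice"})
    inv2 = Investigation("INV-2", {"bob"})

    results = {
        "inv1_clips": main.extract_subset(controller, "AUTH-001", inv1, "cam-A", 120, 170),
        "inv2_clips": main.extract_subset(controller, "AUTH-002", inv2, "cam-B", 100, 200),
    }
    results["alice_reads_own"] = read_clip(alice, inv1, "c1").camera_id
    # Cross-investigation and unattached reads must all be refused.
    for who, inv, clip in [(bob, inv1, "c1"), (alice, inv1, "c3"), (alice, inv2, "c3")]:
        try:
            read_clip(who, inv, clip)
            results[f"{who.name}_{inv.inv_id}_{clip}"] = "allowed"
        except AccessDenied:
            results[f"{who.name}_{inv.inv_id}_{clip}"] = "denied"
    # An investigator cannot pull footage from the main repository directly.
    try:
        main.extract_subset(alice, "AUTH-003", inv1, "cam-B", 0, 999)
        results["alice_extract"] = "allowed"
    except AccessDenied:
        results["alice_extract"] = "denied"
    return results
```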

3.1.4 Facility to search for people without criminal incident

ADVISE was based on the premise that there was an explicit criminal incident, but there are cases where surveillance footage needs to be analysed based on a particular physical location (to observe who visits a certain building, for example) or the last sighting of a particular person (an elderly person with Alzheimer's, for example).

3.1.5 Anonymization as optional

In ADVISE, anonymization of surveillance footage was an integral part of the processing pipeline. Discussions with investigators revealed that this is unnecessary (and often unwelcome). SURVANT will make the anonymization step optional – a configuration setting that can be enabled or disabled by the SURVANT platform administrator.

3.2 Technical differences

3.2.1 Differences in Architecture

SURVANT's main purpose is to develop a system that will be ready for the market, using as a starting point the system developed in the EU FP7 project ADVISE. Its architecture is based on the ADVISE architecture, but it integrates some essential changes that will render the system ready for use in a real-world environment. The architectural differences, as well as the evolved parts aiming to improve performance, efficiency and a user-intuitive interface, are presented in this section.

The main difference between the two projects is about the software design. While ADVISE follows a monolithic design, SURVANT is being developed as a micro-service multi-container application. A monolith is software shipped as a single big block whose parts show a high degree of coupling, which means that they have many dependencies among themselves, with the disadvantage that if the developers want to apply any modification to the platform they have to build and redeploy the whole software. On the contrary, micro-services are low in coupling and high in cohesion: they are self-contained components with zero or very few dependencies among them, devised to meet per-business requirements. The main advantages of this architecture are summarized here:

• Self-contained modules lend themselves to reuse.

• The whole system is more robust because the lack of dependencies between modules implies that the failure of one of them doesn't affect the integrity of the others.

• Micro-services can be scaled easily (they are actually made for being scaled out), whereas scaling a monolithic application can be a painful challenge.

• Once the interface among micro-services has been decided, micro-services can be implemented using different technologies instead of adopting a unique framework for the whole application, as happens in monolithic applications.

Here is an in-depth look into the SURVANT and ADVISE architectures.

Figure 2: Comparison of the logical architecture of SURVANT (left) and ADVISE (right).


Analysing the diagrams from the top, the first difference can be found in the implementation of the user interface logical blocks. While ADVISE has a "legacy" user interface design, SURVANT inherits the characteristics of the Backend-For-Frontend (BFF) architectural paradigm, which helps to tailor a backend system for end-user interfaces, enhancing the user experience (the Gateway) on multiple devices such as mobile and web clients. This choice has been made to allow frontend developers to focus on their tasks without having to take into account other self-contained parts of the system. Moreover, the technological solutions employed don't affect other corresponding BFFs (if present).

Moving to the service layer, each working service such as the GIS and the Video Analysis is going to be decoupled, improved and containerized according to the micro-service specification, earning all the advantages described above. SURVANT will use Docker containers to host each micro-service to take advantage of their flexibility, expandability and the easy management they offer. This choice allows the SURVANT system to be easily deployed in client infrastructure without having to worry about system-specific problems and dependencies. Moreover, it allows the deployment of multiple instances of the same services to improve system performance in the same or even remote infrastructure, assuring system expandability.

Another significant evolution consists in the fragmentation of the responsibilities of the Content access negotiator across all the micro-services. This means that the system doesn't have a centralized request negotiator anymore; instead each module independently implements the access to its own entities, in accordance with the kind of user, the role, the permissions and the access level. Last but not least, the overall security in SURVANT is finely tuned because it implements the following additional components:

• User Authentication Authority Server: manages the authorization and the authentication of the users on the portal.

• Micro-services Access Control List: manages the authorization of the gateway in relationship with each registered micro-service.

3.2.2 Differences in Modules

The SURVANT system reuses the modules that have been identified and developed in ADVISE. However, most of them are re-designed to cover the requirements of the end-users. New technologies are employed to improve their efficiency and performance, extending in some cases their functionality. The following table illustrates the differences of each module in the two projects.

Functional modules | Modules | Type of change | Details
--- | --- | --- | ---
Video Processing | Object detection & tracking | Redesign | Performance: Employ Deep Learning techniques to improve object detection and tracking. Speed: Improve processing time to less than real time.
Video Processing | Event detection | Redesign | Performance: Employ Deep Learning techniques to improve event detection. Detect more events. Speed: Improve processing time to less than real time.
Indexing | Visual Description | Redesign | Performance: Employ Deep Learning techniques to extract more distinctive descriptors for objects detected.
Indexing | Indexing | Redesign | Performance: Improve query results. Speed: Improve search time in the database.
Anonymization | Selective Anonymization | Improve | Performance: Improve the anonymization process to hide unnecessary personal data during the investigation. Speed: Provide on-the-fly anonymized video results.
Knowledge modelling | Ontology | Redesign | Performance: Improve the expressiveness and flexibility of the ADVISE ontology to better model the knowledge extracted from the videos examined.
Geographical analysis | Spatial Reasoner | Redesign | Performance: Improve reasoning capabilities using spatio-temporal constraints combined with similarity metrics (what, where, when workflow).
Geographical analysis | Trajectory Mining | New | Performance: Improve Re-Identification using geographical trajectories.
Reasoning | Rule based reasoning engine | Improve | Performance: Improve the expressivity capabilities of the system for more complex rules. Speed: Faster reasoning capabilities.
Reasoning | Probabilistic Rule Engine | New | Performance: Allow the creation of elastic rules for complex events that are based on probabilities.
Reasoning | Rules from examples | New | Performance: Allow the creation of rules based on examples.
Complex query | Query Formulator | Redesign | Performance: Allow the creation of queries from multiple modalities and the use of filtering operators.
Complex query | Cross modal query expansion | New | Performance: Allow the expansion of queries in modalities different from the original one.
Services & Applications | Portal micro-service | Improve | Performance: Investigations and related entities are self-contained.
Services & Applications | Search by Image | New | Performance: Enables the user to address the search process straight to a specific feature.
Services & Applications | Event summarizer | Improve | Speed: Offers an overview of the relevant detected events extracted from a video at a glance.
Visualization | Natural Query UI | Improve | Performance: Allows the user to compose queries more intuitively.
Visualization | Gateway | Improve | Speed: The "one-page application" structure improves the responsiveness of the user interface, improving the overall user experience.

Table 1: Module differences between ADVISE and SURVANT.


4 Monitoring of privacy, ethical and legal constraints

Besides providing an overview of LEP principles that are relevant in the context of the SURVANT project and supporting the project consortium in developing an ethically and legally compliant technical prototype, i.e. the SURVANT system, Task 1.3 also aims at monitoring research and development activities throughout the project with regard to the respective laws and best ethical practices, and making sure that privacy, ethical and legal principles are respected.

To this end, we want to make sure that data processing conducted by the SURVANT consortium during the project is respectful of any personal data that might be included in the project datasets. The SURVANT project is planning to use two datasets:

• The ADVISE dataset, inherited from the ADVISE project, and
• The SURVANT dataset, which will be created within the SURVANT project

The two datasets, as well as all the procedures followed in order to capture these datasets, are described in the following sections.

The key points that are important in terms of legal/ethical compliance are that:

• Both datasets were/will be created within the controlled environment of a European research project (ADVISE in the first case, SURVANT in the second case) and within a controlled physical space (areas within or right next to the premises of Madrid Municipal Police or areas controlled by the Madrid Municipal Police)

• Both datasets were/will be staged, meaning that only volunteer 'actors' are depicted in the videos comprising the datasets and no other person is depicted; this ensures that all people depicted in the videos comprising the datasets are aware of their participation and no one is depicted against his will.

• All 'actors' participating in the videos comprising the datasets have signed/will sign an appropriate consent form for their participation in research activities (i.e. participation in the video capturing). The Consent Form template that will be used in the SURVANT project can be found in Annex II.

• Proper agreements have been signed between the initial owner of the ADVISE dataset (the partner that captured it) and the rest of the ADVISE project consortium regarding the use of the dataset. The same procedure is envisioned for the case of the SURVANT dataset, and it is the responsibility of Task 1.3 to monitor that this procedure is conducted appropriately and completed in a timely manner (i.e. before the actual processing of the dataset by technical partners of the consortium commences).

4.1 ADVISE Dataset

In the municipality of Madrid, CCTV cameras are controlled by municipal police and accessible locally at each of the locations where they are installed. All signals received from the locations where CCTV cameras are located are centralized in the Integrated Centre for Video Signal (CISEVI). For the purpose of the ADVISE project, the Madrid Municipal Police performed video recordings using the available infrastructure of cameras deployed in the city. The only way to ensure that recordings would match the identified use cases was to record them on purpose, that is, with actors making a representation, once and again, of the use cases. The Theatre Group of the Madrid Municipal Police performed the identified use cases for the benefit of the project. A total of 27 actors acted out with different clothing, cars, motorcycles, and luggage.


During the recordings, other people and vehicles were prohibited from entering the area. The recordings were taken with different light conditions, different people, number of people, etc. to be as realistic as possible. The police officers working at CISEVI were responsible for the recordings. The scenarios and use cases were "Pickpocketing", "Luggage theft" and "Beat and Run Away". The videos in the available infrastructure are securely saved in a proprietary format in CISEVI. For this reason, extracted videos were converted to AVI so that the technical partners could work with them. Furthermore, the videos recorded were examined by the Madrid Municipal Police to exclude segments where residents may accidentally appear in a scene. In total, 103 videos were produced in AVI format that contained multiple instantiations of the identified use case scenarios, as well as "no event" videos for training purposes. Ethical and Legal Aspects – as these have been shaped by partner ADM – were taken into consideration from the very beginning. The person in Madrid City Council responsible for video surveillance cameras deployed in the streets was adequately informed of the recordings for the project that were to take place. Moreover:

• All actors performing on the street had previously signed an appropriate Consent Form that was based on the template shown in Annex I.

• No other people but the actors were shown on the recordings.

• A Memorandum of Understanding was signed between partner ENG, in the name of the whole Consortium, and partner ADM, for the usage of recordings.

Figure 3: Videos contained in the ADVISE dataset.

4.2 SURVANT Dataset

The Madrid Municipal Police will perform new recordings for the SURVANT project that will be based on the use case scenarios identified in D2.1 "Requirements and use cases". The scenarios that have been identified are the following:

Storyline 1: Aggression on a street in Madrid. The aggressor ran away after beating a tourist several times in the face and the body in an unprovoked attack, because the victim would not let go of the backpack the aggressor was trying to steal from him.

Storyline 2: Theft of a wallet with credit cards, documentation, and 625 euros from a city street in Madrid. The victim was a Japanese citizen who was traveling alone. A thief opened his backpack, removing his wallet from it, while another one (his companion) distracted him by offering cheap sunglasses.

Storyline 3: Due to the confrontation between official city taxi drivers and new rental cars with driver (UBER, CABIFY), the latter are suffering aggressions to their vehicles by taxi drivers, who throw stones and damage their cars. A taxi driver detects an unattended Uber car and gets off his own cab to make graffiti on the Uber. He spoils the car paint and leaves an offensive message at the same time. The taxi driver quickly drives away.

Storyline 4: A couple of youngsters armed with sprays in a not very busy street, and in just a few minutes, make graffiti on the wall of a public building, defacing its façade. They leave the area at a fast-moving pace.

Storyline 5: The police know that in a particular building there is a possible jihadist group that meets in one of the apartments. The investigators want to monitor who enters and leaves the building during a period of time.

Storyline 6: The crime of assault on a tourist was captured on surveillance video but the footage is of insufficient quality to identify the attacker or all of their accomplices. The investigator examines surrounding footage to seek more information.

Storyline 7: A vulnerable elderly person, affected with Alzheimer's, has been reported missing. The last time he was seen was near a shopping centre in a street near his house. He walks with the aid of a cane.

Based on the above scenarios, the Madrid Municipal Police will perform new recordings where officers will instantiate the above scenarios under various conditions. It will exploit its previous experience from the data acquisition and sharing process during the ADVISE project to deliver a dataset according to the relevant legal and ethical regulations. After negotiations with the relevant authorities, the Madrid Municipal Police has been authorized to perform the recordings in crowded areas to replicate the actual operational environment. In all cases, the events described in the scenarios will be instantiated by police officers only and not real cases.

Please note that the recordings had not taken place at the moment that this deliverable was being written. Therefore, no further details are available on the dataset to be acquired.


5 Conclusions

In this report, we presented the analyses and activities taking place within Task 1.3 "Analysis and monitoring of privacy, ethical and legal constraints" of the SURVANT project.

The analysis of LEP principles indicates that a major issue is the ongoing EU data protection reform, which will oblige SURVANT to be partially run within two different data protection frameworks. Early adoption by the SURVANT consortium members of notions such as Privacy by Design and Privacy by Default, even back from the beginning of the ADVISE project, is a powerful tool that the project holds in order to cope with the coming changes. Another important aspect highlighted by the LEP analysis is that, since the SURVANT system is envisioned not as a video (data) collection tool but as a video analysis toolset, all ethical/legal obligations related to the data capturing phase of the data lifetime lie primarily with the initial owner/creator of the data.

The analysis of key differences between SURVANT and ADVISE that affect LEP aspects indicated a shift from LEA focused use cases to scenarios that offer good reuse across sectors and for which the consortium can leverage decent quality training footage staged with actors in real-life challenging environments. This change does not pose additional problems on the legal/ethical side, since the envisioned system was initially designed with such cases in mind.

Finally, our LEP monitoring activities focused on identifying and describing the project datasets in order to be ready to ensure legal/ethical compliance regarding their management and, of course, the management of personal data that might be contained within. Both datasets are created within a controlled environment, are staged (meaning that only volunteer 'actors' participate), all 'actors' in both datasets are signing appropriate consent forms, and proper agreements are signed between the initial owners of the datasets (the partner that captured them) and the rest of the partners.


6 References



7 Annex I – ADVISE Consent Form template

SAMPLE CONSENT FORM TO PARTICIPATE IN RESEARCH

Consent must be obtained from any study participant. Participants should be given two copies of the consent form – one to keep, and one to sign and return to the ADVISE Consortium.

CONSENT TO PARTICIPATE IN THE ADVISE PROJECT (SEC-2011.5.3-4, No.: 285024)

This is to state that I agree to participate in a program of research being conducted by the ADVISE Project: (Project Coordinator name: Francesco Saverio Nucci, Organization: ENGINEERING INGEGNERIA INFORMATICA SPA, Coordinator’s Email: [email protected], Coordinator’s Fax: +39 06-83074200).

A. PURPOSE

I have been informed that the purpose of the research is as follows: {Please state the purpose of the research clearly and concisely, in no more than one or two sentences}.

B. PROCEDURES

{Indicate in this section where the research will be conducted and describe in non-technical terms what the subjects will be required to do, the time required to do it, and any special safeguards being taken to protect the confidentiality or wellbeing of the subject}

C. RISKS AND BENEFITS

{Indicate in this section all potential risks of participation and any benefits of participation}

D. CONDITIONS OF PARTICIPATION

• I understand that I am free to withdraw my consent and discontinue my participation at any time without negative consequences.

• I understand that my participation in this study is {pick appropriate word: CONFIDENTIAL (i.e., the researcher will know, but will not disclose my identity) OR NON-CONFIDENTIAL (i.e., my identity will be revealed in study results)}.

• {I understand that the data from this study may be published. OR I understand that the data from this study will not be published.}

I HAVE CAREFULLY STUDIED THE ABOVE AND UNDERSTAND THIS AGREEMENT. I FREELY CONSENT AND VOLUNTARILY AGREE TO PARTICIPATE IN THIS STUDY.

NAME______________________________________________________________________

SIGNATURE_________________________________________________________________


If at any time you have questions about the proposed research, please contact the project’s Coordinator (Project Coordinator name: Francesco Saverio Nucci, Organization: ENGINEERING INGEGNERIA INFORMATICA SPA, Coordinator’s Email: [email protected], Coordinator’s Fax: +39 06-83074200).

If at any time you have questions about your rights as a research participant, please contact the project’s Ethics Advisory Board {Indicate in this section the name and contact information of the Data Protection Controller}.


8 Annex II – SURVANT Consent Form template