DP-3T / documents

Decentralized Privacy-Preserving Proximity Tracing -- Documents

Data protection consequence of missing security actor #9

Open pdehaye opened 4 years ago

pdehaye commented 4 years ago

In #43 I give many examples of deployments of vast meshes of passive Bluetooth antennas, providing easier means of re-identification than relayed in the security analysis.

The deployment of those systems should encourage a more careful assessment around the Breyer test. On page 8 of the Overview of Data Protection and Security, you state:

To underscore the data protective nature of these measures, it is worth noting that the re-identification test set out by the CJEU in Breyer (C-582/14) as necessary to classify this as personal data would not be met. Firstly, establishing an effective side-database would likely require breaking the law by surveilling individuals without an effective lawful basis (e.g. illegitimately using covert cameras directed outward from the person, see Ryneš (C-212/13)). In Breyer, the Court noted that the test of means reasonably likely to be used to identify a natural person would not be met ‘if the identification of the data subject was prohibited by law’. Furthermore, it is also arguable that these specialised attacks would require ‘a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant’ (Breyer). However, as discussed, we suggest ensuring the obligations applying to personal data are still applied as good practice.

In light of the BLE deployments of #43, the threat you mention (using covert cameras) is reductive of the full threat landscape, which in its fuller extent actually nullifies the first test of Breyer: these databases already do exist, with a legal basis that is actually considered legitimate by many. In addition, these databases reduce the "efforts in terms of time, cost and man-power" so much that it no longer is true that the "risk of identification appears in reality to be insignificant" (in fact, as described above, there are commercial services performing this task). As for the prohibition by law in the Breyer test, it is a very very very thin line to rely on in the current circumstances, and certainly warrants a lot more detailed discussion in scenarios where the threat comes from state actors fetching additional data from private actors to facilitate re-identification.

It seems ill-advised to rely on a gap in jurisprudence for such a high-stakes protocol and not be more forceful in asserting that this data would indeed consist of personal data in some deployment scenarios.

pdehaye commented 4 years ago

For the purpose of full documentation ahead of revising the legal analysis, see also the examples here of such tracking attacks for Bluetooth.

pdehaye commented 4 years ago

Note: There is now an attack PoC shared by @oseiskar at the bottom of #43, leveraging existing BLE meshes. This should now force at the very least a citation in the White Paper of the existence of such a PoC - at least from a data protection standpoint (I don't know if this runs counter to the security community culture - but wouldn't think so). Additionally, while from a security perspective the existence of a PoC changes little, it does have an impact on the data protection evaluation of the paper, particularly in light of Recital 26 GDPR.