"Does collecting the Bluetooth IDs which are present constitute collecting an person registry"

IANAL, I would argue that Bluetooth address by itself is not regarded as an inherent property of a person ("personal characteristics") - at least not yet, so Bluetooth MAC addresses themselves will probably not constitute a person registry, as they cannot by itself be connected to a person. The law says: "personal data means any information on a private individual and any information on his/her personal characteristics or personal circumstances, where these are identifiable as concerning him/her or the members of his/her family or household". However, if and when there is an image that shows the person whose phone's BT address is included in the picture, most probably this will be a personal data registry as then it will be "identifiable as concerning him/her".

Because "personal data file means a set of personal data, connected by a common use and processed fully or partially automatically or sorted into a card index, directory or other manually accessible form so that the data pertaining to a given person can be retrieved easily and at reasonable cost", just having information of nearby BT MACs does not constitute a personal data registry unless the database contains information that connects these BT MACs to physical persons.

"- and do you commit a violation of the Finnish law by posting an image with Bluetooth IDs onto a public website?"

Again, IANAL. A single image with the depicted person's Bluetooth ID is not a person registry as such but it definitely is personal data. Also, a photography (and publication of photos) taken in public space is lawful. However, the uploader is working as an agent of the Controller of the database, and hence would probably ensure that the basic requirements are satisfied for processing personal data. I do not think that the requirements would be satisfied in this case, if the image of the person contains the person's BT ID.

Moreover, "personal data may be transferred to outside the European Union or the European Economic Area only if the country in question guarantees an adequate level of data protection" so the company that runs the public website, if located outside EU/EEC, needs to subscribe to the Safe Harbour principles (http://www.export.gov/safeHarbor/checklist.htm) in order for the uploader not to break the law in this respect as well.

If the website is within EU/EEC, then it is supposed to have a directive-compliant privacy policy in place.

(English translations from FINLEX)

--avs, 22-Apr-2006

yikes. good post.

--PhilWilson, 23-Apr-2006

Thanks, avs and Phil.

Just in case you don't know, IANAL means "I Am Not A Lawyer", but I do trust avs's opinion on this, even if he isn't officially certified ;-)

--JanneJalkanen, 23-Apr-2006

More info...     Add comment   Back to entry
"Main_comments_210406_1" last changed on 20-Nov-2006 19:28:18 EET by JanneJalkanen.