Are you intruding on someone’s privacy if you are actively doing OSINT on someone?

Emily Overton — @RMGirl on Twitter; follow her — asked an interesting question:

Are you intruding on someone’s privacy if you are actively doing OSINT on someone?

I shared some thoughts (which will be auto-deleted in a week), and Emily asked:

Is the site that collects the data responsible or do their terms and conditions remove their accountability?

Also, should it be expected that if you put something in the public domain, someone may gather data about you?

Is there a difference between profiling & OSINT?

These questions are too broad for Twitter, but I’d like to give a stab at an off-the-cuff answer.

So here we are.

Is the site that collects the data responsible or do their terms and conditions remove their accountability?

The question implies that, but for a site’s terms, they would be (legally?) responsible. I’m unconvinced.

I don’t see an obligation on a site, from an English law point of view at least, to inhibit OSINT.

To the extent the site’s function entails the processing of personal data, then they have obligations relating to security, which includes preventing unauthorised access to personal data. However, I am sceptical that that extends to preventing secondary use of personal data which has been accessed lawfully / with authorisation.

For example, if I upload my photographs to a site, so that they are publicly available, I am struggling to see from where a legal obligation would come for the site to prevent someone accessing my photographs for OSINT purposes.

Also, should it be expected that if you put something in the public domain, someone may gather data about you?

What is the “public domain” here? Are you thinking in the copyright sense of the term (i.e. the place to which copyright works revert (or land, depending on your view of the implications of the automatic imposition of copyright) once the term of restriction has expired), or something else?

If you mean merely “being in a public place”, then, sure, someone may expect that others might gather data about you.

Does it make that data gathering lawful? That’s a fact-specific exercise.

For example, someone who seeks death by suicide in a public place but is caught on CCTV?

Or someone who is photographed on a public street leaving an addiction meeting?

Or whose child is photographed in their pushchair on a street?

Is there a difference between profiling & OSINT?

I’m assuming here that you are using the GDPR’s definition of “profiling”. If not, then there is even more scope for discussion.

If so, then the GDPR’s definition is relatively narrow:

‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

If, for example, Person A follows Person B home, and sees where they live, they are not “profiling” Person B. Indeed, the data protection regime may not be triggered at all.

If Person A “stalks” Person B online, trying to follow up on links, making educated guesses as to where they might find further information, pre-texting to obtain additional data, and so on, I’m sceptical it would meet the requirement of automated processing.

Could some OSINT fall within the definition of “profiling”? Yes.

Does it matter? Article 22 is also limited in scope:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

To be relevant, there would need to be a decision, and that decision would need to be based solely on the automated processing, and that decision would have to have a sufficiently significant effect.