Ring is being criticised for its tie-up with US law enforcement and how that tie-up facilitates the use in crime detection of the video stream captured by Ring devices.
However, this raises questions under the GDPR for Ring in the EU.
First up: Ring claims in their privacy notice:
“You are the data controller with respect to personal information you obtain when using our products and services (such as video or audio recordings, live video or audio streams, images…)”
If that’s so, an Article 28 Data Processing Agreement needs to be in place. There is no such agreement and neither Ring’s privacy notice nor T&C’s count.
In any event, Ring seem to be determining for their own purposes how data is processed:
“by purchasing or using our Products and Services, you give Ring the right…to access and use your User Recordings for the limited purposes of providing Services to you, protecting you, improving our Products and Services, developing new Products and Services”
This raises numerous questions such as: how does a child ringing the bell get informed of how their personal data is being processed (Article 14 in this case), in a manner that complies with Article 12? And what is the lawful basis for Ring’s processing – surely not consent.
There are enough questions to keep the privacy community engaged in debate for hours, so how can Ring expect the average homeowner or door bell ringer to understand this and make reasoned decisions?