17

If you gather publicly available information on a private individual without ever using prohibited means of gathering that info, and you never use that information for a business purpose or to interact or interfere with their life in any way, can this in any way be considered stalking, spying, or something else that would lead to legal consequences or a lawsuit?

I.e., imagine you discover someone has a creepily detailed collection of information about your entire life, photographs, places you've frequented or been, people you know, etc., but it was mostly gathered from online information.

Does the law fully protect one's right to do that?

Improve this question
10
  • 1
    As I understand this question it is asking about when and how the sharing of public information could be illegal and/or litigious, whereas the proposed duplicate deals with distinguishing between public and private information. Commented Jul 6 at 21:46
  • 13
    OSINT, by the way, is another term for "Open Source Intelligence". Commented Jul 6 at 23:40
  • 3
    This is a completely pedestrian comment, but think of this question in the context of celebrities. Imagine how many (mostly young) people might have "a creepily detailed collection of information" about their favorite actor or singer. Commented Jul 7 at 17:34
  • 1
    @MichaelHall IIUC, the question is about collecting the information, not about sharing it. E.g. a fan making a private compilation of magazine articles about the celebrity. Commented Jul 7 at 19:19
  • 3
    @user45623 Don't know how much it applies to this question, but note that many laws draw the distinction between regular people and "public figures" (e.g. actors & singers). Different criteria for privacy/defamation/etc. may be applied to public figures, as they've effectively "consented" to increased attention by deliberately putting themselves into the public eye. Commented Jul 8 at 20:28

5 Answers 5

Reset to default
19

Does the law fully protect one's right to do that?

If you don't use prohibited means, and there is no harm done to the individual, then it is legal. It may be rude or creepy, but it's not illegal. There are many things that are rude or creepy that are not illegal.

Everything which is not forbidden is allowed. The cute Latin phrase for that that is sometimes used in legal briefs and opinions to sound more impressive and authoritative is Quod non est prohibitum, permis sum.

Doing so could be evidence of some other crime, like stalking or attempted murder, but stalking generally requires some level of implied harassment or threat, and murder requires an intent to kill. Merely gathering open source information about someone doesn't cross the line from being a fan to committing a crime.

If you gather information about someone's creditworthiness and share it with others on commercial basis, you are subject to credit reporting agency regulation, but it isn't illegal per se.

Some countries might make it a crime or grounds for deportation to gather open source intelligence related to national security on behalf of a foreign power without being an accredited diplomat, but there, it is the purpose for which it is gathered, rather than the gathering the data itself, that is the hook for some level of illegality.

In the same vein, people who fail to register as foreign agents while lobbying on behalf of a foreign power commit the crime of failing to register in the United States.

But the information is not used in the question's scenario for any illegal purpose.

There are a handful of very narrow anti-doxing laws at the federal, state, and local level (mostly for federal judges and a handful of other kinds of high profile public officials) but even then, those laws are only invoked if the information is shared publicly, sometimes with some sort of ill-intent. But, those laws are the rare exception and not the rule. It would probably be unconstitutional to prohibit simply collecting information about someone by lawful means if it isn't shared.

Improve this answer
13

and
(and worldwide if your data subject is European or British)

It depends whether "you" are an individual or a group of people.

The General Data Protection Regulations permit such data collection by an individual for purely personal or household reasons, if the data are not transferred outside of that context:

18. This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

So the personal collation in the question probably doesn't infringe GDPR (but may be subject to other laws). Do note that using the collated data is more likely to be infringing, but that's specifically excluded from the question.

For groups or commercial/professional use, then GDPR does apply, and there must be a lawful basis for collecting such data, from the following list (as summarised in Wikipedia):

  • If the data subject has given consent to the processing of his or her personal data;
  • To fulfill contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;
  • To comply with a data controller's legal obligations;
  • To protect the vital interests of a data subject or another individual;
  • To perform a task in the public interest or in official authority;
  • For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children).
Improve this answer
2
  • 1
    Well, I understand the OP's question as referring to a purely private activity (for example, what a devoted fan may collect about their idol, without sharing it) -- i.e., can the process of collecting as such get you into trouble. I understand your answer as saying that would be legal, in which case you could emphasize that more. Your last sentence seems to say it is "hard to imagine". Commented Jul 10 at 10:24
  • "Personal or household activities could include" yay vaguely defined regulations Commented Jul 10 at 10:59
12

prohibits the public dissemination of such data if it is "capable of making the subject the victim of a crime and by the circumstances intended to do so" (§126b StGB). The law does not require the incitement to a specific crime, just naming somebody an enemy is enough if the context makes this a call to action.

Improve this answer
8
  • 1
    What do you mean when you say "if it is liable"? Commented Jul 7 at 14:17
  • 12
    @ohwilleke, the German term is "geeignet und nach den Umständen bestimmt." Doxing becomes illegal if it is suitable to aim criminals at the victim and if, in context, it appears intended to do so. A statement like the referee who called that strike wrong lives in 42 River Road and you really shouldn't torch his house proclaims no incitement to violence, but any reasonable person understands the intent. Commented Jul 7 at 15:51
  • 3
    @ohwilleke, I tend not to use Google for languages I know. Being "appropriate" has implications of being the right way to do something, while "liable to" is a likelihood of success even if there are better ways. Commented Jul 7 at 17:37
  • 2
    @ohwilleke, more like "capable of." I'll edit. Commented Jul 7 at 18:33
  • 8
    The example in your comment is excellent because it gives a situation where it is quite plausible that all the information to link the soccer referee to their private home address can be publically available and nevertheless a statement like you wrote would be illegal. So, please add it to the answer :-) It is also an example that as I understand it would be legal in the US. Commented Jul 8 at 9:03
7

If it was determined that you collected information about someone with the intent of carrying out an act of terrorism, you could be prosecuted under the Terrorism Act 2006, regardless of whether you actually acted on the information you collected. This might be more likely if the subject was a particularly high-profile person, e.g. a senior politician, and the information you collected included e.g. details of their security arrangements.

If convicted, you could face a sentence ranging from 3 years to life imprisonment.

Improve this answer
5
  • Why would details of their security arrangements be public information in the first place? Commented Jul 8 at 14:00
  • @Barmar it's plausible that they regularly appear in public, where this could be observed directly or gleaned via TV footage etc... Commented Jul 8 at 19:33
  • 1
    Maybe I have a different understanding of what "security arrangements" means. It's public knowledge that POTUS has Secret Service protection, but their operational procedures are not public knowledge. Commented Jul 8 at 19:37
  • Could you say more about how the Terrorism Act covers this? In particular, does the Act have specific provisions covering information collection (and if so, what do they say), or is it simply that the Act criminalises anything done with the intent of terrorism? Commented Jul 10 at 12:02
  • @PeterLeFanuLumsdaine at the very least, it could be considered a form of mindset material Commented Jul 12 at 7:30
6

The GDPR does not include any blanket exemption for publicly available data. It doesn't mean it's forbidden but it does create a number of obligations, including ensuring the lawfulness of the processing.

Improve this answer
5
  • 5
    As mentioned in Toby Speight's answer, GDPR doesn't apply when collecting for personal activities. Commented Jul 8 at 14:01
  • 1
    @Bamar Sure but that's a provision of the GDPR itself and it's not clear whether it applies to what the OP has in mind. My point wasn't to get into all the details of what is or is not allowed under the GDPR, just to point out that the fact the data was publicly available doesn't make a difference, which seemed to be what the question is about. Incidentally, I already upvoted Toby's answer and there is certainly more that could be said on this topic but the starting point is always going to be that the GDPR does apply to processing of publicly available data. Commented Jul 8 at 15:45
  • 3
    In particular, it seems to me that “purely personal or household activity” probably means something like keeping a contact list on your phone, not “anything a natural person does”. In that respect, it also important to understand that the GDPR doesn't regulate publication or sale, it regulates personal data processing generally. Commented Jul 8 at 15:53
  • 1
    IMHO "personal activity" would also include a fan making a collection of articles about the celebrity they're following. Unless and until they start harassing the celeb -- then it becomes stalking. Commented Jul 9 at 17:47
  • @Barmar That's not implausible but IMHO far from obvious and already stretching the definition. Commented Jul 9 at 23:09

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.