CCTV cameras and in general, video surveillance systems are exponentially becoming intrusive but generate substantial data protection law issues according to the EDPB.
The European Data Protection Board (EDPB) issued guidelines on the processing of personal data through video devices which covers basic CCTV cameras merely collecting images. But the guidelines also apply to more invasive technologies such as smart cameras and devices, collecting biometric data whose operation shall be continuously reassessed because of the potential risks connected to their malfunctioning.
I try to address the issues covered by the EDPB, enriching them with my takeaways and taking some insights from the article published by my colleagues of DLA Piper Privacy Matters blog:
When is the GDPR applicable to video surveillance devices?
The GDPR does not apply:
- If an individual cannot be identified directly or indirectly, e.g. the use of fake cameras. But for instance, the Italian Supreme Court held that there is a crime of violation of labor laws if cameras are installed on a workplace without an agreement with trade unions, even if they are switched off;
- to processing of personal data by competent authorities for prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding and the prevention of threats to public security as these fall under the scope of the Law Enforcement Directive;
- To processing by a natural person in the course of purely personal or household activities ie, the “household exemption”. However, this exemption must be construed narrowly, so that it may not apply to the publication of such data on the Internet so that it is accessible by an indefinite number of people. And the applicability of the exemption at a private person’s premises will need to be assessed on a case by case basis for instance with scenarios where CCTV cameras are used to monitor cleaners and baby sitters during their working activity.
What is the appropriate legal basis of the data processing for the usage of CCTV cameras?
Interestingly, the EDPB takes a very straight forward position indicating legitimate interest as the most appropriate legal basis of the data processing for video surveillance devices, limiting the possibility to rely on consent to “rather exceptional cases“. I fully agree with such an approach that however has been differently interpreted also by competent data protection authorities in the past with reference to cases where consent is unlikely to be free e.g. in relation to employees and to access to buildings.
Legitimate interest can be the appropriate legal basis for the data processing of images processed through CCTV cameras provided that
- The legitimate interest is meant to address a “real” issue. The purpose of protecting property against burglary, theft, or vandalism can constitute a legitimate interest for video surveillance. But, in the light of the principle of accountability, controllers should document the relevant issue, statistics or incidents as strong evidence for the existence of a legitimate interest;
- Controllers should assess where and when video surveillance measures are strictly necessary, or the same goal can be achieved through less intrusive solutions. And the EDBP also emphasizes the possibility to use black box solutions where the footage is automatically deleted after a precise storage period and only accessed in case of an incident. In other situations, it might not be necessary to record the video material at all but more appropriate to use real-time monitoring instead;
- Where video surveillance is essential, it is mandatory that the controller conducts a so-balancing of interest (also known as balancing test) to maintain the legitimate interest, on a case by case basis. The elements to consider in the assessment are the following (i) to what extent the monitoring affects legitimate interests, fundamental rights and freedoms of individuals, (ii) if this causes negative consequences with regard to the data subject’s rights and (iii) what are the reasonable expectations of the individual when the data processing activity is performed. This is an important reminder since we are repetitively encountering companies which rely on legitimate interest for a large number of data processing activities but are not able to justify them and have not performed any balancing test.
Can video recording be disclosed to third parties under data protection laws?
This scenario is quite frequent. CCTV cameras are installed in a parking lot for security reasons, but guests require images to solve disputes relating to a car accident. In such a scenario, the disclosure is considered a separate kind of processing and the controller needs to have a legal basis for such processing.
The actual purposes of the data processing indicated in the privacy information notice set out the perimeter within which CCTV footage can be used. The disclosure can occur in most of the cases upon request from competent authorities, but when no official request is in place, an assessment is always necessary.
Are CCTV cameras processing biometric personal data lawful?
This topic is extremely sensitive at the moment as several video surveillance technologies analyzing the biometric features of images are being launched.
I had already discussed in a previous article (Read on the topic “Are your customers’ images biometric data under the GDPR?“) about the limits in which images (and consequently their video recording) can be qualified as biometric data. And such a restrictive interpretation is confirmed by the EDPB.
The European Data Protection Board holds that there is no processing of special categories of personal data when the purpose of the processing is not to collect them, and they are only incidentally recorded (e.g., CCTV cameras installed for security purposes that incidentally record an individual on a wheelchair). But when the objective is to collect special categories of personal data, it is necessary to identify the appropriate legal basis of the processing among those of article 9 of the GDPR, such as consent.
With reference to biometric data, according to the EDPB, the camera video recording of an individual cannot however in itself be considered as biometric data, if it has not explicitly been technically processed “for the purpose of uniquely identifying a natural person”.
If video surveillance systems process biometric data to access to a building, the EDPB requires that “the controller must always offer an alternative way to access the building, without biometric processing, such as badges or keys“. This scenario creates significant issues in case of usage of biometric data of employees whose consent to the data processing activity is unlikely to be free in any case.
The same issue arises in the case of cameras that are used in the retail and fashion sectors to identify the categories of individuals visiting their shops. If the system is structured so that it is not able to uniquely identify an individual but only to cluster them, no processing of personal data would occur.
A case by case assessment would be necessary. And it is crucial to understand the way CCTV cameras work to identify the data protection law implications.
The EDPB also recommends the encryption of the database in which biometric data extracted from digital images are stored, segregating different types of data and limiting the access to them and the deletion of raw data (face images, speech signals, the gait, etc.).
What rights of individuals whose personal data is processed through video devices?
The European Data Protection Board emphasized that all data subject rights will apply to the processing of personal data using CCTV cameras and video devices and provides clarifications in relation to some of these rights:
- Access rights: complying with access rights in relation to video surveillance could adversely affect the rights of other data subjects who are also identifiable from the recording. Image editing and scrambling should be employed to protect these third parties. Controllers can also ask the data subject to specify reasonable timeframes to help with searches;
- Right to erasure: the EDPB notes that blurring a picture with no retroactive ability to re-convert the picture into an identifiable image constitutes erasure under the GDPR;
- Right to object: in case of video surveillance, this right could be exercised either prior to entering, during the time in, or after leaving the monitored area. This means that unless the controller has compelling legitimate grounds, monitoring an area where persons could be identified is only lawful if either: (1) the controller is able to stop the camera from processing personal data when requested immediately, or (2) the monitored area restricted so that the controller can assure the approval from the data subject prior to entering. If using video surveillance for direct marketing purposes (admittedly unlikely in practice), the right to object is absolute.
- Right to be informed: the EDPB recommends a layered approach in light of the amount of information required by Article 13 of the GDPR. The most important information should be displayed on the warning sign, which is the first layer, and further mandatory information on the second layer.
- First layer: the warning sign may be provided in combination with an icon, such as a picture of a surveillance camera, as recommended by the Italian data protection authority before the GDPR. The information should be positioned in such a way that the data subject can easily recognize the circumstances of the surveillance before entering the monitored area. This layer should convey the most important information e.g. details of the purposes of the processing, the identity of the controller and the existence of data subject rights, together with information on the most significant impacts of the processing.
- Second layer: this layer (containing all information under Article 13 of the GDPR) must be available at an easily accessible place like the information desk or displayed on an easily accessible poster. It is best if the first layer refers to a digital source (e.g., QR-code or a website address) of the second layer but, in guidance which may prove practically challenging to many organizations, the information should also be available non-digitally.
How long shall video recorded images be stored?
Personal data should, in most cases, be erased, ideally automatically after a few days. The longer the retention period is set (especially when beyond 72 hours), the more difficult it will be to show the legitimacy of the purpose under data protection laws and the necessity of storage. Storage periods need to be clearly defined and must be necessary to achieve the objective.
This issue has frequently been addressed by the Italian data protection authority that recommended a 24-hour storage period, requesting the presence of exceptional circumstances when a longer retention period applies.
What technical and organizational measures shall be adopted for video surveillance devices?
The EDPB guidance touches on the ‘privacy by design’ principle by recommending that privacy safeguards be built into the design specifications of the technology (such as systems that allow masking or scrambling areas that are not relevant to surveillance, or the editing out of images of third persons) as well as organizational practices, and that default setting minimise data processing (Read on the topic “Privacy by design, how to do it at the time of the GDPR?“). In case an organization plans to acquire a commercial video surveillance system, they need to include these requirements in the purchase specification.
The Guidelines include considerations that controllers should make when creating their video surveillance policies and procedures such as:
- Who is responsible for the management of the system, purpose, and scope of the surveillance project?
- What are the appropriate and prohibited uses?
- What transparency measures are implemented? How is video recorded and for what duration, including archival storage related to security incidents?
- Who must undergo relevant training and when?
- Who has access to video recording and for what purposes, operational purposes, e.g., who monitors surveillance and what happens in case of a data breach incident?
- What procedures external parties need to follow to request recording?
- What procedures for denying or granting such requests, incident management, and recovery procedures?
Also, given the requirements of Article 35 of GDPR, it is reasonable to assume that many cases of video surveillance will require a data protection impact assessment (Read on the topic “When and how shall a data protection impact assessment be run?“).
And a question that is not addressed in detail by the EDPB is whether the usage of CCTV cameras triggers per se the need to appoint a data protection officer. The guidelines merely state that the requirement would apply “if the processing operation by its nature entails regular and systematic monitoring of data subjects” which requires a further deep assessment.
My top 3 best practices on assessing data protection law issues of CCTV cameras
Based on the assessment above and my personal experience in dealing with data protection law issues relating to CCTV cameras, the main points to consider are
- A full understanding of the operation of the video surveillance device is essential to perform a detailed privacy law assessment. Technicians are likely to provide confusing information, but it is necessary to convey the right message to the business that, in the absence of such assessment, substantial data protection law issues can arise;
- The privacy information notice, the data protection impact assessment and the technical and organizational measures to be adopted are not mere bureaucratic tasks, but lawyers and technicians need to work together to find solutions that can be deemed data protection law compliant. Indeed, it frequently happens that we recommend minor technical changes which can considerably strengthen the level of compliance;
- The rush to the innovation requires a higher level of transparency and awareness of privacy law implications. We are working on several projects where companies want to build smart offices and buildings. But this innovation cannot be faced without a change in the approach to data protection law compliance.