The video surveillance system adopted to monitor vehicles by a taxi company has been considered by the Finnish privacy authority to be in breach of the data protection law.
The GDPR case relating to video surveillance of taxi vehicles
On 26 May 2020, the Finnish data protection authority issued a GDPR fine against a well-known Finnish taxi company for implementing a video surveillance system in its vehicles in violation of the privacy laws.
The fine follows an investigation launched in November 2019 by the Finnish data protection authority, following which the authority found deficiencies in the taxi company’s processing of personal data concerning risk identification, data protection principles, and the implementation of data subjects’ rights. Among other things, the authority noted that the company had recently implemented a new video and audio surveillance system in its vehicles.
The privacy-related challenges raised against the taxi company
This data processing had not been previously assessed either by a data protection impact assessment (‘DPIA’) or by a balancing test concerning the possibility to rely on the legitimate interest of the company to carry out the processing over the conflicting interests of the data subjects involved (i.e., drivers and customers). The lack of such fundamental activities for the processing had led to the absence of an adequate weighting relating to how the video-surveillance system had been configured, and the authority had found that audio data were not necessary for the pursuit of the company’s purposes. This circumstance was confirmed by the fact that the audio recording function was active only in some of the vehicles, showing that the processing carried out by the company was not in line with the principle of data minimization.
It was also found that the company had not adequately informed the data subjects about the data processing carried out. Neither did the “short data protection notices” inside the vehicles provide any information about the audio recordings, nor was it expressly indicated to data subjects where they could find more information about the processing. According to the authority, such practice violated the GDPR provisions according to which the data controller is required to provide, in an easily accessible manner, clear, complete, and exhaustive information about the processing of personal data carried out.
Based on the above, the authority imposed an administrative fine of € 72,000 on the company, an amount considered proportionate, effective, and precautionary for all the violations found.
My takeaways from this decision
We are receiving several requests for assistance on data protection issues relating to the surveillance of vehicles for efficiency purposes and to avoid fraud and theft. These systems are becoming exponentially more invasive, and they are often manufactured in a manner allowing employers to have real-time access to any information relating to the vehicle. Unfortunately, it usually ends up that we need to request the client to implement some technical changes that, if considered at the time of the manufacturing of the technology, would have been considerably cheaper for the business. A privacy by design approach is essential for these technologies to avoid potential fines and liabilities and ensure the achievement of the same results in a GDPR-compliant manner. Also, employment law-related issues shall be considered in this assessment.
On this topic, you may find interesting the article “Privacy by design, how to do it at the time of the GDPR?”.