The European Data Protection Board (“EDPB”) has published guidelines on the processing of personal data through video devices (the “Guidelines“) (currently subject to a public consultation process). The EDPB acknowledges the ubiquity of video devices in modern life (everything from smartphone cameras to video-enabled doorbells and home security systems), and accepts that many individuals may be comfortable with the use of such devices for certain purposes such as security.
The Guidelines however emphasise that (i) guarantees must be taken to avoid any misuse of surveillance for a totally different and unexpected purposes (eg marketing, employee performance monitoring); (ii) controllers should carefully consider the data protection principles (Art 5 GDPR) in relation to video surveillance; (iii) controllers should be aware of and take precautions against the risks of malfunction of the devices and the biases they may induce; and (iv) video surveillance will not be ‘necessary’ (for the purposes of establishing a lawful basis) where there are other means of achieving the underlying purpose.
The guidelines provide clarification on a range of issues, in particular:
- the application of the GDPR to processing of personal data through video devices;
- the lawfulness of processing personal data through video devices;
- processing of special categories of personal data, including biometric data through video devices;
- the rights of data subjects in relation to such processing;
- storage and erasure obligations in relation to such personal data; and
- technical and organisational measures required for such data processing.
1. Application of the GDPR
Quite helpfully, the guidelines clearly state that the GDPR does not apply:
- if an individual cannot be identified directly or indirectly eg the use of fake cameras (although some Member States may regulate these);
- to processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding and the prevention of threats to public security as these fall under the remit of the Law Enforcement Directive (LED (EU2016/680);
- to processing by a natural person in the course of purely personal or household activities ie the “household exemption”. However this exemption must be construed narrowly, so that it may not apply to the publication of such data on the internet so that it is accessible by an indefinite number of people. This obviously raises interesting questions about the use of publicly accessible social media and content sharing sites.
2. Lawfulness of processing
Where relying on legitimate interest as the lawful ground for processing personal data using video devices:
- The legitimate interest needs to be tied to a demonstrably ‘real’ issue i.e. not fictional or speculative. Evidence of crime statistics in an area or related to a certain product or experiences of similar controllers would constitute suitable evidence. Controllers should document the relevant issue, statistics or incidents as strong evidence for the existence of a legitimate interest.
- Controllers should assess where and when video surveillance measures are strictly necessary. For instance, where it is necessary to film more than the immediate surroundings of the premises, the controller should consider physical and technical means, e.g. blocking out or pixelating irrelevant areas.
- Where surveillance is necessary, it is mandatory that the controller conducts a balancing of interests (also known as a legitimate interest assessment), on a case by case basis, to consider (i) to what extent the monitoring affects legitimate interests, fundamental rights and freedoms of individuals and (ii) if this causes negative consequences with regard to the data subject’s rights.
- The reasonable expectation (i.e. what an objective third party would expect) of the data subject at the time and in the context of the processing must be taken into account when conducting the balancing of interest. Data subjects are more likely to expect video surveillance in some contexts versus others.
- To a limited extent, other legal basis such as consent and necessity to perform a task carried out in the public interest (Article 6(1)(a) and (f) respective) may also be applicable. Note however that if relying on consent, this must meet the GDPR standard. Entering a marked monitored area is unlikely constitute a statement or a clear affirmative action needed for consent, unless it meets the criteria of Articles 4 and 7 of the GDPR.
3. Disclosure of video footage
The Guidelines emphasis that any disclosure (i.e. disclosure by transmission, dissemination or otherwise making available), is considered a separate kind of processing and the controller needs to have a legal basis for such processing. In addition, where disclosure is made to third countries or international organisations, the provisions of Article 44 (and therefore Chapter 5) GDPR will apply. This is particularly relevant to Internet Protocol (IP) cameras, which are commonly used for surveillance and are likely to be transferring and storing data outside the EEA or in a third country. Controllers should therefore ensure they have appropriate safeguards in place where such disclosures occur.
4. Processing special categories of data, including biometric data
The Guidelines clarify that video surveillance is not always considered to be processing of special categories of personal data. Article 9 GDPR will only apply if the video footage is processed to deduce special categories of data eg political opinions could be deduced from images showing identifiable data subjects taking part in an event.
Video footage of an individual cannot in itself be considered as biometric data if it has not been specifically technically processed in order to contribute to the identification of an individual. In order for it to be considered as special category, the data must be used for the purpose of uniquely identifying a natural person.
5. Rights of the data subjects whose data is processed using video devices
The Guidelines note that all data subject rights will apply to processing of personal data using video devices and provides clarifications in relation to some of these rights:
- Access rights: complying with access rights in relation to video surveillance could adversely affect the rights of other data subjects who are also identifiable from the footage. Image editing and scrambling should be employed to protect these third parties. Controllers can also ask the data subject to specify reasonable timeframes to help with searches.
- Right to erasure: the EDPB notes that blurring a picture with no retroactive ability to re-convert the picture into an identifiable image constitutes erasure in accordance with GDPR.
- Right to object: in case of video surveillance, this right could be exercised either prior to entering, during the time in, or after leaving the monitored area. This means that unless the controller has compelling legitimate grounds, monitoring an area where persons could be identified is only lawful if either: (1) the controller is able to immediately stop the camera from processing personal data when requested, or (2) the monitored area restricted so that the controller can assure the approval from the data subject prior to entering. If using video surveillance for direct marketing purposes (admittedly unlikely in practice), the right to object is absolute.
- Right to be informed: the EDPB recommends a layered approach in light of the volume of information required by Article 13 GDPR. The most important information should be displayed on the warning sign which is the first layer, and further mandatory information on the second layer.
- First layer: the warning sign may be provided in combination with an icon (such as a picture of a surveillance camera). The information should be positioned in such a way that the data subject can easily recognise the circumstances of the surveillance before entering the monitored area. This layer should convey the most important information eg details of the purposes of processing, the identity of the controller and the existence of data subject rights, together with information on the greatest impacts of the processing.
- Second layer: this layer (containing all information under Article 13 GDPR) must be available at an easily accessible place like the information desk or displayed on an easy accessible poster. It is best if the first layer refers to a digital source (e.g. QR-code or a website address) of the second layer but, in guidance which may prove practically challenging to many organisations, the information should also be available non-digitally.
6. Storage and erasure obligations
It is recommended that personal data should in most cases be erased, ideally automatically after a few days. The longer the storage period is set (especially when beyond 72 hours), the more difficult it will be to show legitimacy of the purpose and the necessity of storage. Storage periods need to be clearly defined and must be actually necessary in order to achieve the purpose.
7. Technical and organisational measures
The guidance touches on the ‘privacy by design’ principle by recommending that privacy safeguards be built into the design specifications of the technology (such as systems that allow masking or scrambling areas that are not relevant to surveillance, or the editing out of images of third persons) as well as organisational practices, and that default settings minimise data processing. In case an organisation plans to acquire a commercial video surveillance system, they need to include these requirements in the purchase specification.
The Guidelines include considerations that controllers should make when creating their video surveillance policies and procedures such as: who is responsible for management of the system, purpose and scope of the surveillance project, appropriate and prohibited uses, transparency measures, how video is recorded and for what duration, including archival storage related to security incidents; who must undergo relevant training and when, who has access to video recording and for what purposes, operational purposes (eg who monitors surveillance and what happens in case of a data breach incident), procedures external parties need to follow to request recording and procedures for denying or granting such requests, incident management and recovery procedures.
Finally, given the requirements of Article 35 GDPR, it is reasonable to assume that many cases of video surveillance will require a DPIA. Where this is necessary, it will build on the legitimate interest assessment discussed above.