New EDPB guidelines on processing personal data through video devices
How does the GDPR apply to the use of video devices?
The key takeaway
Businesses that use CCTV and other video monitoring should check that their current practices are compliant with data protection laws.
In July 2019 the European Data Protection Board (EDPB) published their guidelines on data processing in relation to the use of video devices. The public were able to submit their comments on the consultation version of the guidelines until 9 September 2019.
These guidelines come within the context of increased concern from the EDPB about the use of personal data obtained from videos. The EDPB has stated that a significant amount of personal data is being generated and stored and there is growing concern over the potential for misuse – for example, using the data for purposes beyond security which data subjects may not expect (eg marketing or employee monitoring). The introduction of facial recognition technology presents additional privacy challenges, as does combining surveillance systems with other technology (eg biometrics) which makes it harder for individuals to remain anonymous.
The guidelines explain that there are a number of scenarios where video footage does not fall within the scope of the GDPR. These include videos where individuals cannot be identified (for example their face or number plate is blurred), or the footage is for law enforcement activity or personal use.
Specific GDPR requirements for use of video devices
In cases where the exemptions do not apply, the guidelines set out a number of key requirements:
- if video devices are being used to monitor a large public area, a data protection impact assessment (DPIA) must be carried out (Article 35(3)(c))
- if video devices are being used to monitor individuals on a regular or systematic basis, a data protection officer must be appointed (Article 37(1)(b))
- every camera in use must be for a specific purpose which is recorded in writing (Article 5(2))
- data subjects must be made aware of the purpose for which they are being recorded and this information must be provided in a transparent manner. This will usually involve installing a prominent sign with initial information and then offering more detailed information in an accessible manner (for example, via a link or telephone number).
As with other types of processing, the use of personal data obtained through a video device must have a legal basis. For video devices the EDPB states this is most likely to be a legitimate interest or a task carried out in the public interest.
A legitimate interest must be balanced with the rights of data subjects. Factors that are particularly relevant for this balancing exercise include:
- the size of the area being monitored
- the number of data subjects being monitored, and
- the reasonable expectations of the data subject in relation to the processing of their data (for example, the EDPB states that individuals would usually expect not to be monitored in leisure areas such as gyms and restaurants).
However, the interest will only be a legitimate reason to continue the monitoring if it relates to a current (rather than a speculative) threat.
In line with the principle of data minimisation, personal data collected should also be processed only to the extent necessary. For example, if audio recordings and facial recognition are not required, these video functions should be disabled. The recording should also not take place at times of day or in areas which are not necessary or relevant for the purpose.
In some exceptional cases the data processor may rely on the consent of an individual as their lawful basis. However, in order to be valid, consent must be freely given, specific, informed and unambiguous. Power imbalances, such as those between an employee and an employer, are likely to negate consent.
Particular care must be taken where special category data is being recorded (for example, facial recognition via biometric data might fall within this ambit). In order to process this more sensitive type of information you are likely to have to rely on the consent of the individual. If you are capturing and analysing the image of anyone who has not properly consented, this will be a breach.
The EDPB also provides some helpful examples of ways to protect processed data – compartmentalising it during storage and transmission, using an integrity code, prohibiting external access and storing raw data on a different platform to biometric templates.
Why is this important?
The guidelines published by the EDPB provide greater clarity on the application of the rules on video recording. The examples given are helpful in terms of demonstrating what data controllers need to be considering. Above all, the guidelines emphasise that every situation needs to be considered on its own merits. Now would be a good time for businesses to start assessing (or re-assessing) their practices to ensure that they are working towards the required standards.
Any practical tips?
If you want to use the footage from a video device, ensure that you can justify it with an appropriate legal basis. Only use the video device in the areas and at the times necessary. Provide clear signs which explain to data subjects why they are being recorded and make sure that detailed information on the use of the video devices is available.
Finally, keep an eye out for any updates to the EDPB guidelines following the close of the consultation – there will likely be some fine tuning. Assessments that involve subjective considerations like the reasonable expectations of a data subject are always going to be difficult to interpret, so hopefully more examples to expand our understanding of this concept will follow.