Have you read the draft EDPB guidelines for the use of video devices (eg CCTV)? Perhaps you should – if you use such video devices

  • United Kingdom
  • Privacy, data protection and cybersecurity

23-08-2019

Quick Read

Many readers may have chosen to skip looking at the Guidelines that the EDPB published for consultation recently. If you are one of them, and you routinely use CCTV (or other similar devices) within your business, you may want to have a read and potentially get ready to submit representations to the EDPB. The approach and interpretation of the EDPB may, for many, result in a significant chilling effect on the use of surveillance. Whilst the writing of the law has not changed, it is the interpretation of that law that the EDPB is giving (via the Guidelines) that is likely to narrow the lawful use of CCTV. It is possible that the Guidelines, as currently drafted, cater more toward the wider, or continental EU approach to the use of CCTV and surveillance tools, where their use and adoption is not quite as prevalent as they are in the UK. However, if you are in the UK and the Guidelines are adopted, this is likely to be a step change which could be a struggle to comply with, to the point of potentially having to change the way CCTV/video devices are used in the UK.

Key issues / points arising from the draft Guidelines are:

• the consultation is open until 9 September 2019. Comments should be submitted to EDPB@edpb.europa.eu.

• aimed at all organisations, other than those involved in law enforcement, where the Law Enforcement directive EU2016/680 applies.

• GDPR level transparency obligations still need to be met when using video devices:

o consider a layered approach with key information on the first layer;

o ensure that the notice about the use of video devices is provided before an individual enters into the area recorded by the video device.

• that relying on the legitimate interest basis for processing video surveillance is not an easy option.

o Is there evidence showing why video surveillance is the most appropriate, proportionate and necessary solution to address the reason for its installation?

o Using this lawful basis opens a controller up to having to comply with data subject requests objecting to such processing and to the restriction of such processing pending a decision on the request to object.

• In relation to special category personal data:

o just because an image is captured on video, it does not mean that special category personal data is being processed;

o not all video images constitute biometric data; and

o if biometric data is being processed to ensure that a controller doesn’t do something, this still constitutes processing of biometric data.

The Briefing

In the middle of July, the European Data Protection Board (EDPB)1 published draft Guidelines for the processing of personal data through video devices (the Draft Guidelines). If you thought this will be “more of the same” and have chosen not to read or consider it necessary to submit representations, you may want to reconsider that approach. This is especially true for those companies that use/rely on CCTV/video surveillance type equipment within their businesses. While the law remains largely the same in this area, what the Draft Guidelines do is indicate the interpretation and approach of the EDPB which is a change, especially for businesses operating in the UK. However, it is not too late – you still have a chance to read the Draft Guidelines and submit representations to the EDPB. The deadline for such submissions is 9 September 2019, so there is still just over 2 weeks for you to have your say on this topic. Submissions can be made by e-mail to the EDPB email address EDPB@edpb.europa.eu.

There is a lot of information within the Draft Guidelines, so we are not going to touch on all of it, but focus on some key points that users of video capture equipment will want to consider and potentially make representations on.

The starting point

The Draft Guidelines’ opening paragraph is important to note, as it sets the tone for the Draft Guidelines:

The intensive use of video devices has an impact on citizen’s behaviour. Significant implementation of such tools in many spheres of the individuals’ life will put an additional pressure on the individual to prevent the detection of what might be perceived as anomalies. De facto, these technologies may limit the possibilities of anonymous movement and anonymous use of services and generally limit the possibility of remaining unnoticed. Data protection implications are massive. [our emphasis] (The Draft Guidelines paragraph 1.)

The language indicates the EU Data Protection supervisory authorities’ concern with how frequently video capture devices are used, and whether such use is done in a data protection compliant manner. This is particularly true given that the focus of the Draft Guidelines is on non-law enforcement use of video devices, ie use by shop owners, parking garage operators, construction site operations, or even home owners (amongst many others). The Draft Guidelines make clear that law enforcement use of video devices is subject to the Law Enforcement Directive (EU2016/680), not the GDPR. Additionally, the Draft Guidelines note that while there is a “domestic purpose” exemption that may apply to domestic use of such equipment, this exemption is to be construed narrowly. So if a domestic video device is installed, it is incumbent on the home owner to ensure that the equipment, its focus and angles are such that they don’t unintentionally capture public space. If they do, the domestic purpose exemption may no longer be applicable, and a home owner may need to comply with all the obligations set out in the GDPR.

Transparency

Having clear signage that “CCTV is in use” has always been a requirement under data protection law, so there is no surprise that the Draft Guidelines require that signage is used. However, the Draft Guidelines provide information about what the EDPB expects should be included on those signs to meet the Article 13 (fair notice) obligations. There is also some information about when the signage should be presented. How a controller practically complies with these expectations will be key.

Sign content

The EDPB, aware of the volume of data that is expected to be provided to individuals in compliance with Article 13, clearly endorse the layered approach to signage. The example provided in the Draft Guidelines uses a QR-code in the corner of the signage, in addition to including the key information immediately visible on the sign. The EDPB also expects that there is a “hardcopy” version of the additional information available. This is either in hardcopy at, for example an information stand, or in the form of a sign with the full additional information.

As for the information which should be presented on the signage, there are certain mandatory bits of information that the EDPB suggest must be on the immediately visible sign:

i. the name of the controller;

ii. the purposes for processing (note the Draft Guidelines advises that a sign simply saying that the processing is for “safety” only will not be appropriate);

iii. the existence of the data subjects’ rights in relation to the processing; and

iv. any other information which could surprise a data subject about the use of the video device footage.

In relation to iv above, the Draft Guidelines notes that information which may fall within this category could include information about international transfers of the data; potential third party disclosures; and possibly the storage periods for the footage. What is interesting about these three points, is the Draft Guidelines advise that if this information is not indicated, then a data subject should be able to trust that the video device will not record the information, but will be used for live monitoring purposes only. Why or how the EDPB have come to this conclusion is not certain, and this often goes against how many private companies deploy CCTV/video surveillance equipment. It is also unclear whether the assumption remains the case, if the further detail is provided in the second layer of the notice, although, that seems to be the implication.

The assumption which the Draft Guidance makes does not align with how a lot of companies deploy CCTV/video capture equipment. In many instances, the images are recorded for recourse later in the event of an incident, rather than having manpower to actively review the footage. If this is how your organisation deploys CCTV/Video capture equipment, you may want to make submissions on this point, or at minimum look to obtain clarity on whether the assumption would fall away if the listed information is captured at the second layer.

Timing to present the signage

Signage for the use of video devices must be presented before an individual will be captured on the video device. As the data are being collected “directly from the data subject”, this means that the delayed presentation of the fair processing notice information as set out in Article 14 GDPR will not apply, and people should be made aware in advance that they are entering into an area where they will be monitored. That way they can make an informed decision whether to continue to go into the area or not.

Practically, how would this work? Let’s say you operate a shop in a shopping centre. There is likely to be the shopping centre wide CCTV operated/managed by the shopping centre (this will need signage). Then there may also be individual shop CCTV equipment, operated by that individual shop (which will need signage). Often shops will have CCTV cameras looking at the entrance and exit points of their shops. This will mean that the shops would need clear signage outside their shop/in their window display or somewhere equally visible, before a shopper is captured in frame. It is unclear whether an “over-arching notice” of CCTV/video surveillance equipment within the shopping centre would work, but this seems unlikely, as this would not necessarily provide the specifics that the GDPR transparency obligations require. As such, each shop would then need to issue its own clear signage.

This will also mean that operators of such equipment (ie the individual shops) will need to ensure that the types of video devices, and the directions that they are facing, are carefully monitored, so as not to capture images before an individual has had the opportunity of seeing the sign. If that is not possible, then those organisations will need to either consider whether the use of video capture is appropriate, or potentially speak to neighbours to help them present their transparency notices, ie have Shop A present Shop B’s CCTV notice in their window so that a shopper is aware that they are about to enter Shop B’s image capture zone.

The obligation to provide notices of the use of CCTV/video surveillance equipment is not new to the GDPR, but the application and assumptions that the EDPB are putting forward are more conservative than has been used in the past and may cause some organisations difficulty in complying. This, added to the higher fines and a more active and educated data subject population, should make this a bigger consideration/concern for some organisations that use and rely on CCTV/video devices for security purposes, and is perhaps something that those organisations may want to make submissions on.

Of course, there will be some organisations for which meeting the obligations will not be a big issue, other than a change of signage. For other organisations, the practicalities of meeting the above requirements may require more work and consideration, or perhaps lobbying for a softening of the timing for displaying signage?

Lawful basis for processing

The Draft Guidelines look at different possible lawful bases for processing personal data via video devices. We are only looking at a couple of the points that have been made in relation to the legitimate interest lawful basis. In this regard, the Draft Guidelines advise that, before surveillance is undertaken on the basis of a legitimate interest, a “real-life situation of distress needs to be at hand – such as damages or serious incidents in the past – before starting surveillance” (the Draft Guidelines paragraph 20). The Draft Guidelines go on to note that a controller should, in order to meet their accountability obligations, keep a record of such incidents (eg date, the nature of the incident, the financial loss or other harm, and any charges brought as a result) to aid demonstrating, or evidencing, the existence of this “real-life” issue.

Necessity

It is clear from the Draft Guidelines that relying on anecdotal information, or just doing what is “the norm” in relation to the use of CCTV/video surveillance, will not be enough; being able to evidence necessity is going to be key. In this regard, the Draft Guidelines make clear that “video surveillance is not by default a necessity when there are other means to achieve the underlying purpose” (the Draft Guidelines paragraph 5). As such, the deployment of CCTV/video devices, because it is easy or what is normally done, is not going to be sufficient going forwards. The need to evidence the thinking, and to show why video input is the most appropriate way of addressing a risk, will be key going forwards. This goes alongside the need to undertake careful consideration of the type of equipment used, ie is the device audio enabled, or is there only video? Is it a static camera, or must it be able to track movement, and critically, what are the angles of image capture, and do they achieve the purpose? If too much information is captured, this will result in a breach of the data minimization obligations within the GDPR. If there is too little data captured, that of itself undermines necessity, as if the need is not met how can the equipment be necessary?

This is clearly a new requirement, and one that many organisations could struggle to demonstrate. The assumption being – if you cannot demonstrate or evidence that there is a real need for the use of CCTV/video capture devices, as opposed to an anecdotal concern, then it will be hard to meet the “necessary” criteria of the legitimate interest basis for processing the information. As such, the lawful basis will not exist and, unless an organisation can rely on some other lawful basis for processing the personal data, the use of the CCTV/video capture equipment will not meet the first GDPR principle that processing is “fair, lawful, and transparent”. This is another key point where we suspect many organisations may want to consider making a submission to the EDPB, as it could impact the use of CCTV/video capture devices for many organisations.

Data Subject expectation

Additionally, when relying on the legitimate interest lawful basis for processing personal data it is important to remember that this is not absolute; it has to be balanced against the fundamental rights and interests of data subjects, ie all those individuals who may be caught on the video device. What this means is that, depending on the device or where it is placed, there may be a different balancing test to be undertaken which will be influenced by the expectations of the data subjects.

For example, having a video device capturing individuals entering and exiting a high end jewellery store, and over the counters where the jewels are displayed may be expected. However, cameras over dressing rooms in a clothing store would not be reasonably expected. This will not be new to users of CCTV/video capture devices, and these examples are two fairly clear instances where the expectations of the individuals may be easier to identify, but there are always going to be grey areas which will need to be considered. In this regard the Draft Guidelines requires that the consideration of data subject expectations are indicated as objectively as possible, but the Draft Guidelines does not go so far as to describe what the objective criteria are, or could be, in making this determination – perhaps something for the next draft EDPB?

The section on data subject expectations also ends with the comment that “Signs informing the subject about the video surveillance have no relevance when determining what a data subject objectively can expect.” (the Draft Guidelines paragraph 39). We are unsure what the EDPB means by this. They could be saying that a sign notifying data subjects of surveillance will not be sufficient to remedy surveillance that objectively is unexpected. This does not seem to logically make sense, as the notice has to change what can be expected, by giving notice of the action. However, the EDPB may be trying to say that if the surveillance is both objectively unexpected by a data subject, and ultimately unnecessary, no signage will be able to remedy the fact that the lawful basis for processing is not viable. Either way, we think the wording on this point could do with some finessing in the next round of drafting.

Another key observation which the Draft Guidelines make, regarding the use of the legitimate interest basis for processing, is the fact that the use of this basis also enables a data subject to exercise their right to object to the processing of their personal data.

The right to object

What this means is that an individual can object to having their images captured on video devices. This right, as the Draft Guidelines point out, can be exercised either before, during, or after the data has been collected. If such an objection is raised, it is then up to the controller to demonstrate compelling reasons why the controller’s legitimate interest trumps an individual’s right to object to the processing. It is important to remember that the right to object works hand in hand with the right to restrict processing – namely that if an objection to processing has been made, then it is possible for the right to restrict to be exercised simultaneously, effectively meaning that until proof of the compelling legitimate interest has been made, a controller may be limited to just storing the personal data, without being able to further process it.

What does this mean in real world terms? Can an individual write to a controller to object to processing before, for example, they enter a shop? In theory – yes, unless the shop owner can demonstrate their own compelling reasons to continue to record the individual. However, there are some limitations to this – such as the fact that the GDPR affords a controller up to a month (with a possible extension) to respond to such requests. Additionally, an individual would need to provide sufficient information to enable the controller to identify the individual or data relevant to the request. As such, if someone objected to the processing of their images as they entered a bank on multiple occasions, and from multiple angles, at multiple times on different days – there may well be compelling reasons why such footage could be kept. There may be other considerations in how to handle such requests; however, the starting position will have to be that the controller will need to respond to such requests, and have the necessary processes and procedures in place to do so, as well as installing equipment that makes undertaking such tasks possible. The ability to obfuscate images in a quick, easy, efficient and cost effective manner is something which all controllers should always consider, as not having this in place can result in unnecessary cost and delay in responding to such requests. This should be part of meeting the “privacy by design and by default” obligations within the GDPR, and thus, if you are currently considering deploying CCTV/video capture devices, is something that you should actively be considering when choosing equipment for use. It is unlikely that submissions to the EDPB will change the considerations here, as this is a data subject right, but being aware of the concern, and the right, and being able to deal with it, should the time come, is key.

Special category personal data

There are a couple of interesting observations that come out of the Draft Guidelines in relation to special category personal data (SCPD) and the use of biometrics which we think worth noting. The first is the fact that the EDPB has noted that “video surveillance is not always considered to be processing of special category personal data”. This is helpful, as in the past, there has been some concern that there may be some occasions where the use of surveillance would always capture SCPD because it would naturally capture, for example, if someone had health issues because they were in a wheelchair, or had a white cane, or their religion because of what they were wearing. However, the Draft Guidelines make it clear that is not the case, unless the data gathered is then used to make such a determination. In other words, if such information is “incidentally” captured on video equipment, that is not a problem, but as soon as the data is used to make a determination or deduction in relation to SCPD, then the processing would be considered processing of SCPD. This may seem like an artificial distinction in some instances, as the initial use of the images may just be for security purposes, but if they are later used to determine if incidents were only happening to a certain category of individual, then all such processing will need to meet the requirements for processing SCPD, which could be problematic. In our view, it would be very helpful if there was further clarification around this point. The position is to some extent similar to that adopted within the GDPR in relation to consent, more particularly where consent is withdrawn and where the lawful processing before consent is withdrawn remains lawful. It would be helpful if the EDPB adopted a similar sort of approach here, and made that clear in the guidance.

Biometric data

The other interesting observation in relation to SCPD relates to the use of biometrics which may be overlaid onto video devices. On its own, the use of video devices will not necessarily mean an organisation is processing biometric data. This is a point that the Draft Guidelines agree with. However, it is possible that some video surveillance will result in the processing of biometric data.

In a non-law enforcement context an example of this may be using biometric data to transpose an image of an individual onto an advertising board in a shop (you’d definitely need explicit consent for this). However, what the Draft Guidelines make clear is that, if the biometric data of anyone entering that shop is collected in order to determine that they aren’t the individual who consented to the use of their biometrics, that too will constitute the processing of SCPD. In other words, the use of biometrics to discount someone from something will naturally result in the processing of biometrics. In our example of the store using biometrics to superimpose the image of a prospective client, consent would be required from everyone entering the store before the technology we’ve suggested above could be used, even for those who do not see their image superimposed wearing the latest fashion.

With all the recent publicity on the use of facial recognition software (in the UK in particular), companies considering deploying such equipment should look at the direction of travel which the EDPB are putting forward in the Draft Guidelines. It would seem unlikely that these proposals will change, and they offer some helpful guidelines for organisations to consider before deploying facial recognition software (or in some instances any other biometric processing for that matter), if the organisations can lawfully process such personal data.

Conclusion

While this briefing does not cover all aspects of the Draft Guidelines, in relation to what it does cover, there are some areas where more guidance would be gratefully received and others where the clarifications offered are helpful. There are also some areas where businesses using CCTV/video capture devices may want to consider the Draft Guidelines carefully and potentially make submissions to the EDPB, as some of the proposals could have a significant impact on organisations’ ability to use CCTV/video capture equipment in a manner that they can evidence to the EU data protection supervisory authority as being compliant with these Draft Guidelines and thus the GDPR.

However, as this is only in draft – you do have an opportunity to review and comment on the document directly to the EDPB. So if you, or your business regularly uses CCTV or any other video devices, it is worth your while reviewing the Draft Guidelines in full and providing your comments to help guide the drafting before the deadline on 9 September 2019.


1. This is the General Data Protection Regulation’s (GDPR) replacement for the previously known Article 29 Working Party.
