The European Data Protection Board has recently (29 January 2020) adopted its Guidelines on Video Surveillance. There have been changes since the consultation version. These guidelines are very detailed but helpful. Useful real-life examples are included and all aspects of data protection are covered. This piece is just an overview of very detailed guidance, and those needing the full detail should read the guidance itself.

Video Surveillance for personal or household activity

The Guidance starts by covering the use of video surveillance for purely personal or household activity, such purposes being outside the scope of the GDPR. However, care must be taken not to assume that the GDPR is irrelevant to any home use. The Guidance stresses:

‘12. This provision – the so-called household exemption – in the context of video surveillance must be narrowly construed. Hence, as considered by the European Court of Justice, the so called “household exemption” must “be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people”. Furthermore, if a video surveillance system, to the extent it involves the constant recording and storage of personal data and covers, “even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is a purely ‘personal or household’ activity”.’

It is worth reading the guidance for further examples of when home use can be within the GDPR.

Lawfulness of Processing

The guidance makes it clear that the requirement for transparency means being specific about the reason for the use of cameras:

‘Video surveillance based on the mere purpose of “safety” or “for your safety” is not sufficiently specific (Article 5 (1) (b)). It is furthermore contrary to the principle that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (see Article 5 (1) (a)).’

In practice, the use of cameras will usually be justified on the basis of legitimate interests and the guidance helpfully reminds the reader to make a proper assessment:

‘Given a real and hazardous situation, the purpose to protect property against burglary, theft or vandalism can constitute a legitimate interest for video surveillance.

20. The legitimate interest needs to be of real existence and has to be a present issue (i.e. it must not be fictional or speculative). A real-life situation of distress needs to be at hand – such as damages or serious incidents in the past – before starting the surveillance. In light of the principle of accountability, controllers would be well advised to document relevant incidents (date, manner, financial loss) and related criminal charges. Those documented incidents can be a strong evidence for the existence of a legitimate interest. The existence of a legitimate interest as well as the necessity of the monitoring should be reassessed in periodic intervals (e. g. once a year, depending on the circumstances).’

In practice, such analysis and the second stage of balancing the legitimate interests of the Controller against those of the individuals whose images are captured can be done using a Legitimate Interest Assessment following the template on the ICO website. Part of the exercise in balancing the legitimate interests of the Controller against those of the individual will involve an assessment of the reasonable expectations of the individual. This is where the new guidance makes some very useful comments:

‘Data subjects can also expect to be free of monitoring within publicly accessible areas especially if those areas are typically used for recovery, regeneration, and leisure activities as well as in places where individuals stay and/or communicate, such as sitting areas, tables in restaurants, parks, cinemas and fitness facilities. Here the interests or rights and freedoms of the data subject will often override the controller’s legitimate interests.’

‘Signs informing the data subject about the video surveillance have no relevance when determining what a data subject objectively can expect. This means that e.g. a shop owner cannot rely on customers objectively having reasonable expectations to be monitored just because a sign informs the individual at the entrance about the surveillance.’

Consent

Everybody has probably seen a sign along the lines of ‘by entering these premises you consent to video surveillance’ and considered that they are being presented with little choice in practice. The new guidance is very helpful on this issue:

‘44 Regarding systematic monitoring, the data subject’s consent can only serve as a legal basis in accordance with Article 7 (see Recital 43) in exceptional cases [My emphasis]. It is in the surveillance’s nature that this technology monitors an unknown number of people at once. The controller will hardly be able to prove that the data subject has given consent prior to processing of its personal data (Article 7 (1)). Assumed that the data subject withdraws its consent it will be difficult for the controller to prove that personal data is no longer processed (Article 7 (3)).’

‘46 If the controller wishes to rely on consent it is his duty to make sure that every data subject who enters the area which is under video surveillance has given her or his consent. This consent has to meet the conditions of Article 7. Entering a marked monitored area (e.g. people are invited to go through a specific hallway or gate to enter a monitored area), does not constitute a statement or a clear affirmative action needed for consent, unless it meets the criteria of Article 4 and 7 as described in the guidelines on consent.’

‘47. Given the imbalance of power between employers and employees, in most cases employers should not rely on consent when processing personal data, as it is unlikely to be freely given. The guidelines on consent should be taken into consideration in this context.’

Special category data including biometric data

The new guidance clarifies that a video surveillance system is not processing special category data just because, for example, it captures a wheelchair user (i.e. potentially information about health). However, if the system is being used for the purpose of processing health information, e.g. in a hospital setting, then it would be processing special category data and the usual need for justifications under both Articles 6 and 9 of the GDPR applies.

Similarly, images of faces do not automatically count as biometric data; only when the image is used to identify an individual does it become biometric data.

Coming back to the issue of consent in the context of the processing of biometric data, the new guidance is very clear:

‘Finally, when the consent is required by Article 9 GDPR, the data controller shall not condition the access to its services to the acceptance of the biometric processing. In other words and notably when the biometric processing is used for authentication purpose, the data controller must offer an alternative solution that does not involve biometric processing – without restraints or additional cost for the data subject.’

Subject Access Requests

There is much coverage of this topic, including expectations as to redaction of other individuals, but one of the most helpful snippets is the statement that an individual ought to assist the controller in finding the requested images:

‘…… the data subject should (besides identifying themselves including with identification document or in person) in its request to the controller, specify when – within a reasonable timeframe in proportion to the amount of data subjects recorded – he or she entered the monitored area. The controller should notify the data subject beforehand on what information is needed in order for the controller to comply with the request.’

Privacy Notice/Signage

Anybody who has already considered this issue will realise that displaying a compliant full privacy notice in relation to the use of cameras is most impractical, given what such a notice should cover. The new guidance supports the use of a layered approach with the most important information on the initial sign. However, it should be noted that the expectation is still for a considerable amount of information on the initial sign, so ‘Cameras in Use – for further details see our Privacy Notice’ is not good enough. An example sign is included in the guidance.

Much of this new guidance is, in practice, already covered by the available ICO guidance, including the need to assess whether the system is needed at all and to make sure that the system is only used for the stated purpose. However, the new guidance adds an important layer of extra detail and clarification.