New GDPR Guidelines on CCTV Surveillance

News_CT_20190722-084810_1

In today's world, video surveillance has become ubiquitous to the point that most people hardly even notice the presence of cameras and in some instances even expect cameras to be in place. Such an attitude towards the use of cameras belies how commonplace they have become and how accustomed we have grown to being constantly under surveillance. Acknowledging this reality, the European Data Protection Board ('EDPB'), which was established just over a year ago with the introduction of the General Data Protection Regulation ('GDPR'), has recently made available for public consultation its Guidelines on the processing of personal data through video devices ('the Guidelines'), which includes not just CCTV, but also dashcams, private security cameras and mobile phone cameras.

These Guidelines shed light on how video surveillance may be made use of and under what parameters, especially in light of the new GDPR paradigm. First and foremost, it is vital to note that these Guidelines only concern video surveillance wherein personal data, as understood by the GDPR, are actually being processed. Therefore, the surveillance must include information that relates to an identified or identifiable natural person (i.e. a 'data subject'), such as footage of a person's face, name tag, or other distinguishing characteristics that render them identifiable (e.g. unique tattoos or birthmarks). Personal data, in any but especially in this context, would also include car license plates, identification documents and most notably, biometric data. On the other hand, footage lacking any such personal data (e.g. research cameras that solely monitor wildlife creatures, the night sky or microscopic organisms) would fall outside the scope of the GDPR and consequently, of these Guidelines.

The departure point for setting up any kind of video surveillance system should always be an assessment of whether such a system is needed in the first place. The Guidelines suggest considering alternatives wherever possible, depending of course, on the purpose in question. If the camera is going to be installed for security purposes, the data controller, i.e. the person who will be responsible for the video footage that would be collected, should consider what other measures may be implemented instead of a camera system, which measures would be less intrusive on individuals' rights to privacy and data protection. For instance, one should consider whether reinforced walls and glass, better locks, better lighting or hiring security guards would have the same effect.

Furthermore, any installed cameras should only record those areas that need to be surveilled. The typical example provided by the EDPB is that of a shop with a camera installed outside to monitor the entrance to the shop and/or the shop windows, to protect against theft and vandalism. Wherever possible, those cameras should not also monitor the pavement or the road outside, since that would mean that personal data of persons who simply pass by and never even enter the shop are being processed, which would exceed the purpose of installing such cameras i.e. security. Hence, the principle of data minimization – only collecting that data which is strictly necessary - as enshrined by the GDPR, plays a key role in video surveillance.

Another consideration should be whether the persons that will be recorded as a result of the installation of the video surveillance system, would reasonably expect to be recorded in that particular instance. For instance, the Guidelines opine that at the workplace, an employee would in most cases not likely expect to be monitored by their employer, whilst a visitor at a bank or at a jewellery store would be more likely to expect that they would be monitored due to the increased need for security. This is not to say that video surveillance cannot take place when an individual does not always expect it, but there must be even greater transparency and information provided to the recorded data subject in those instances where they are less likely to expect such recording.

Therefore, if one decides that a surveillance system is indeed necessary, this leads to the question of what should be communicated to data subjects about a surveillance system and in what manner must this be achieved. The EDPB has included a helpful template (reproduced below) in the Guidelines that outlines just this: 

Such a notice (which is arguably, much more detailed than what was previously accepted in Malta) would relay important information to the data subject, in a simple and concise manner, specifically:

1. That you are in or about to enter into an area where video surveillance is taking place; [1]
2. Why the recording is taking place (i.e. the controller's justification for installing a CCTV or other video system);
3. The identity of the controller (or its representative) responsible for the video system;
4. The rights that the data subject can avail themselves of in respect to such processing of their personal data;
5. The contact details of a data protection officer or, where one is not appointed, whichever individual would be responsible for the footage being recorded, who would ideally be the same individual whom the data subjects would be able to contact to exercise their rights as mentioned in point 4 above;
6.Where the data subject can find further information regarding the processing of their personal data.

The last point is arguably the most important as it ties in with the "layered approach" of providing information, which was established by the EDPB's predecessor, the Article 29 Working Party. [2] The idea is that data subjects are to be given information in varying levels of detail, with the 'first layer', such as the template above, providing only the most essential information while the second and any subsequent layers, providing the rest of the information that a controller is obliged to provide under Article 13 or 14 of the GDPR. The link between the first and second layer should ideally be provided through digital means, such as a QR code or a URL to a website, as depicted above.

The second layer usually takes on the form of a master Privacy Policy which would explain, in detailed yet clear and simple language, all of the processing operations of the controller, including the personal data collected from the video surveillance. Within this second layer, further information can be provided to the data subject about their rights, about any third parties with whom the controller shares personal data (if any) and inter alia, how long the data subject's personal data are going to be kept for.

Regarding the latter issue, with respect to video surveillance footage, the Guidelines once again reiterate what is stated in the GDPR: that personal data should not be stored for longer than is necessary. What is necessary will often depend on the given circumstances. A recent judgment delivered by the Maltese Court of Appeal has established that the maximum retention period for CCTV footage, in normal circumstances, should not exceed seven (7) days (click here to read Mamo TCV's summary). Nevertheless if footage need not be retained for so long, the retention period should be even shorter. The Guidelines point out that the longer the storage period established "especially when beyond 72 hours", the more difficult it becomes to justify "the legitimacy of the purpose and the necessity of storage." [3]

The notions of legitimacy and necessity permeate throughout the Guidelines, and indeed, throughout the GDPR itself. Recent advances in technology make it especially important for data controllers to be wary when applying said technologies to video surveillance systems. The Guidelines explicitly state that additional features in cameras that enable better privacy should be utilized. Such examples range from masking or scrambling areas in the camera's range which are not required, to manually editing out images of third persons when providing a copy of any footage to a data subject that has requested such copy (and who has a right to receive such copy). On the other hand, technological functions which are not necessary in respect of a particular purpose, such as zoom capability, recording of audio and unlimited camera movement, should be excluded or deactivated.

To summarise, a careful evaluation of any video surveillance that you might carry out or think about carrying out should not be underestimated or taken lightly. Whether you are planning on installing a new system or have been using one for the last decade, these Guidelines, which elucidate the stringent requirements under the GDPR, serve to provide clarifications on the most crucial aspects surrounding the use of such technology. The Guidelines themselves, which contain numerous practical examples of the various facets of video surveillance as discussed above, may be read in full here.

1 – Wherever possible, the Guidelines advise placing the sign outside the area which is actually being surveilled, so that the data subjects are giving the necessary information before they are subjected to surveillance.
2 – WP260, par 35; WP89, p. 22
3 –
EDPB Guidelines 3/2019, par 119 


Disclaimer
This document does not purport to give legal, financial or tax advice. Should you require further information or legal assistance, please do not hesitate to contact Dr. Warren Ciantar and/or Dr. Claude Micallef-Grimaud. 

The New Work-life Balance Directive
Rent Reform in Malta: An Overview of the Residenti...

Related Posts