One cannot deny the massive public security benefits security cameras bring. They are also a great way for businesses especially at risk of crime to help protect themselves. This includes banks, stores and public institutions.
Clearly, the drawbacks and the benefits must be weighed against each other. Indiscriminate placement of security cameras is not the answer, but when intelligently set up, they can be an immense security asset without intruding on individuals’ privacy too much.
The General Data Protection Regulation, a new piece of privacy legislation entering into force on 25 May 2018, contains several provisions regulating video surveillance. The provisions aim exactly at striking a balance between reasonable safety and privacy of the individuals. Therefore, the GDPR introduces some changes that companies who opt for video surveillance should pay attention to in order to comply with its provisions.
A Step Back to 1984?
Compared to 10 years ago, CCTV systems are much cheaper and simpler to install. Thus, they represent a low-cost method for monitoring and protection of property. The first adopters of these systems were financial institutions, but nowadays private individuals can also cheaply install several video surveillance cameras on their premises. Many shops and stores have set up their own systems as well, not to mention the official government surveillance systems (the UK) and police cameras at intersections.
Research from UrbanEye shows that individuals are distrustful of video surveillance systems. Even though two thirds agree that people who haven’t done nothing wrong don’t have much to fear, more than a half understand the potential for misuse of the technology and 40% feel that video surveillance is an invasion of privacy.
‘Public’ CCTV – such as in banks or metros – is seen as a necessary evil, but the use of video surveillance in private spaces – like bathrooms and changing rooms – is frowned upon for logical reasons. People in general recognise the need for limited access to surveillance footage, and would rather that only the police have control over on-street cameras.
In some cases, the GDPR actually presents a step back from the existing privacy regulation in the EU. The German privacy regulation, for example, contains very detailed stipulations on video surveillance, moreso than the general provisions baked into the GDPR.
However, since the GDPR will supersede all the national privacy laws and regulations, the obligations and stipulations of the GDPR will be applied in the entire EU. This harmonisation of privacy rules is a great benefit for companies wishing to expand their business to other Member States.
Under the GDPR, companies will not have to study the complex privacy laws of each country as much – as long as they are compliant in one EU country, they can be certain they will be as compliant in the other. Thus, they will enjoy marked reductions of red tape and other administrative costs.
National Derogations
Bear in mind, though, that the GDPR allows for more specific provisions from EU Member States in some areas. In wake of the recent terror attacks, the German Government has decided to make use of the opportunity by drafting a stronger law that would permit video surveillance of public areas during concerts and events.
This was done with the stated goal of ensuring the protection of life and freedom of the individuals. The law could be applicable even after the GDPR enters into force, but expert German judges cast doubt on its constitutionality, considering it too excessive a measure.
Be that as it may, it is a good example of how the GDPR need not necessarily bring about perfect harmonisation. Still, it will undoubtedly be much simpler to compare the privacy regulations of EU Member States.
Video Surveillance in Practice
Under the GDPR, video surveillance is considered a high-risk operation requiring particular attention, especially if public areas with a large amount of foot traffic are monitored. While proponents stress the ability to deter vandalism and identify criminals, the same technology can be used to ‘identify’ passers-by and compromise their privacy, without them being aware of the fact.
Generally, the legal grounds for video surveillance will be based on legitimate interests of the company (protection of property, prevention of offenses, etc.).
You are required to perform a data privacy impact assessment (DPIA) with help of your data protection officer for every surveillance system you have set up. In it, you should list the specific processing activities you want to perform and the reasons why video monitoring is necessary in the first place. You should then consider the risks to the individuals stemming from video surveillance, as well as any remedial measures you can take to reduce these risks. If the risks are excessive and cannot be reasonably reduced, it is best to contact your data protection authority (regulator) directly.
Only if the assessment results in a ‘balance’ of reasons tipping in favour of video surveillance should you set up such a system. Biometric systems that can detect and automatically identify individuals are restricted to manual checking by the regulators (such is the case in Italy). The same applies to smart cameras that detect unusual behaviour and then begin capturing data.
There is a need to strike a fair balance between the interest of privacy and of crime prevention. Most laws permit the operation of CCTV systems in such a way that they create a minimal intrusion to privacy. The principle of data minimisation applies in all cases. Cameras should cover as little area as possible to fulfil their role. For example, for a bank this includes surveillance of the surrounding walls to prevent vandalism, but not of the pedestrian path across the street.
Keep all records of your DPIAs for easy access, such as when requested by the regulator. Do not forget to notify the individuals entering the area under surveillance that they are being monitored. Simple signs and stickers work well; make sure to set them up in plain view. You should also provide more information on purposes of surveillance if asked by the individuals.
Do not forget that data handling guidelines apply to the recorded material. You must ensure security and privacy of the data for as long as you retain it, especially if individuals can be recognised on the recordings.
Specific Regulations
Even though not specifically listed in the GDPR, most European laws further prohibit workplace surveillance for the purpose of monitoring worker activities and working hours.
In health care, surveillance is allowed only when the benefits for the patient are large (in intensive care units, for example). Only authorised medical personnel should monitor these recordings.
School surveillance systems could hurt the children’s right to privacy, if not installed well. Surveillance should be directed at areas at risk of vandalism and at those areas only. In case of extracurricular activities taking place, recording should be paused.
Public web-cameras for tourism and advertising purposes are legal, and recordings can be broadcast live on the Internet, as long as people cannot be directly identified from the recordings.
A CCTV a day keeps the vandals away – but you can’t use it with impunity.
Video Surveillance: Yes or No?
Generally, the GDPR takes a reasonable approach towards video surveillance. It requires a careful analysis of the potential risks and benefits. The mandatory DPIA makes reaching an informed decision a bit easier.
Our advice is to keep video surveillance to a minimum. People generally react negatively to video surveillance, even though most of us have become habituated to it. If you do install such systems, the rule of minimisation applies: install as few cameras as possible and keep as little data as possible. By doing so, you reduce all the risks that could stem either from unauthorised recording or from data breaches.
However, be wary of individual EU Member State regulations. While the GDPR has done a lot in terms of rule harmonisation, this field in particular seems to be lacking. Overall, the laws in various EU states are a patchwork of similar provisions organised under data protection or police acts, with a few countries having separate laws exclusive to CCTV, like Spain. In any case, adopting the advice in this article puts you on the right track towards compliance with the GDPR.
