New EU Video Surveillance Guidelines - What You Need to Do
By Hadar Kolberg and Dan Or-Hof.
The European Data Protection Board (EDPB) has recently published guidance on the processing of personal data through video surveillance systems (Guidelines 3/2019 on processing of personal data through video devices).
The EDPB guidelines clarify how companies should apply the GDPR when monitoring a specific space by optical or audio-visual means, while collecting pictorial or audio-visual information on persons entering the monitored space who are identifiable on the basis of their looks or other elements.
As the guidelines mainly provide a high-level overview of the relevant topics, we have added our own view on how you should implement the EDPB guidelines in practice.
*This memo is not a legal opinion. Feel free to reach out if you have questions about these guidelines.
THE EDPB GUIDELINES
OUR UNDERSTANDING – WHAT YOU NEED TO DO IN PRACTICE
LAWFULNESS OF PROCESSING
Before using video surveillance systems, companies should specify in detail and document in writing the purpose of processing for each surveillance camera in use.
The data subjects should be informed of the purpose(s) of processing.
Create a digital repository to document details related to the installation and use of surveillance cameras. Create an entry for each installed camera and record its purpose, whether security or any other purpose.
Companies must have a lawful ground for processing personal data, such as legitimate interest or consent.
Please note that any disclosure of personal data to a third party is a separate type of processing of personal data, for which the company needs to have a legal basis.
The purpose of protecting property against burglary, theft, or vandalism can constitute a legitimate interest for video surveillance in case of a real and hazardous situation.
That is, the legitimate interest must actually exist and be a present issue. A real-life situation of distress needs to be at hand – such as damage or serious incidents in the past – before starting the surveillance.
Companies are advised to document relevant incidents (date, manner, financial loss) and related criminal charges as evidence for the existence of a legitimate interest.
Relying on consent as a lawful ground might impose difficulties, as companies must make sure that every data subject who enters the monitored area has freely given their specific, informed and unambiguous consent.
Please note – entering a marked monitored area by itself usually does not constitute a statement or a clear affirmative action of the kind needed for consent.
Companies monitoring their employees should not rely on consent, as in most cases, the employees’ consent is not considered to be freely given, given the imbalance of power between employers and employees.
Look for criminal acts, vandalism, terror attacks or other security-related events in the company's offices or their surroundings and document them to justify the use of the cameras.
Have your counsel verify every order or request by a law enforcement agency or a court, to disclose camera footage. Consult your counsel before sharing the footage with anyone else.
Relying on legitimate interests, rather than on consent, is probably the better course of action.
Personal data should be adequate, relevant and limited to what is necessary to fulfill the purposes for which it is processed.
Before installing a video surveillance system companies should examine:
1. If the purpose of the processing could be fulfilled by other means, which are less intrusive to the fundamental rights and freedoms of the data subject;
2. If video surveillance system is suitable to attain the desired goal, and if it is adequate and necessary for its purposes.
Surveillance cameras are not always the optimal solution. Have a discussion first: examine the threats or requirements, make a mindful decision and document it.
Before operating a camera system, a company is obliged to assess where and when the video surveillance measures and their recordings are strictly necessary.
Plan the positioning of the cameras carefully. First, define which areas need to be covered by the cameras (for example, only the public areas within the offices or facility).
Then plan the deployment of the cameras to cover the desired areas, while taking care not to capture any areas that are not required.
If the cameras capture the immediate surroundings of your premises, consider physical and technical minimising measures, for example blocking out or pixelating irrelevant areas.
If recording is not essential, use real-time monitoring instead. Otherwise, if possible, consider using a ‘black box’ solution, where the footage is automatically deleted after a certain storage period and only accessed in case of an incident.
SPECIAL CATEGORIES OF DATA
Companies should always try to minimize the risk of capturing footage revealing sensitive data regardless of the processing purpose.
Cameras installed outside your premises should not capture activities in places that individuals tend to share only with their friends, community or other people that they trust.
These may include (examples only): private property, houses of prayer, medical and health-related facilities, correctional facilities, trade union facilities, political institutes, ethnic or cultural activities, abortion clinics and gay clubs/bars.
If a video surveillance system is used in order to process special categories of data, the data controller must identify both an exemption from the general rule that one should not process special categories of data and a legal basis for processing the data.
Not every exemption listed in Article 9(2) of the GDPR can be used to justify processing of special categories of data through video surveillance.
More specifically, data controllers processing special categories of data in the context of video surveillance cannot rely on Article 9(2)(e) of the GDPR, which allows processing of personal data that are manifestly made public by the data subject.
The mere fact of entering the monitored area does not imply that the data subject intends to make public special categories of data relating to him or her.
We find it hard to understand how to apply this guidance. Video systems can capture, for example, a person wearing traditional religious clothing (personal data revealing religious beliefs), or a person having an epileptic seizure (data concerning health). The operator of the video system has no control over these situations.
Our understanding is that in the large majority of cases where cameras are installed for security purposes, the only feasible exemption for the processing of sensitive information through video surveillance is Article 9(2)(e) of the GDPR (data manifestly made public by the data subject). The EDPB believes that this exemption does not apply.
As a mitigation step, consider adding to the cameras’ signs: “Please do not reveal any sensitive data.”
Another mitigating step would be to delete footage with potentially sensitive information, soon after you have become aware of it.
SPECIAL CATEGORIES OF DATA – BIOMETRIC DATA
When the purpose of the processing is distinguishing one category of people from another but not to uniquely identify anyone, the processing does not fall under Article 9.
The GDPR does not apply to sensor-based systems that cannot identify specific individuals.
The use of video surveillance with biometric recognition functionality will, in most cases, require the explicit consent of all data subjects; however, another suitable exemption under Article 9(2) of the GDPR could also apply.
When biometric processing is used for authentication purposes, the data controller shall not make access to its services conditional on the data subject's consent to the processing of their biometric data.
The data controller must offer an alternative solution that does not involve biometric processing – without restraints or additional cost for the data subject.
Biometric data is sensitive by nature. Face-recognition capabilities should be added to video surveillance systems only in exceptional use cases and following a thorough discussion about the need for such capabilities.
Even if you have decided to use face-recognition systems, you need to provide a genuine alternative, such as badges or keys, which does not disadvantage or discriminate against the individuals who prefer it.
You will need to be able to distinguish between the individuals who consented from those who refused.
Once a match or no-match result has been obtained, the biometric templates generated for comparison against the ones created at enrolment must be securely deleted.
The templates created at enrolment should only be retained for the realisation of the purpose of the processing and should not be stored or archived beyond that.
Consult the supplier of the face-recognition system and obtain confirmation that the system deletes the comparison templates after producing a matching result.
Biometric templates must not be transferable across biometric systems.
Face-recognition databases need to be segregated from the rest of the IT network and systems, preferably on a dedicated server. Data from these databases may not leave the face-recognition system without prior consultation with your counsel.
The data controller must consider the most appropriate location to store the data.
Keep the biometric templates stored on an individual device kept by the data subject and under their sole control, for example on their badge.
Only if this option is not applicable, store the templates in a centralized database, in an encrypted form with a key/secret solely in the hands of the persons who manage the system, to prevent unauthorised access to the template or storage location.
The data controller shall take all necessary precautions to preserve the availability, integrity and confidentiality of the data processed.
Use security measures such as:
· segregate data during transmission and storage
· store biometric templates and raw data or identity data on distinct databases
· define a policy for encryption and key management
· encrypt biometric data
· integrate organisational and technical measures for fraud detection
· associate an integrity code with the data (for example signature or hash)
· prohibit any external access to the biometric data.
· delete raw data (face images, speech signals, gait, etc.).
o If you need to keep such data, noise-additive methods (such as watermarking) should be explored.
· delete biometric data and templates in the event of unauthorized access to the read-comparison terminal or storage server and when the data is no longer useful for further processing.
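The following is an added example, not code from the EDPB guidelines or from this memo, showing how several of the measures in the list above fit together in a template store: templates and identity data kept in distinct stores linked only by an opaque random reference, an integrity code (an HMAC) computed under a key that is held by the system operators rather than stored with the data, verification of that code before any comparison, and zeroing of the comparison template once the match/no-match result is produced. The matcher, the threshold and the in-memory dictionaries are stand-ins for a real biometric comparator and database; encryption at rest is left to the storage layer and is not shown.

```python
"""Added example: a minimal biometric template store with segregated
identity data, HMAC integrity codes and deletion of probe templates.
Constructed for illustration; the matcher is a toy stand-in."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Toy acceptance threshold for the toy matcher below (assumption).
THRESHOLD = 0.90


class IntegrityError(Exception):
    """A stored template no longer matches its integrity code."""


def similarity(a: bytes, b: bytes) -> float:
    """Fraction of equal bits between two fixed-length templates.
    Stands in for a real matcher; only the surrounding controls matter here."""
    if len(a) != len(b) or not a:
        return 0.0
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 1.0 - differing / (8 * len(a))


class TemplateVault:
    """Templates and identity data live in distinct stores linked only by an
    opaque reference. Each template carries an HMAC computed under a key the
    system operators hold (e.g. in an HSM); the template store never holds it."""

    def __init__(self, integrity_key: bytes) -> None:
        self._key = integrity_key
        self._templates: dict[str, tuple[bytes, bytes]] = {}  # ref -> (template, code)
        self._identities: dict[str, str] = {}                  # ref -> identity, kept apart

    def _code(self, ref: str, template: bytes) -> bytes:
        # Binding the reference into the code stops a valid template/code pair
        # from being copied onto another entry.
        return hmac.new(self._key, ref.encode() + b"\x00" + template, hashlib.sha256).digest()

    def enrol(self, identity: str, template: bytes) -> str:
        ref = secrets.token_hex(16)  # random, not derived from the identity
        self._templates[ref] = (template, self._code(ref, template))
        self._identities[ref] = identity
        return ref

    def _load(self, ref: str) -> bytes:
        template, code = self._templates[ref]
        if not hmac.compare_digest(code, self._code(ref, template)):
            raise IntegrityError(ref)
        return template

    def verify(self, ref: str, probe: bytearray) -> bool:
        """Compare a freshly captured probe template against the enrolled one.
        The probe is zeroed and emptied whatever the outcome, so the comparison
        template does not outlive the match/no-match decision."""
        try:
            return similarity(self._load(ref), bytes(probe)) >= THRESHOLD
        finally:
            for i in range(len(probe)):
                probe[i] = 0
            probe.clear()

    def identity_for(self, ref: str) -> str:
        """Resolve the identity only after a match, from the separate store."""
        return self._identities[ref]

    def delete(self, ref: str) -> None:
        """Remove template, code and identity link, e.g. after suspected
        unauthorised access to the storage server."""
        self._templates.pop(ref, None)
        self._identities.pop(ref, None)
```

A tampered template fails `_load` before any comparison takes place, and the probe is still wiped in that case because the clean-up sits in a `finally` block.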
All rights of data subjects under the GDPR apply to the processing of personal data through video surveillance.
A. Right to Access
A data subject has the right to obtain confirmation from the data controller as to whether their personal data is being processed.
If no data is stored or transferred in any way, then once the real-time monitoring moment has passed the data controller could only give the information that no personal data is being processed any longer.
If, however, data is still being processed at the time of the request (i.e. if the data is stored or continuously processed in any other way), the data subject should receive access and information in accordance with Article 15 of the GDPR.
Exercising the right of access in video surveillance footage is a complicated matter. In most cases, the requesting individual needs to identify when and where they were captured by the cameras.
Identifying a specific individual in video footage is not an easy task. Thereafter, blurring or cropping images of other individuals in the footage is not easy either.
When an individual submits a right of access request, you cannot delete the footage related to that individual. Therefore, minimising the extent of relevant footage would be good practice.
Twenty-four hours of continuous recording produces 86,400 seconds of footage per camera.
As a general rule, retain video surveillance footage for the minimum time needed, and in any case not more than 30 days, except when specific footage is needed as evidence.
Limitations on the right of access:
1. The data controller should not, in some cases, hand out video footage in which other data subjects who were captured in the same footage can be identified.
This, however, should not be used as an excuse to prevent legitimate claims of access by individuals. The data controller should instead implement technical measures to fulfill the access request.
2. If the video footage is not searchable for personal data and the data controller is unable to identify the data subject, the data controller should demonstrate that it is not in a position to identify the data subject and inform the data subject accordingly, if possible.
3. In case of excessive or manifestly unfounded requests from a data subject, the data controller may either charge a reasonable fee in accordance with the GDPR or refuse to act on the request.
Implement technical image-editing measures, such as masking, pixelating or scrambling, and when applicable use them to blur or erase individuals other than the data subject requesting to exercise their rights.
Record each request. You bear the burden of showing that you have rightfully denied an excessive or unfounded request.
B. Right to Erasure (Right to Be Forgotten)
By blurring the picture with no retroactive ability to recover the personal data the picture previously contained, the personal data is considered erased in accordance with the GDPR.
We believe that this guidance bears a risk. Anti-blurring techniques are likely to improve and to become increasingly capable of 'de-blurring' images. Permanent and secure deletion, using known data deletion standards, is preferable.
C. Right to Object
As a data subject may exercise their right to object at any time (prior to entering, during the time in, or after leaving the monitored area), the data controller must either:
a. Have a compelling legitimate ground to monitor the area; or,
b. Restrict and delimit the entrance to the monitored area, so that the data controller can: (a) ensure that all data subjects that entered the monitored area have given their consent; and, (b) immediately stop the camera from processing personal data when requested.
This is another reason not to rely on consent when using video surveillance systems. When relying on consent and not on legitimate interests, you must implement measures to immediately stop processing when receiving an objection request.
TRANSPARENCY AND INFORMATION OBLIGATION – SIGNS AND NOTICES
The data subjects should be informed of the monitoring and the areas covered by that monitoring. The information should be provided in a two-layer manner:
First layer – warning sign
Second layer – further mandatory details provided by other means.
Display a warning sign at a reasonable distance from and outside of the monitored area. The current standard warning signs are not sufficient to comply with the EDPB guidance.
The sign’s text should be in the local language, contain a camera icon and a clear disclosure.
The sign should convey the most important information, such as:
· details of the purposes of processing (e.g.: security, safety);
· the identity of the data controller;
· the data subjects’ rights (e.g.: access, deletion);
· information on substantial impacts of the processing, such as transmission of the data outside the EU and the retention period;
· reference to a second layer of the privacy notice through URL, QR-code or otherwise.
You need to provide a second, more elaborated, layer of notice containing all other mandatory information under Article 13 of the GDPR.
Provide the elaborated notice in a digital form through a link to a website or a QR-code, however, the information should also be easily available non-digitally without entering the monitored area.
This means that, in addition to the digital form, you need to provide a customer service hotline with either a recorded message containing the elaborated privacy notice or a service representative who will provide such information, or make available a hard copy version of the elaborated privacy notice.
STORAGE PERIODS AND OBLIGATION TO ERASURE
Personal data should not be stored longer than necessary to fulfill the processing purposes.
The longer the retention period is set (especially beyond 72 hours), the more persuasive the legitimacy of the purpose and the necessity of retention must be. Set a retention period for each particular purpose after a thorough discussion on these matters.
As a general rule, retain the footage to the minimum time needed and, in any case, for no longer than 30 days.
TECHNICAL AND ORGANISATIONAL MEASURES
The data controller must secure the personal data.
Our general recommendations (not necessarily an exhaustive list):
· Encrypt the data in storage and in transmission.
o Keep the encryption keys away from the encrypted data (on a separate server).
· Segregate the video footage database.
· Grant very limited access permissions.
· Verify that the video surveillance system is properly protected from cyber-attacks.
· Do not retain video footage if not needed. If needed, delete it regularly, based on your retention policy.
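The following is an added example, not code from the EDPB guidelines or from this memo, that turns the storage-period rules summarised above and the "delete it regularly" recommendation in this list into a small retention policy that a deletion job can run against a footage index: a retention period defined per purpose, a hard ceiling of 30 days, a recorded justification required for any period beyond 72 hours, and an exception only for clips placed on a hold that references a documented incident. The purposes, periods, camera ids and incident references are constructed for illustration; a real deployment would read the clip index from the recorder or video management system.

```python
"""Added example: footage retention as code. Constructed for illustration;
purposes, periods and sample clips are not from the memo or the guidelines."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_RETENTION = timedelta(days=30)   # ceiling recommended in the memo
JUSTIFY_ABOVE = timedelta(hours=72)  # beyond this, the guidelines want a stronger case

# purpose -> (retention period, written justification). Illustrative values.
RETENTION_BY_PURPOSE: dict[str, tuple[timedelta, str]] = {
    "perimeter-security": (timedelta(hours=72), ""),
    "cash-desk": (timedelta(days=14), "thefts at the desk are typically reported up to ten days later"),
}


class PolicyError(ValueError):
    """The retention table or a hold request violates the policy."""


@dataclass(frozen=True)
class Hold:
    incident_id: str  # points at the incident register entry (date, manner, loss)
    placed_by: str
    placed_at: datetime


@dataclass
class Clip:
    camera_id: str
    purpose: str
    recorded_at: datetime
    hold: Optional[Hold] = None


def retention_for(purpose: str, table: dict[str, tuple[timedelta, str]] = RETENTION_BY_PURPOSE) -> timedelta:
    """Look up the period for a purpose, rejecting entries that break the policy."""
    if purpose not in table:
        raise PolicyError(f"no retention period defined for purpose {purpose!r}")
    period, justification = table[purpose]
    if period > MAX_RETENTION:
        raise PolicyError(f"{purpose}: {period} exceeds the 30-day ceiling")
    if period > JUSTIFY_ABOVE and not justification.strip():
        raise PolicyError(f"{purpose}: periods beyond 72 hours need a recorded justification")
    return period


def validate_table(table: dict[str, tuple[timedelta, str]] = RETENTION_BY_PURPOSE) -> None:
    """Fail at start-up rather than at deletion time if the table is misconfigured."""
    for purpose in table:
        retention_for(purpose, table)


def place_hold(clip: Clip, incident_id: str, placed_by: str, now: datetime) -> None:
    """Exempt a clip from deletion because it is needed as evidence."""
    if not incident_id.strip():
        raise PolicyError("a hold must reference a documented incident")
    clip.hold = Hold(incident_id=incident_id, placed_by=placed_by, placed_at=now)


def is_expired(clip: Clip, now: datetime) -> bool:
    """A held clip never expires automatically; everything else follows its purpose."""
    if clip.hold is not None:
        return False
    return now - clip.recorded_at >= retention_for(clip.purpose)


def sweep(clips: list[Clip], now: datetime) -> tuple[list[Clip], list[Clip]]:
    """Split clips into (to_delete, kept). Run on the schedule your policy sets."""
    to_delete = [c for c in clips if is_expired(c, now)]
    kept = [c for c in clips if not is_expired(c, now)]
    return to_delete, kept


if __name__ == "__main__":
    validate_table()
    now = datetime.now(timezone.utc)
    sample = [  # constructed clips
        Clip("cam-01", "perimeter-security", now - timedelta(hours=80)),
        Clip("cam-01", "perimeter-security", now - timedelta(hours=10)),
        Clip("cam-02", "cash-desk", now - timedelta(days=20)),
    ]
    place_hold(sample[2], "INC-2020-007", "security-manager", now)
    gone, kept = sweep(sample, now)
    print(f"delete {len(gone)} clip(s), keep {len(kept)}")
```

Releasing a hold, and the deletion that follows it, is deliberately not automated here: the memo expects those decisions to be documented and taken with counsel, so they belong in a reviewed workflow rather than in the sweep job.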
POLICY AND DESIGN
The data controller should adopt an appropriate management framework and establish and enforce policies and procedures related to video surveillance.
Adopt a suitable internal framework, including designating required personnel and creating a video surveillance policy, addressing the following topics:
· appointment of an owner for the processing of personal data;
· definitions of the purposes for processing personal data;
· angles and monitoring range;
· risks to the rights and freedoms of the data subjects;
· appropriate use of the video surveillance system;
· transparency measures, including means to inform the data subject of the surveillance;
· data retention and deletion;
· access rights to video recordings;
· means to enable data subjects’ requests to exercise rights;
· incident management and recovery procedures;
· means to handle a data breach incident;
· data security measures and controls.
Data controllers should implement appropriate technical and organisational data protection measures before they start processing video footage.
Consider implementing systems that allow masking or scrambling areas that are not relevant to surveillance, or editing out images of third persons, when providing video footage to data subjects.
Implement solutions that do not offer excessive functions not required to achieve the processing purposes (e.g., unlimited camera movement, zoom, analytics and audio recording). Functions that are provided but not necessary should be deactivated.
DATA PROTECTION IMPACT ASSESSMENT
According to the GDPR, data controllers are required to carry out data protection impact assessments (DPIA) if the processing constitutes a systematic monitoring of a publicly accessible area on a large scale.
In addition, data controllers are required to carry out DPIA if they intend to process special categories of data on a large scale.
Conduct an impact assessment for every change in the deployment of the video surveillance system, including when installing additional cameras, when moving to new offices or when purchasing cameras with new capabilities and functionalities.
In any case, we recommend conducting a comprehensive annual assessment.
DATA PROTECTION OFFICER
According to the GDPR, data controllers are required to designate a Data Protection Officer (DPO) if the processing operation by its nature entails regular and systematic monitoring of data subjects.
If you have gone through a GDPR compliance assessment program, then you already know if your organization needs to appoint a DPO. It goes without saying that the DPO’s work should cover the video surveillance system.