With the growing popularity of smartphones, dashcams and video surveillance for access control, cameras are increasingly becoming a part of daily life. In particular, video surveillance conducted by private companies – to prevent and solve crimes, for example – is a much-discussed topic in data protection law. On 29 January 2020, the European Data Protection Board (EDPB), the EU body responsible for harmonising the enforcement of the General Data Protection Regulation (GDPR), published a revised version of their guidelines on the processing of personal data through video devices in accordance with the GDPR. A few weeks earlier, the European Court of Justice (ECJ) had issued a ruling on a case of surveillance of public spaces. This article explains what you now need to know about video surveillance.
The supervisory authorities on lawfulness of video surveillance
In their “Guidelines 3/2019 on processing of personal data through video devices”,1 the European supervisory authorities state that not all types of video recordings entail the processing of personal data. As such, the GDPR is not applicable to video cameras that provide parking assistance in cars, for example, as long as the camera is designed or modified so that no information relating to a natural person is collected.
When personal data is processed, the guidelines note that two provisions are most likely to be used as a legal basis: the legitimate interests of the data controller (Article 6(1)(f) of the GDPR), and – of particular relevance for authorities – performing a task carried out in the public interest (Article 6(1)(e) of the GDPR). A legitimate interest may exist, in particular, if the purpose of the video surveillance is to protect property against burglary, theft or vandalism. The EDPB specifies that these dangers must be real and present issues. In addition, the scope of video surveillance – both in terms of the area monitored and the duration of monitoring – must be limited to what is necessary.
ECJ ruling on private video surveillance
The EDPB’s views correspond to ECJ case law: the court recently dealt with the data protection requirements of private video surveillance in a preliminary ruling procedure (judgment of 11 December 2019, C-708/18).2 In this judgment, the ECJ specified the conditions under which processing of personal data by means of a video surveillance system may be based on the legitimate interests of the data controller. The case concerned the surveillance of private premises in a residential building (the lift and foyer) and the building’s exterior by a man whose family had been repeatedly attacked by persons unknown.
The ECJ ruled that processing could be justified by the legitimate interests of the data controller, provided that there was a legitimate interest in video surveillance in the individual case concerned, that this processing was necessary to pursue the legitimate interest, and that the opposing interests of the data subjects did not outweigh the legitimate interest.
Video surveillance to detect and prevent criminal offences
According to the ECJ, the legitimate interest – for example, protection of property or health and safety – must already exist and be a present issue at the time of processing; it must not be merely hypothetical. However, it is not necessary for the security of the property or person to actually have been compromised beforehand.
According to the court, data processing must also be restricted to that which is “strictly necessary”. If other measures are available to the data controller, the processing of personal data to protect legitimate interests can only be considered necessary if other measures have previously been attempted and have proven to be inadequate. In particular, the court requires an assessment of whether video surveillance only at night-time and outside regular working hours is sufficient, or whether footage of certain areas must be blocked out or blurred. The restriction of the area monitored also has special significance for natural persons: exactly five years earlier, the ECJ had ruled that video surveillance by private individuals must be restricted to their own property, otherwise data protection law applies in full (judgment of 11 December 2014, C-212/13).3
The legitimate interests of the data controller must be weighed against the interests and rights of the data subjects in each individual case. In particular, consideration must be given to whether the data in question is publicly accessible. In addition, the type of personal data and the legitimate expectations of the data subjects must be weighed against the importance of the legitimate interest of the data controller. With respect to the data subjects, factors to be considered are whether or not the data is sensitive and how many people will have access to the video footage.
Sensitive data and information obligations
Another challenge, which has not yet been addressed in ECJ case law, is the processing of special categories of personal data under Article 9(1) of the GDPR, which entails increased risks for data subjects. For example, video surveillance to monitor a patient in an appropriate facility constitutes processing of health data. Facial recognition will typically constitute processing of biometric data. The processing of such data is only permitted if one of the additional requirements given in Article 9(2) of the GDPR is fulfilled. In contrast, video footage coincidentally capturing a data subject wearing glasses or using a wheelchair is not considered to constitute processing of special categories of personal data. According to the EDPB, however, “other sensitive data” not listed under Article 9(1) of the GDPR should also be given special protection, which is why the risks for data subjects associated with video surveillance must be minimised.
Entirely separate from the question of legitimacy is an issue which is frequently not sufficiently addressed in practice: fulfilling the information obligations under Article 13 of the GDPR. Often, only pictograms are used to inform the public about the use of video surveillance. However, the other information obligations laid down in Article 13 of the GDPR – for example, about the period for which the data will be stored, the legal basis for processing, and the recipients of the data – must not be neglected. In this respect, the EDPB proposes a so-called layered approach to the information obligations. First, a symbol drawing attention to the video surveillance should be prominently displayed and key information provided; all other information required by law can then be made available through other means.
Impact on practice
While the ECJ judgment was issued with regard to the Data Protection Directive (Directive 95/46/EC), it should be fully transferable to the GDPR. Incidentally, it is also in line with German case law on private video surveillance: most recently, the German Federal Administrative Court declared the special German regulations in Section 4 of the German Federal Data Protection Act to be illegal under European law and therefore inapplicable to processing by public bodies.4 The central legal basis for video surveillance therefore remains the appeal to legitimate interests under Article 6(1)(f) of the GDPR. Companies must state their legitimate interests in video surveillance, restrict both the area they monitor and the duration of the surveillance as much as possible, and consider opposing rights and freedoms. This consideration should be carefully documented, not least in light of a possible audit by data protection supervisory authorities.
Despite the judgment and the EDPB guidelines, some questions remain regarding the lawfulness of processing and the information to be provided to data subjects. In particular, complex application scenarios such as connected cars or technologies such as real-time audience targeting and augmented reality require clear and precise evaluation in terms of data protection law. The information obligations also pose a particular challenge in these scenarios; it may be advisable to take a layered approach and to issue the information in multiple steps using different media.
Dr. Alexander Golland, Attorney-at-law (IP, IT, Commercial) at PWC legal (Düsseldorf) and editor of the journal “Datenschutz-Berater”.
Dr. Jan-Peter Ohrtmann, Partner (IP, IT, Commercial) at PWC legal (Düsseldorf).