Austria’s First GDPR Fine Is For Video Surveillance

By Charles Rollet, Published Jan 29, 2019, 06:47am EST

Should EU businesses be concerned if police see a business' surveillance cameras filming public areas?

This is what happened with Austria’s first GDPR fine, imposed on a betting shop for filming public areas with its security cameras.

austria gdpr fine

The case racked up a total of almost $6,000 in fines, some of which were for non-GDPR violations. It has been appealed, so is not final. The case is nevertheless an important example of the heightened risk faced by end users in the GDPR era, particularly since it was the GDPR-related fine that was by far the highest.

In this note, we examine:

  • How They Got Caught
  • Alleged Violations
  • GDPR vs non-GDPR Violations
  • How The Fines Were Calculated
  • Why the GDPR Fine was the Highest
  • The frequency of Video Surveillance Fines in Austria
  • Timing & Gravity of Offense
  • Broader Meaning

*** *** **** *** Caught

********* ** ********** **** *******, ***** ****** ******** ******* two ************ ******* ******* public ***** ***** *** entrance ** * ******* shop ** *** ****** of****** ** ***** **, ****. (Betting ***** *** ****** in ***** ** ****** and ******* ******* ** a ***** *****/*** ***** patrons *** *** **** machines ** ***** ****.)

* **** *** ****** which *** *********** ** the ******** **** ********** agency,*** ***, ***** *** **, 2018, *** **** *** GDPR *** *******. **** is ******* ***** ** the ****, ******* ***** surveillance ***** **** ******* by ***** ***********, *** the ***, *** ****** told ****.

List ** **********

*** *** ****** **** the ******* **** ********* four ******** ******* **********:

  1. *** ******** ******* ******* at *** ****’* ******** monitored * ****** ******* lot *** ******* *****, recording ****** ******* ** and ********’ ******* ******.
  2. *** ******* **** *** registered **** ***********.
  3. ***** ************ ******* *** kept *** ** ********** time ****** **** ** justification ********. (******** ******* law ******** ***** ************* for *** ***** ************ storage ******* ****** **** 72 *****.)
  4. ***** *** ** ****** sign ********** **** ***** surveillance *** ***** ****.

*** ******* **** *** unnamed ** *** *** does *** **** **********, although *** ******* *** mention ** *** **** of * *****. 

GDPR ** ***-**** **********

*** ***** ********* – filming ****** ***** – was *** **** ****** listed ** ********* *** GDPR, **** *** *** highlighting *** ******** ******** of *** ***:

  • ******* *, ***** ****** **** the ********** ** ******** data ** “******* ** **** ** necessary ** ******** ** the ******** *** ***** they *** *********”. *** DSB ***** **** *** betting ****’* ********** *********** *** *** cameras’ ******** ******* ** surveilling *** ********.
  • ******* *, ***** **** *** the ********** *** ****** processing, **** ** “*******” and “********** ********”. *** DSB ***** **** *** betting ****’* ******* ********* none ** ***** **********.

*** ***** ***** ******* were *** ********** *********’* ******** ******* ***, ***** *** ****** in ****.

*** ****** ****** *** GDPR ** ***-**** ***** is **** “*** ******** of *** ******* ******* occurred ****** ** *** 2018” *.*. *** **** the **** *** *******. Therefore ********** *, *, and * **** ******* under ******** ******* *********** while *** ***** *** charged ***** *** ****.

How *** ***** **** **********

*** *** **** *********, the **** *** ***** 2,400 ***** ($*,***). *** other *****, ***-**** ********** received ***** ** *** euros **** ($***), ** laid *** ** ******** Austrian ******* ***. *** ***** ** ***** was **** *,*** ***** ($5,435). * **% ***** fee *** *****, ******** the ***** ** *,*** euros ** $*,***.

(**********: “**** ** *****”, “Penalty ** **** ***** are *** *********”, “************ period”, “[*****] *********”)

GDPR ****** ****** *****

*** **** **** *** GDPR ********* *** ***** was *,*** ***** ***** the ***-**** ***** **** only *** ***** ** not * ***********.

*** ***'* ****** **** Matthis ******* ********* ** IPVM (******** *****):

********* ********, *** **** allows ****** ****** **(*) *** (*)significantly ****** **** concerning the determination of the total amount of an imposed fine in relation to prior legal provisions in force before the GDPR.

************, ******* **** ************* ********************* **** ***** **** ** proportional ** *** **** of *** ********; * small ******* **** ***** not ** ******* **** the ******* **** ****, which *** ***** ** million ***** ** *% of ****** ****** *******.

*** **** ** ** proportionate. *** *******, * cannot **** * ******** who *** ** ****** income ** **,*** ***** [$45,300] **** * **-*******-**** fine [$** *******].

Frequency ** ***** ************ ***** ** *******

**** ** *** *** first **** ******* ***** surveillance ** ***** ** Austria. ******** ** *** not ******* **********, ******* told **** **** ***** are * "****** **********", before *** ***** *** GDPR:

*** ******** ** *** fining ***** ******* *** presumed ******* *** ** CCTV.

Timing/Gravity ** *******

*** ****** ************* ** the ******* **** ***** in ***** **** *** the ***** **** ********* in ********* ****. *** shop *** ******** *** case *** *** *** to *******’* ******* *****, which *** *** ** rule ** **, *** DSB ********* ** ****.

*** *** **** ********* that **** ** *******’* first **** ****. *** months-long ***** ** **** fines ***** **** *** fact **** **** ********** are ***** ******* * backlog ** ***** ***** began **** ****** *** GDPR’s *********.

*** *** ****** *** shop’s ******* ** ** “negligent” ****** “**********” ** “aggravating”. **** ** ******* the ******* **** ****’* have *** ******** ****** of **********, ******* *** illegal *** ******-**** ***** surveillance.

**********

**** **** ******** * particularly ************ ******* ** how ***** *** ** higher ****** ** *** GDPR. * $*,*** **** *** a ****** ***** **** can ** ***** * significant ******, *** ** is ****** **** *** total **** ***** **** been ****** *** *** the ********** ***** ***** after *** ****’* ********* on *** **. 

**** ** ********* *** users, ***********, *** *** others ********** ***** ************ data ****** ****** **** in ****.

Comments (34)

Good piece. 

Agree: 2
Disagree
Informative
Unhelpful
Funny

A fine for "Filming Public Areas"???

"The cameras were not registered with authorities"

How Lame!

Agree: 3
Disagree: 3
Informative
Unhelpful
Funny: 1

Maybe to the US, however EU privacy laws have for a long time regulated video surveillance much more stringently (and this predates the GDPR.) For example in France the government explicitly bans homeowners from installing security cameras that film public areas, "even if they want to ensure the security of their vehicle parked in front of their home.”

Agree: 1
Disagree
Informative: 4
Unhelpful
Funny

"Nanny State" at its best....

Agree: 3
Disagree: 5
Informative
Unhelpful
Funny

Understandable sentiment, but there are plenty of other unknown “nannies” tracking millions of people every moment. Out of sight out of mind...

Agree
Disagree
Informative
Unhelpful
Funny

The reason behind the GDPR vs non-GDPR split is that “the majority of the alleged conduct occurred before 25 May 2018” i.e. the date the GDPR was enacted. Therefore violations 2, 3, and 4 were charged under previous privacy legislation while the first was charged under the GDPR.

this implies that had the conduct only occurred after May 25 2018 that just the GDPR fine of $2,400 would have been levied; and conversely, had it only occurred before May 25 2018, that just the 3 $800 fines would have been imposed.

If this is so, why do you say that

it was the GDPR-related fine that was by far the highest.

when it they appear to both be $2400, just with the non-GDPR spread over three items, but both for the same conduct?

 

 

Agree
Disagree
Informative
Unhelpful
Funny

Sure, let me explain. What I'm saying is that had all the alleged misconduct taken place after May 25, all 4 violations would have been categorized as GDPR violations, rather than only 1. Since the GDPR gives authorities significantly more leeway in imposing fines, each of the violations could have been fined, for example, 2,400 euros - so that's 2,400 x 4 = 9,600 euros total in fines, or almost $11,000.

Also the non-GDPR violations were not "spread over three items"; each one was a standalone violation of privacy regulations.

I made sure to check my interpretation that fines for GDPR violations are generally higher with the deputy head of the Austrian data protection agency Matthias Schmidl. He confirmed this to me, stating in full (emphasis added):

"generally speaking, the GDPR allows within its Art 83 (4) and (5) significantly higher caps concerning the determination of the total amount of an imposed fine in relation to prior legal provisions in force before the GDPR. In addition, in this particular case, the Austrian DPA had to take transitional provisions into account, which allowed for lower fines based on the national legal framework prior to the GDPR in which the infringing action started before the 25th of Mai 2018."

Agree
Disagree
Informative: 2
Unhelpful
Funny

What I'm saying is that had all the alleged misconduct taken place after May 25, all 4 violations would have been categorized as GDPR violations, rather than only 1.

So are you saying that after May 25, the only illegal conduct was the filming of private areas?

And that therefore, sometime before May 25, they had registered the cameras, put signs up, remedied the retention period etc?

That seemed unlikely to me, but it’s possible.

On the other hand, if all of the 4 offenses occurred in both periods and all 4 are illegal under both statutes, it would seem a bit arbitrary to assign them capriciously and asymmetrically, just because they were committed over a longer or shorter time period.

Hope that made sense :)

I did try to check myself, but the link you gave returned the dreaded  “Die Seite wurde nicht gefunden”...

Agree
Disagree
Informative
Unhelpful
Funny

So are you saying that after May 25, the only illegal conduct was the filming of private areas?

And that therefore, sometime before May 25, they had registered the cameras, put signs up, remedied the retention period etc?

The case reads that "most of the alleged misconduct occurred before May 25." So violations 2, 3, and 4 were found by authorities before the GDPR, but violation 1 was only confirmed afterwards. Because violations 2-4 were already being investigated prior to GDPR, the shop can't be prosecuted for the same offense post-GDPR. There is no mention of the shop registering cameras, putting up signs, etc.

I did try to check myself, but the link you gave returned the dreaded “Die Seite wurde nicht gefunden”...

My bad, I fixed the link in the article. You can also click here.

Agree
Disagree
Informative
Unhelpful
Funny

I have a LPR camera that covers all cars that drive by my offices, if people don't like it they drive another way. The cops loved the video when some teenagers smashed up one of our cars.

Agree: 1
Disagree: 2
Informative
Unhelpful
Funny

How do you inform the person driving there? Also, can you ensure the data can not retrieved by some outdated firmware vulnerability or built in backdoor in the switch?

I would not appreciate a random company or person tracking and storing where I drive.

Agree: 3
Disagree
Informative: 1
Unhelpful
Funny

built in backdoor in the switch?

Or the camera... :)

Agree: 2
Disagree
Informative
Unhelpful
Funny: 1

Haha yes built in the switch or camera :)

I really don't understand the negative reception to GDPR. Most non-EU members seem to find it nothing more than a hassle.

To me I see two major positives

- more consideration to data
- less space for trunkslammers

Especcialy the second reason should be applauded. This makes a better space for the industry and better and a higher level of knowledge for installation.
Ultimately this should been a better quality and higher margin.

Agree: 1
Disagree
Informative: 2
Unhelpful
Funny

Private road, proper network design, and just like the supermarket answer, (look up and see it). 

I have a camera that's setup on my driveway as LPC, I see the side of cars driving by, but no plates till they turn down my driveway. It doesn't see any of their pools, driveways, or front yards. It's a "fancy neighborhood" so if I changed the angle to grab plates driving by they wouldn't mind.

2 houses down one of my neighbors has a ptz mounted 30' off the ground on the side of their house, normal rule of don't be a duck comes into play. Someone just outside of my neighborhood had a cheap wifi camera got them in trouble when they decided to post pictures of a honor role student walking through their backyard that could identify them. The kid shouldn't of been there, but posting it to the towns parents Facebook group (over 4k parents to see) was enough to get them in trouble for that.

Agree
Disagree
Informative
Unhelpful
Funny

I have a LPR camera that covers all cars that drive by my offices, if people don't like it they drive another way.

I judged from this message it was capturing all LPR, there was no exclusion of only driveway entering being captured.

If it's your property you are within you rights, same goes for the PTZ example. No argument there.

It's the matter of not having a choice of being filmed, so public roads or cameras looking in to your private property. When you enter someones private property you don't have any say in there camera choices. Legislation says you need to be aware though... I don't fully agree with that part

Agree
Disagree
Informative
Unhelpful
Funny

My offices have an odd design, a private road that just happens to be on our property goes between two of our buildings, if someone felt the need to drive that way vs the other 2 entrances to get where they want to go that's their choice.

As for my house, my LPC camera shoots on a public road, I get the side of every car, but only the plate of the ones that turn down my driveway, even if it'd just to turn around. Having a PTZ off a second story that can zoom into seeing a bedroom isn't the same as a fixed camera that sees a driveway only. 

But as the person who post up video/pictures of people in their backyard on facebook, if my neighbor or I felt the need to shame people online we would be running into issues of our own. I'm not part of the UK, but in the states, cctv is intended to be kept private, not published online to everyone.

Agree
Disagree
Informative
Unhelpful
Funny

Intended and required by law are two entirely different things.

Agree
Disagree
Informative
Unhelpful
Funny

Google, Apple and Microsoft already know everything about us.

Agree
Disagree
Informative
Unhelpful
Funny

  With the required camera registration, it just sounds like a way for the govt to have knowledge and access to all cameras with a view of the public without having to pay/install themselves. Or there is crooked dealings going on in the streets that the govt is wanting to hide.

  Also, I would think a sign is unnecessary if the cameras are in plain view.  Call me pessimistic if you want

Agree: 1
Disagree: 2
Informative
Unhelpful: 1
Funny

Your view is understandable on a practical basis, however, there's no exception anywhere in the GDPR or previous EU privacy laws that signs denoting video surveillance are not required as long as the cameras are in plain view. (You can see why: a supermarket may claim their cameras are easily visible when many shoppers don't even bother to look up and notice them).

Agree
Disagree
Informative
Unhelpful
Funny

Put a sign at eye level and they won't even see it.

Rule of thumb, "You're on camera".

 

Agree
Disagree
Informative
Unhelpful
Funny

I can understand you feel this way, but what happens when your not so friendly neighbour installs cameras on his house, pointed at the road but also looking at your garden and private pool?

GDPR is a hassle, but a good thing for the end user

Agree: 3
Disagree
Informative: 1
Unhelpful
Funny

...but what happens when your not so friendly neighbour installs cameras on his house, pointed at the road but also looking at your garden and private pool?

this?

Agree
Disagree
Informative
Unhelpful
Funny: 1

I support strict enforcement of GDPR rules where they exist, and I advocate for compliant practices in areas where the laws do not exist.  The encroachment of ubiquitous surveillance on everyday life is offensive in a notionally free country.

Agree: 1
Disagree
Informative
Unhelpful
Funny: 1

I'm really glad that we don't have such laws in Australia, where private cameras in shops that happen to film the footpath in front of the shops have been largely responsible for the apprehension of 2 rapist/murderers, and solving a number of other crimes.  The police regularly call on private CCTV video.

We do have some other stupid laws around encryption though.

 

Agree
Disagree
Informative: 3
Unhelpful
Funny

Alf, good point. A similar practice exists in the US with regards to using private cameras to help solve public cases. Indeed, in the US, a number of local police departments build databases of private cameras to help solve crimes. It is is an interesting tradeoff amongst privacy, security, and cost (i.e., those private cameras are much less expensive than building out comparable public systems).

Agree
Disagree
Informative: 2
Unhelpful
Funny

Informative article, please keep them coming as you learn about GDPR violations and fines.  Also any knowledge of GDPR like privacy laws and fines in the United States and other countries.

reference: 

Senate discusses a federal privacy law

States leading the way on privacy

Agree
Disagree
Informative
Unhelpful
Funny

Another brilliant example of the government wasting time and resources.  Do they really think that bad people doing bad things are going to comply with rules and regulations.  I'm all for best practices, personal privacy and controlling my personal data, but people have to be realistic about what makes sense and rules are only for the ones that follow them.

Agree
Disagree: 2
Informative
Unhelpful
Funny

UPDATE: less than two weeks after this betting shop fine was issued, Austria's data protection authority imposed a $2,700 fine on a man for violating the GDPR after he installed security cameras in his apartment that filmed common areas in the complex.

On December 20, 2018, the Austrian DPA found that a man named Mr. Rudolf - his first name was not disclosed - installed 2 cameras (one at his doorway, the other at his window) that also filmed "areas of the property intended for general use" such as:

Rudolf also "published in social media" at least some of the footage and didn't put up a sign indicating the video surveillance.

The DPA found all this violated Articles 5 and 6 of the GDPR, just like the betting shop case, and fined Mr. Rudolf 2,420 euros or about $2,700:

The main takeaway from Rudolf's case: common areas in apartments like parking, walkways, etc are also considered "public"; to be GDPR compliant, residents can only film their own property.

Agree
Disagree
Informative: 1
Unhelpful
Funny

a man named Mr. Rudolf - his first name was not disclosed...

because of GDPR? ;)

Agree
Disagree
Informative
Unhelpful
Funny

ha, no, I think this is just longstanding policy (that predates the GDPR) of authorities not naming suspects/people involved in court cases/etc. Many European countries have similar policies.

Agree
Disagree
Informative
Unhelpful
Funny

though, i think only his last name is not disclosed, right?

Agree
Disagree
Informative
Unhelpful
Funny

UPDATE: Fine Overturned Following Appeal

In April 2020, Austria's highest court overturned the fine based on a legal technicality unrelated to video surveillance. The high court determined that the DSB had not sufficiently tied the shop's illegal video surveillance to a specific person, i.e. the manager:

this decision was canceled without replacement and the proceedings were discontinued, because it was a fine against a GmbH [limited liability company] and insufficient acts of persecution against a natural person ("leader" within the meaning of Section 30 DSG ) in the administrative proceedings of the DSB (at least name will appear in the penal; out the method for a concrete form individual) set were.

Below is a legal analysis of the high court's move from Austrian law firm Schima Mayer Starlinger:

According to Austrian jurisdiction, the Data Protection Authority can impose administrative fines on a legal entity for violations of the GDPR and the Austrian Data Privacy Act respectively, if the violations are committed by individuals who hold a leading position in the legal entity concerned or if the violations are caused by lack of supervision or control by a person in a leadership role. However, neither the decision nor any other procedural act of the Data Protection Authority indicated what behaviour by which individual had led to the infringements and was therefore attributable to the legal entity and could therefore be used as a basis for the administrative fine imposed. As the leading individual required was never named and thus never specified by the Data Protection Authority within the statutory time limits for prosecution, the Federal Administrative Court had to annul the administrative penalty imposed on the company.

Agree
Disagree
Informative
Unhelpful
Funny

Just to be clear, there is no loophole where companies can get away with a violation if it wasn't the manager/leader specifically who committed one. If a regular employee commits a violation, the manager can still be held responsible:

The criminal liability of the legal person [...] is based on the accusation that the executives named there that had violated the "obligations" listed or that they had made an "employee act" possible through lack of control or monitoring

Agree
Disagree
Informative
Unhelpful
Funny
Read this IPVM report for free.

This article is part of IPVM's 6,898 reports, 921 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports