Dahua Products Are Not GDPR Compliant, No Products Can Be

By Charles Rollet, Published May 29, 2018, 08:30am EDT

Dahua products are neither GDPR-compliant nor certified, contrary to their marketing.

*** ****** ** **** no ******** *** **, as *** ** **** not '*******' *** ******* products ** '*********'.

** **** ****, ***** on *** **+ **** **** *** Video ************ *****, ** ******* **** Dahua ** ***** ****, why ** ** ********** and *** ***** *** other ************* *** ****** support ****.

Announcement *** *****

*** *** ****** *** GDPR’s ******** ************** **** on *** **,***** ************* *** ** ******* and ***** ******** **** DVRs **** “*********” ** “comply **** *** ****” by*Ü* *********.  ***** ******* **** ********* who *** ***** “********* ** ********” ***** now “**** **** ******** [sic]."

Who ** ‘**********’ *****? 

*Ü* ** * *******, ***-****** company ** ******* **** provides *****-***** ************** *** inspections ** ***** **********. It ** *** **** of *** ** ********** or *** **** *********** mechanism. *Ü* *** ************ ****** ** China ** ******* *** revenues (**** ***** ***** media: *** ********* ***** ****** at ***** ******.)

***** ***** ******* ** was *** “***** ** global ***** ************ ********” to ******* **** ************* from*Ü*, ****** ******* ************ ************ Uniview **** ******* ***** * *** before ***** **** *** **** ******* TÜV.

'Derived ****' ****, *** ****

*Ü* ********* ****** **** *** ******* ************* schemes*** ******* **** *** EU ****,” ****** **** claiming **** ******* ****** proof ** **********, ** they ******.

GDPR *** *************

***** *** **** ********** certification ** *** ******* **, ** **** *** include *** ************ **** products ** ********* *** establish *** ****** ********** mechanisms. ************, ************* ** ***** for **** *********** *** processors ** **** "******* and *********** ***********" ********* "*********** safeguards" - ** ** not ***** *** ********.

******* **’* ******* * states **** *** ************* schemes **** ** “********* *** ********* *** a ******* **** ** transparent”. *******, *****’****** ******* [**** ** longer *********]** ******* ***** ** any ******* ***** ******* how ** ******** ************* plus ** *** **** minimal ******* **** *Ü* itself ** *** ******* and TÜV *** *** ********* to *** ******** ******** for ******* ** ****.

No ****** ** ***** ************** 

******** *Ü*'* ************* *** ******* ********* ***** no ***** ****** *** do *** ****** * firm’s ********* ** **** something **** ***** ********* **’* ******* *********:

 

False ***** ** ********

** ********* *** ******** GDPR *********, ***** ***** mislead ******* **** ******** they *** ********* ******* the ****’* *********** **** fines. 

*** **** ********* ***** ** ** to *% ** ****** revenue*** ********** ***** ** ***** to **** ******** *** rules. ** ********* ** IPVM’s**** *****, ***** ***** *** not ********* ********* *** broader ********** **** ********* authorities **** *****’* * breach ** ********* ****** with ***** ******** **** if *********. 

*** ***** *******, **’* not ******** *** * camera ** ** ‘****-*********.’ There *** ****** ** criteria ** ******** ****** to ********* ****. **** is ****** *** ***** reveals ****** ** ******* on ******* *** ***** products *** ****-********* ** the ***** *****.

Other ************ ******

***** ***’* *** **** firm ******* *****-***** **************. For *******,******* ********* **** **** that *** ***** ******* software ** “*********” ** “****-*****” b** ******* *** **** cautious ** *** ******, limiting ** ** * specific **** ******* ******* while ******** *** ***** ** *** ******** [**** no ****** *********], ****** *****,**** *** ******** **** “certified ** ****** **** the ****”.

***, ** ********* *****, Uniview ******** *********** *** same ***** ******* **** the **** ******* * day ******.

*******, ***** ** * reason ************* *** ** keen ** ******* ***** certifications. **’* ***** ********* and ********** *******, *** actual ********** **** *** GDPR ******.

What ** **** *** ** ******** ***** ****

******* ** ******** ** ‘certifying’ ******* *****, ** best *** ** ****** you *** ********* **** the **** ** ** ask * *** ***** questions **** **:

  • **** *** ******* ******* cybersecurity **** ********* *** encryption ******** ** ****** personal **** ******** *** avoided? (*** **** ********** ******* ****** ******’* ******** data ***’* ***********. ***** has * ******* ******* *****, ********* *** ** recently ****** *********, ***** * ******** allowing ****** ************ ***** access *** *********** *** ****** *******.)
  • ** *** ******* **** be ********* ***** ******* of ****** ***************, **** it **** **** ********/******* technology ************? (*** **** ********** “****************”** ***** ********** ** best ****** *******’ *******. This ********** ** *** a ****** ******* ** Dahua *******.)
  • ** **** ** * personal **** ******, ** there * ****** ** inform *********** *** ******* as **** ** ******** informed? (**** ********** **** inform ******* “******* ***** *****” ***** ******** ***** of * ******** **** breach. ***** ********** ************* ************ ******** *****.)
  • ** ***** * ********** public ******** **** ****** recognition ** ***** ********* techniques *** ***** ****? (Biometric ************* ********** **** * few ********* **********.***** ** **** ******* ** ****** recognition*** ************* **** * *** reporter ******* ******* * Chinese **** ** * minutes ** * *************.)

*********** *** *** ***** should ****** ********* **** they ******* **** ******* to *** ********* *****. It does *** ****** ** these *** “****-*********” ** someone.

 

Update, *** **:***** **** **** *** published, **** ***** *** following **** ** ********* that ***** *** ****, certification ** ******** *** **** *********** and ********** ****** **** actual ********:

"************, ************* ** ***** for **** *********** *** processors ** **** '******* and *********** ***********' ********* 'appropriate **********' - ** is *** ***** *** products."

 

******, *** **:*********** *** ** ***** blast ** *********** ******** ** ***** the "*****" ** ** certified ** *Ü* ** its *****.

Comments (17)

Great read. Not just from a Dahua perspective but with relation to GDPR in general. It's not just what you buy, it's how you deploy it. 

I've checked my emails but don't seem to have received IPVM's updated T&Cs for my acceptance, that are required by GDPR. Could it be that IPVM are now contravening the GDPR? Surely not.....

On a practical note, the whole thrust of how GDPR affects CCTV is in regards to the protection of the data stored and the justification for gathering it and retaining it.

I'm sick of idiots claiming their equipment is GDPR compliant. My ashtray is compliant....so what? It's all about data, not about hardware.

 

GDPR does not actually state that emails should be sent out with revised T&Cs. All it has done is drive a massive amount of additional 'almost spam' notification emails. Companies should have thought about this more carefully placing notices on websites confirming acceptance rather than cramming the Internet!

That is only correct where the existing T&Cs relating to the use of personal data are already 100% GDPR compliant. In the vast majority of cases, this has required changes to be made - hence the ridiculous amount of emails. In fairness GDPR has been on the way for many years so the last minute dash had been entirely unnecessary. It still leaves the question as to whether IPVM are ahead of the game or behind - only a bedtime read of the T&Cs will confirm this - or of course, Jon could confirm?

 

Who assesses if the GDPR is 100% compliant? The point I am making is that everyone has had over two years to get their act together. Yes, there is significant scaremongering, however, the plethora of emails requesting acknowledgement is ridiculous. In most cases I delete them as I know who I want to be registered with and unsubscribe if I do not. Simple as that. Let us all stop these bloody GDPR emails. Please.

Can't agree anymore. The number of emails flying in is simply ridiculous. The scaremongering with massive fines has definitely put the 'fear of god' into many DPOs in the various organisations. When it comes to CCTV I am looking at this as GDPR 1.0 and I would imagine that GDPR 2.0 would not be far away after a few court cases go horribly wrong for example.

It's worrying though as we have been asked are your products GDPR compliant yes or no many times. It shows that there is a lot left to do when it comes to educating the market.

It seems like every time these regulatory requirements come up there is a company willing to cash in on a false certification.

Agreed, they're banking on customers taking their word for it, rather than doing the kind of research we can be glad IPVM does.

It's like they're willing to lie to get in the door to sell their products, without any thought to what the backlash may be if the same customer finds out they aren't compliant after spending all of that money.

 

Our experience with Dahua is that they are highly incompetent. I am not excusing what they did with this press release but that's certainly a factor that they don't understand technical details or consider nuances in marketing, etc. 

When you look at TUV's marketing, it is pretty clear TUV understands that they cannot directly claim GDPR compliance or certification, so they use qualifications like 'derived from'. By contrast, Dahua misses it. My best guess is that it is a combination of incompetence and willful ignorance.

Our experience with Dahua is that they are highly incompetent. I am not excusing what they did with this press release but that's certainly a factor...

Only with Dahua could calling a company “highly incompetent” be confused with making an excuse for them ;)

Black image from the camera should be GDPR compliant, no?

Genetec was more cautious in its claims, limiting it to a specific GDPR related feature while avoiding the claim in its headline, contra Dahua, that its products were “certified to comply with the GDPR”.

Still Genetec does make the compliance claim,

Additionally, this re-certification comes with the special distinction that the Privacy Protector software is 'GDPR-ready', meeting the highest certifiable compliance with the European Union (EU) privacy standards," added Meissner.

For a software or hardware product to obtain the 'GDPR-ready' European Privacy Seal, the source code is tested to ensure that there are no vulnerabilities that can be exploited or hacked to suspend privacy protection (destructive anonymization), assuring that product conformity with the GDPR is verified. It is crucial that the examination is conducted by an independent and impartial institution, and that all criteria are made public. The EuroPriSe seal is valid for two years and must be re-awarded after its expiration. This assures that the product always complies with the latest EU privacy laws and policies.

Minimizing Genetec’s culpability because they didn’t put it in the headline doesn’t seem to square with 

The reason is that no products can be, as the EU does not 'certify' nor endorse products as 'compliant'.

In any event, do you think that they purposefully avoided putting the claim in the headline for that reason?

 

Putting something in a headline is far more powerful than putting it midway through the body, simply because headlines get read 10x or more than sentences in the middle of an announcement.

Let's try another scenario. Dahua does not issue this press release but an RSM tells you personally at an ADI counter that they are GDPR compliant. Both are wrong but clearly this latter scenario is far less serious / misleading than being the title of a marketing campaign.

Putting something in a headline is far more powerful...

Agreed, more powerful. Both were official corporate communications, however. Also, I don’t think that Genetec didn’t put it in the headline to be less misleading.

In any case, unless Genetec and Dahua, et al are to retract their compliance claims, there is simply no excuse for them to continue to dissemble.

 

Catch 22

GDPR still needs work to be CCTV specific

If you request your image, other people in frame are supposed to be masked out

The courts would view that as being able to tamper with evidence

A funny vote is not enough for this one!
