Dahua Products Are Not GDPR Compliant, No Products Can Be

By: Charles Rollet, Published on May 29, 2018

Dahua products are neither GDPR-compliant nor certified, contrary to their marketing.

*** ****** ** **** no ******** *** **, as *** ** **** not '*******' *** ******* products ** '*********'.

** **** ****, ***** on *** **+ **** **** *** Video ************ *****, ** ******* **** Dahua ** ***** ****, why ** ** ********** and *** ***** *** other ************* *** ****** support ****.

Announcement *** *****

*** *** ****** *** GDPR’s ******** ************** **** on *** **,***** ************* *** ** ******* and ***** ******** **** DVRs **** “*********” ** “comply **** *** ****” by*Ü* *********.  ***** ******* **** ********* who *** ***** “********* ** ********” ***** now “**** **** ******** [sic]."

Who ** ‘**********’ *****? 

*Ü* ** * *******, ***-****** company ** ******* **** provides *****-***** ************** *** inspections ** ***** **********. It ** *** **** of *** ** ********** or *** **** *********** mechanism. *Ü* *** ************ ****** ** China ** ******* *** revenues (**** ***** ***** media: *** ********* ***** ****** at ***** ******.)

***** ***** ******* ** was *** “***** ** global ***** ************ ********” to ******* **** ************* from*Ü*, ****** ******* ************ ************ Uniview **** ******* ***** * *** before ***** **** *** **** ******* TÜV.

'Derived ****' ****, *** ****

*Ü* ********* ****** **** *** ******* ************* schemes*** ******* **** *** EU ****,” ****** **** claiming **** ******* ****** proof ** **********, ** they ******.

GDPR *** *************

***** *** **** ********** certification ** *** ******* **, ** **** *** include *** ************ **** products ** ********* *** establish *** ****** ********** mechanisms. ************, ************* ** ***** for **** *********** *** processors ** **** "******* and *********** ***********" ********* "*********** safeguards" - ** ** not ***** *** ********.

******* **’* ******* * states **** *** ************* schemes **** ** “********* *** ********* *** a ******* **** ** transparent”. *******, *****’****** ******* [**** ** longer *********]** ******* ***** ** any ******* ***** ******* how ** ******** ************* plus ** *** **** minimal ******* **** *Ü* itself ** *** ******* and TÜV *** *** ********* to *** ******** ******** for ******* ** ****.

No ****** ** ***** ************** 

******** *Ü*'* ************* *** ******* ********* ***** no ***** ****** *** do *** ****** * firm’s ********* ** **** something **** ***** ********* **’* ******* *********:

 

False ***** ** ********

** ********* *** ******** GDPR *********, ***** ***** mislead ******* **** ******** they *** ********* ******* the ****’* *********** **** fines. 

*** **** ********* ***** ** ** to *% ** ****** revenue*** ********** ***** ** ***** to **** ******** *** rules. ** ********* ** IPVM’s**** *****, ***** ***** *** not ********* ********* *** broader ********** **** ********* authorities **** *****’* * breach ** ********* ****** with ***** ******** **** if *********. 

*** ***** *******, **’* not ******** *** * camera ** ** ‘****-*********.’ There *** ****** ** criteria ** ******** ****** to ********* ****. **** is ****** *** ***** reveals ****** ** ******* on ******* *** ***** products *** ****-********* ** the ***** *****.

Other ************ ******

***** ***’* *** **** firm ******* *****-***** **************. For *******,******* ********* **** **** that *** ***** ******* software ** “*********” ** “****-*****” b** ******* *** **** cautious ** *** ******, limiting ** ** * specific **** ******* ******* while ******** *** ***** ** *** ******** [**** no ****** *********], ****** *****,**** *** ******** **** “certified ** ****** **** the ****”.

***, ** ********* *****, Uniview ******** *********** *** same ***** ******* **** the **** ******* * day ******.

*******, ***** ** * reason ************* *** ** keen ** ******* ***** certifications. **’* ***** ********* and ********** *******, *** actual ********** **** *** GDPR ******.

What ** **** *** ** ******** ***** ****

******* ** ******** ** ‘certifying’ ******* *****, ** best *** ** ****** you *** ********* **** the **** ** ** ask * *** ***** questions **** **:

  • **** *** ******* ******* cybersecurity **** ********* *** encryption ******** ** ****** personal **** ******** *** avoided? (*** **** ********** ******* ****** ******’* ******** data ***’* ***********. ***** has * ******* ******* *****, ********* *** ** recently ****** *********, ***** * ******** allowing ****** ************ ***** access *** *********** *** ****** *******.)
  • ** *** ******* **** be ********* ***** ******* of ****** ***************, **** it **** **** ********/******* technology ************? (*** **** ********** “****************”** ***** ********** ** best ****** *******’ *******. This ********** ** *** a ****** ******* ** Dahua *******.)
  • ** **** ** * personal **** ******, ** there * ****** ** inform *********** *** ******* as **** ** ******** informed? (**** ********** **** inform ******* “******* ***** *****” ***** ******** ***** of * ******** **** breach. ***** ********** ************* ************ ******** *****.)
  • ** ***** * ********** public ******** **** ****** recognition ** ***** ********* techniques *** ***** ****? (Biometric ************* ********** **** * few ********* **********.***** ** **** ******* ** ****** recognition*** ************* **** * *** reporter ******* ******* * Chinese **** ** * minutes ** * *************.)

*********** *** *** ***** should ****** ********* **** they ******* **** ******* to *** ********* *****. It does *** ****** ** these *** “****-*********” ** someone.

 

Update, *** **:***** **** **** *** published, **** ***** *** following **** ** ********* that ***** *** ****, certification ** ******** *** **** *********** and ********** ****** **** actual ********:

"************, ************* ** ***** for **** *********** *** processors ** **** '******* and *********** ***********' ********* 'appropriate **********' - ** is *** ***** *** products."

 

******, *** **:*********** *** ** ***** blast ** *********** ******** ** ***** the "*****" ** ** certified ** *Ü* ** its *****.

Comments (17)

Great read. Not just from a Dahua perspective but with relation to GDPR in general. It's not just what you buy, it's how you deploy it. 

I've checked my emails but don't seem to have received IPVMs updated T&C's for my acceptance, that are required by GDPR. Could it be that IPVM are now contravening the GDPR? Surely not.....

On a practical note, the whole thrust of how GDPR affects CCTV is in regards to the protection of the data stored and the justification for gathering it and retaining it.

I'm sick of idiots claiming their equipment is GDPR compliant. My ashtray is compliant....so what? It's all about data, not about hardware.

 

GDPR does not actually state that emails should be sent out with revised T&Cs. All it has done is drive a massive amount of additional 'almost spam' notification emails. Companies should have thought about this more carefully placing notices on websites confirming acceptance rather than cramming the Internet!

That is only correct where the existing  T&Cs relating to the use of personal data are already 100% GDPR compliant. In the vast majority of cases, this has required changes to be made - hence the ridiculous amount of emails. I’m fairness GDPR has been on the way for many years so the last minute dash had been entirely unnecessary. It still leaves the question as to whether IPVM are ahead of the game or behind - only s bedtime read of the T&Cs will confirm this - or of course, Jon could confirm?

 

Who assesses if the GDPR is 100% compliant? The point i am making is that everyone has had over two years to get their act together. Yes, there is significant scaremongering, however, the plethora of emails requesting acknowledgement is ridiculous. in most cases i delete them as i know who i want to be registered with and unsubscribe if i do not. Simple as that. Let us all stop these bloody GDPR emails. Please. 

Can't agree anymore. The number of emails flying in is simply ridiculous. The scaremongering with massive fines has definitely put the 'fear of god' in to may DPOs in the various organisations. When it comes to CCTV I am looking at this as GDPR 1.0 and I would imagine that GDPR 2.0 would not be far away after a few court cases go horribly wrong for example.

It's worrying though as we have been asked are your products GDPR compliant yes or no many times. It shows that there is a lot left to do when it comes to educating the market.

It seems like every time these regulatory requirements come up there is a company willing to cash in on a false certification.

Agreed, they're banking on customers taking their word for it, rather than doing the kind of research we can be glad IPVM does.

It's like they're willing to lie to get in the door to sell their products, without any thought to what the backlash may be if the same customer finds out they aren't compliant after spending all of that money.

 

Our experience with Dahua is that they are highly incompetent. I am not excusing what they did with this press release but that's certainly a factor that they don't understand technical details or consider nuances in marketing, etc. 

When you look at TUV's marketing, it is pretty clear TUV understands that they cannot directly claim GDPR compliance or certification, so they use qualifications like 'derived from'. By contrast, Dahua misses it. My best guess it is a combination of incompetence and willful ignorance.

Our experience with Dahua is that they are highly incompetent. I am not excusing what they did with this press release but that's certainly a factor...

Only with Dahua could calling a company “highly incompetent” be confused with making an excuse for them ;)

Black image from the camera should be GDPR compliant, no?

Genetec was more cautious in its claims, limiting it to a specific GDPR related feature while avoiding the claim in its headline, contra Dahua, that its products were “certified to comply with the GDPR”.

Still Genetec does make the compliance claim,

Additionally, this re-certification comes with the special distinction that the Privacy Protector software is 'GDPR-ready', meeting the highest certifiable compliance with the European Union (EU) privacy standards," added Meissner.

For a software or hardware product to obtain the 'GDPR-ready' European Privacy Seal, the source code is tested to ensure that there are no vulnerabilities that can be exploited or hacked to suspend privacy protection (destructive anonymization), assuring that product conformity with the GDPR is verified. It is crucial that the examination is conducted by an independent and impartial institution, and that all criteria are made public. The EuroPriSe seal is valid for two years and must be re-awarded after its expiration. This assures that the product always complies with the latest EU privacy laws and policies.

Minimizing Genetec’s culpability because they didn’t put it in the headline doesn’t seem to square with 

The reason is that no products can be, as the EU does not 'certify' nor endorse products as 'compliant'.

In any event, do you think that they purposefully avoided putting the claim in the headline for that reason?

 

Putting something in a headline is far more powerful than putting it midway through the body, simply because headlines get read 10x or more than sentences in the middle of an announcement.

Let's try another scenario. Dahua does not issue this press release but an RSM tells you personally at an ADI counter that they are GDPR compliant. Both are wrong but clearly this later scenario is far less serious / misleading than being the title of a marketing campaign.

Putting something in a headline is far more powerful...

Agreed, more powerful.  Both were official corporate communications however.  Also, I don’t think that Genetec didn’t put it in the headline to be less misleading.

In any case, unless Genetec and Dahua, et al are to retract their compliance claims, there is simply no excuse for them to continue to dissemble.  

 

Catch 22

gdpr still needs work to be cctv specific

if you request your image other people in frame are supposed to be masked out

the courts would view that as being able to tamper with evidence

A funny vote is not enough for this one!

Read this IPVM report for free.

This article is part of IPVM's 6,298 reports, 840 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

UK ICO Approves Unconsented Facial Recognition At Security Conferences on Feb 05, 2020
The UK's data protection agency has declined IPVM's GDPR complaint against Dahua for using face recognition without consent at IFSEC last year,...
Arcules CEO Retracts False GDPR Claim + Dahua and Milestone Claims Examined on Dec 03, 2019
Arcules CEO has retracted a false claim about his organization being a "fully compliant GDPR company" after IPVM reporting (Arcules CEO Threatens...
France Declares School Facial Recognition Illegal Due to GDPR on Oct 31, 2019
France is the latest European country to effectively prohibit facial recognition as a school access control solution, even with the consent of...
Milestone "GDPR-ready" Certification Claim Critiqued on Aug 12, 2019
Milestone is touting that its latest XProtect VMS is "GDPR-ready" with a 'European Privacy Seal'. However, our investigation raises significant...
New GDPR Guidelines for Video Surveillance Examined on Jul 18, 2019
The highest-level EU data protection authority has issued a new series of provisional video surveillance guidelines. While GDPR has been in...
First Video Surveillance GDPR Fine In France on Jul 08, 2019
The French government has imposed a sizeable fine on a small business for violating the GDPR after it constantly filmed employees without informing...
GDPR / ICO Complaint Filed Against Dahua on Jun 27, 2019
IPVM has filed a GDPR complaint against Dahua UK's facial recognition conducted at their booth during this year's IFSEC show. In this post, we...
Nortek and SDS Fight Over Failed Settlement on Jun 05, 2019
Distributor SDS said they reached a deal with Nortek but Nortek says no settlement was reached and the suit is still on. In this post, based on...
Congressman Visits Hikvision USA, Admits Unaware of "Company's Background" Before Backtracking on May 31, 2019
A newly-elected US congressman visited Hikvision USA's office in April, posing for a photo with Hikvision's staff: A sitting US congress...
UK Camera Commissioner Calls for Regulating Facial Recognition on Apr 15, 2019
IPVM interviewed Tony Porter, the UK’s surveillance camera commissioner after he recently called for regulations on facial recognition in the...

Most Recent Industry Reports

LIVE NOW "Fever Camera" Show on Jun 02, 2020
IPVM is excited for the world's first "Fever Camera" show, to be held today Tuesday, June 2nd and Wednesday the 3rd from 11am to 4pm EDT, giving...
Smart Entry Systems Presents Cloud Multi-Tenant Access Control on Jun 02, 2020
Smart Entry Systems presented Cloud Multi-Tenant Access Control at the May 2020 IPVM Startups show. Inside this report: A 30-minute video...
Genetec Drops Support for Dahua and Hikvision on Jun 01, 2020
Genetec has dropped support for Dahua and Hikvision, citing US blacklisting and ONVIF conformance blockage, the company informed partners in an...
Dotty "Hot Or Not" Elevated Body Temperature App Tested on Jun 01, 2020
What if you could take an existing phone or tablet and transform it into "fever camera"? That is what DottyAR is doing with their strangely named...
Optris "Fever Screening Systems" Examined on Jun 01, 2020
German manufacturer Optris has been building temperature measuring instruments for industrial manufacturing for over 15 years, and thermal cameras...
Fever Camera Sales From Integrators Surveyed on Jun 01, 2020
Fever cameras are the hottest trend in video surveillance currently but how much are integrators selling them? 220 integrators answered the...
Proxy Presents Mobile Credentials For BLE Devices and Access on May 29, 2020
Proxy presented Mobile Credentials For BLE Devices and Access at the May 2020 IPVM Startups show. Inside this report: A 30-minute video...
ISC West 2020 Moves To The Basement on May 29, 2020
The twice cancelled/postponed show will now not only be held in a different month (October) but on a different floor, moving down to the...
Integrators Avoiding Coronavirus Air Travel on May 29, 2020
IPVM asked integrators if air travel is part of their 2020 plans to see how significantly Coronavirus will impact future...
Viakoo Presents Cyber Hygiene for Cameras on May 28, 2020
Viakoo presented its 'Cyber Hygiene' and 'Service Assurance' products at the April 2020 IPVM New Products show. Inside this report: A...