Dahua Products Are Not GDPR Compliant, No Products Can Be

Published May 29, 2018 12:30 PM

Dahua products are neither GDPR-compliant nor certified, contrary to their marketing.

*** ****** ** **** ** ******** can **, ** *** ** **** not '*******' *** ******* ******** ** 'compliant'.

** **** ****, ***** ** *** **+ **** **** *** ***** ************ Guide, ** ******* **** ***** ** doing ****, *** ** ** ********** and *** ***** *** ***** ************* can ****** ******* ****.

Announcement *** *****

*** *** ****** *** ****’* ******** implementation **** ** *** **,***** ************* *** ** ******* *** ***** products **** **** **** “*********” ** “comply **** *** ****” ***Ü* *********.  ***** ******* **** ********* *** *** their********* ** ********” ***** *** “**** GDPR ******** [***]."

Who ** ‘**********’ *****? 

*Ü* ** * *******, ***-****** ******* ** Germany **** ******** *****-***** ************** *** inspections ** ***** **********. ** ** not **** ** *** ** ********** or *** **** *********** *********. *Ü* *** ************ ****** ** ***** ** bolster *** ******** (**** ***** ***** media: *** ********* ***** ****** ** ***** Market.)

***** ***** ******* ** *** *** “first ** ****** ***** ************ ********” to ******* **** ************* *****Ü*, ****** ******* ************ ************ ******* **** the**** ***** * *** ****** ***** **** *** **** ******* *Ü*.

'Derived ****' ****, *** ****

*Ü* ********* ****** **** *** ******* ************* ******* “*** ******* **** *** ** ****,” rather **** ******** **** ******* ****** proof ** **********, ** **** ******.

GDPR *** *************

***** *** **** ********** ************* ** *** ******* **, ** **** *** ******* *** requirements **** ******** ** ********* *** establish *** ****** ********** **********. ************, ************* ** ***** *** **** controllers *** ********** ** **** "******* and *********** ***********" ********* "*********** **********" - it ** *** ***** *** ********.

******* **’* ******* * ****** **** any ************* ******* **** ** “********* *** ********* *** * ******* that ** ***********”. *******, *****’****** ******* [**** ** ****** *********]** ******* ***** ** *** ******* about ******* *** ** ******** ************* plus ** *** **** ******* ******* from *Ü* ****** ** *** ******* and TÜV *** *** ********* ** *** multiple ******** *** ******* ** ****.

No ****** ** ***** ************** 

******** *Ü*'* ************* *** ******* ********* ***** ** ***** weight *** ** *** ****** * firm’s ********* ** **** ********* **** wrong ********* **’* ******* *********:

 

False ***** ** ********

** ********* *** ******** **** *********, Dahua ***** ******* ******* **** ******** they *** ********* ******* *** ****’* potentially **** *****. 

*** **** ********* ***** ** ** ** *% of ****** ********** ********** ***** ** ***** ** **** violated *** *****. ** ********* ** IPVM’s**** *****, ***** ***** *** *** ********* standards *** ******* ********** **** ********* authorities **** *****’* * ****** ** providing ****** **** ***** ******** **** if *********. 

*** ***** *******, **’* *** ******** for * ****** ** ** ‘****-*********.’ There *** ****** ** ******** ** official ****** ** ********* ****. **** is ****** *** ***** ******* ****** no ******* ** ******* *** ***** products *** ****-********* ** *** ***** place.

Other ************ ******

***** ***’* *** **** **** ******* third-party **************. *** *******,******* ********* **** **** **** *** image ******* ******** ** “*********” ** “****-*****” *** ******* *** **** ******** ** its ******, ******** ** ** * specific **** ******* ******* ***** ******** the ***** ** *** ******** [**** ** ****** available], contra *****,**** *** ******** **** “********* ** comply **** *** ****”.

***, ** ********* *****, ******* ******** effectively *** **** ***** ******* **** the **** ******* * *** ******.

*******, ***** ** * ****** ************* are ** **** ** ******* ***** certifications. **’* ***** ********* *** ********** clients, *** ****** ********** **** *** GDPR ******.

What ** **** *** ** ******** ***** ****

******* ** ******** ** ‘**********’ ******* lines, ** **** *** ** ****** you *** ********* **** *** **** is ** *** * *** ***** questions **** **:

  • **** *** ******* ******* ************* **** practices *** ********** ******** ** ****** personal **** ******** *** *******? (*** **** ********** ******* ****** ******’* ******** **** ***’* compromised. ***** *** * ******* ******* *****, ********* *** ** ******** ****** *********, ***** * ******** ******** ****** unauthorized ***** ****** *** *********** *** ****** *******.)
  • ** *** ******* **** ** ********* large ******* ** ****** ***************, **** it **** **** ********/******* ********** ************? (*** **** ********** “****************”** ***** ********** ** **** ****** peoples’ *******. **** ********** ** *** a ****** ******* ** ***** *******.)
  • ** **** ** * ******** **** breach, ** ***** * ****** ** inform *********** *** ******* ** **** as ******** ********? (**** ********** **** inform ******* “******* ***** *****” ***** ******** ***** ** * personal **** ******. ***** ********** ************* ************ ******** *****.)
  • ** ***** * ********** ****** ******** when ****** *********** ** ***** ********* techniques *** ***** ****? (********* ************* ********** **** * *** ********* exceptions.***** ** **** ******* ** ****** ************** ************* **** * *** ******** ******* through * ******* **** ** * minutes ** * *************.)

*********** *** *** ***** ****** ****** equipment **** **** ******* **** ******* to *** ********* *****. ** **** *** matter ** ***** *** “****-*********” ** someone.

 

Update, *** **:***** **** **** *** *********, **** added *** ********* **** ** ********* that ***** *** ****, ************* ** ******** *** data *********** *** ********** ****** **** actual ********:

"************, ************* ** ***** *** **** controllers *** ********** ** **** '******* and *********** ***********' ********* '*********** **********' - ** ** *** ***** *** products."

 

******, *** **:*********** *** ** ***** ***** ** Europe***** ******** ** ***** *** "*****" to ** ********* ** *Ü* ** its *****.

Comments (17)
Undisclosed Manufacturer #1
May 29, 2018

Great read. Not just from a Dahua perspective but with relation to GDPR in general. It's not just what you buy, it's how you deploy it. 

(7)
Undisclosed Integrator #2
May 29, 2018

I've checked my emails but don't seem to have received IPVM's updated T&Cs for my acceptance, that are required by GDPR. Could it be that IPVM are now contravening the GDPR? Surely not.....

On a practical note, the whole thrust of how GDPR affects CCTV is in regards to the protection of the data stored and the justification for gathering it and retaining it.

I'm sick of idiots claiming their equipment is GDPR compliant. My ashtray is compliant....so what? It's all about data, not about hardware.

 

(3)
(10)
Niall Beazley
May 31, 2018

GDPR does not actually state that emails should be sent out with revised T&Cs. All it has done is drive a massive amount of additional 'almost spam' notification emails. Companies should have thought about this more carefully, placing notices on websites confirming acceptance rather than cramming the Internet!

(1)
Undisclosed Integrator #2
May 31, 2018

That is only correct where the existing T&Cs relating to the use of personal data are already 100% GDPR compliant. In the vast majority of cases, this has required changes to be made - hence the ridiculous amount of emails. In fairness GDPR has been on the way for many years so the last minute dash had been entirely unnecessary. It still leaves the question as to whether IPVM are ahead of the game or behind - only a bedtime read of the T&Cs will confirm this - or of course, Jon could confirm?

 

(1)
Niall Beazley
May 31, 2018

Who assesses if the GDPR is 100% compliant? The point I am making is that everyone has had over two years to get their act together. Yes, there is significant scaremongering, however, the plethora of emails requesting acknowledgement is ridiculous. In most cases I delete them as I know who I want to be registered with and unsubscribe if I do not. Simple as that. Let us all stop these bloody GDPR emails. Please.

Undisclosed Manufacturer #1
May 31, 2018

Can't agree anymore. The number of emails flying in is simply ridiculous. The scaremongering with massive fines has definitely put the 'fear of god' into many DPOs in the various organisations. When it comes to CCTV I am looking at this as GDPR 1.0 and I would imagine that GDPR 2.0 would not be far away after a few court cases go horribly wrong for example.

It's worrying though as we have been asked are your products GDPR compliant yes or no many times. It shows that there is a lot left to do when it comes to educating the market.

Undisclosed Integrator #3
May 29, 2018

It seems like every time these regulatory requirements come up there is a company willing to cash in on a false certification.

(4)
Michael Gonzalez
May 29, 2018
Confidential

Agreed, they're banking on customers taking their word for it, rather than doing the kind of research we can be glad IPVM does.

It's like they're willing to lie to get in the door to sell their products, without any thought to what the backlash may be if the same customer finds out they aren't compliant after spending all of that money.

 

(5)
John Honovich
May 29, 2018
IPVM

Our experience with Dahua is that they are highly incompetent. I am not excusing what they did with this press release but that's certainly a factor that they don't understand technical details or consider nuances in marketing, etc. 

When you look at TUV's marketing, it is pretty clear TUV understands that they cannot directly claim GDPR compliance or certification, so they use qualifications like 'derived from'. By contrast, Dahua misses it. My best guess is it is a combination of incompetence and willful ignorance.

(8)
(1)
Undisclosed #5
Jun 01, 2018
IPVMU Certified

Our experience with Dahua is that they are highly incompetent. I am not excusing what they did with this press release but that's certainly a factor...

Only with Dahua could calling a company “highly incompetent” be confused with making an excuse for them ;)

(4)
Undisclosed End User #4
May 29, 2018

Black image from the camera should be GDPR compliant, no?

(5)
Undisclosed #5
May 29, 2018
IPVMU Certified

Genetec was more cautious in its claims, limiting it to a specific GDPR related feature while avoiding the claim in its headline, contra Dahua, that its products were “certified to comply with the GDPR”.

Still Genetec does make the compliance claim,

Additionally, this re-certification comes with the special distinction that the Privacy Protector software is 'GDPR-ready', meeting the highest certifiable compliance with the European Union (EU) privacy standards," added Meissner.

For a software or hardware product to obtain the 'GDPR-ready' European Privacy Seal, the source code is tested to ensure that there are no vulnerabilities that can be exploited or hacked to suspend privacy protection (destructive anonymization), assuring that product conformity with the GDPR is verified. It is crucial that the examination is conducted by an independent and impartial institution, and that all criteria are made public. The EuroPriSe seal is valid for two years and must be re-awarded after its expiration. This assures that the product always complies with the latest EU privacy laws and policies.

Minimizing Genetec’s culpability because they didn’t put it in the headline doesn’t seem to square with 

The reason is that no products can be, as the EU does not 'certify' nor endorse products as 'compliant'.

In any event, do you think that they purposefully avoided putting the claim in the headline for that reason?

 

(1)
(1)
John Honovich
May 29, 2018
IPVM

Putting something in a headline is far more powerful than putting it midway through the body, simply because headlines get read 10x or more than sentences in the middle of an announcement.

Let's try another scenario. Dahua does not issue this press release but an RSM tells you personally at an ADI counter that they are GDPR compliant. Both are wrong but clearly this latter scenario is far less serious / misleading than being the title of a marketing campaign.

(1)
Undisclosed #5
May 29, 2018
IPVMU Certified

Putting something in a headline is far more powerful...

Agreed, more powerful.  Both were official corporate communications however.  Also, I don’t think that Genetec didn’t put it in the headline to be less misleading.

In any case, unless Genetec and Dahua, et al are to retract their compliance claims, there is simply no excuse for them to continue to dissemble.  

 

(2)
Mick Brown
May 31, 2018

Catch 22

gdpr still needs work to be cctv specific

if you request your image other people in frame are supposed to be masked out

the courts would view that as being able to tamper with evidence

(1)
Undisclosed #6
Jun 01, 2018

(7)
Undisclosed Integrator #3
Jun 01, 2018

A funny vote is not enough for this one!

(1)