First Video Surveillance GDPR Fine In France

By Charles Rollet, Published Jul 08, 2019, 09:12am EDT

The French government has imposed a sizeable fine on a small business for violating the GDPR after it constantly filmed employees without informing them and maintained poor encryption practices. It is the first GDPR video surveillance fine ever issued by the CNIL, France’s data protection agency, the CNIL has confirmed to IPVM.


In this post, we examine the case and what it means for GDPR compliance going forward, including:

  • France Video Surveillance Regulations Context
  • Company Background
  • CNIL Allegations
  • What GDPR Articles Were Violated
  • How the Fine Was Calculated
  • Broader Impact/Conclusion

For background, see our GDPR For Video Surveillance Guide.

Ultimately, the case shows the importance of GDPR compliance and of working closely with data authorities to address issues. However, the evidence we found shows no stepped-up enforcement of GDPR violations for video surveillance.

Context: ******* ****** ***********

** ******, ***** ************************** ******* **** *********, *** **** was *** **** ********** *** ****. *** *******, ******* ***************** ******* ******* **** **** ****** property, **** * ******** ** ***** of ***** *** *****. ** *** workplace, ******** ************ ** ********* ** prohibited - *** **** ******* ****** by ******* ** *******:

***********:***, *** *** ******* ******** ******* in *** [******] ******* *** ******** purposes.**, ** ** ********* ** ******* employees ** **** *******.

Enforcement ***

*******, ****** *********** ** ***** ************ regulations ** ***, *** **** *** not ******* ***** *** **** *** passed. ** ****, **** *** ******* in *** ***** ******* *** ***** for ***** ************ ********** ***** ** employee ********** ** * ****** ******* her ****; *** **** *** *,*** euros ($*,***). *** * ****** ******* was ***** ** ****, *** **** the **** *** ******. **************, *** ****** ** **** ***** surveillance ******* ************** **** ******** **** 47 ** **, *** ****** ******* show.

************, **** ***** ************ ************** *** typically ***** ** **********, * ****** of**** *******************, ***** ***** *** **** ** not *********** ********** *** *** *****, integrators, ** ****** *** ******** **********.

Company **********

*** ******* **** *** ***** ** called*********, * *********** **** ***** ** Paris **** **** * *********. *** revenue ** **** *** ***** $* million *** ** **** ****** ** over $***,***, *** ******** ***********.

CNIL ***********

*** **** ********* **** ** ***** its ************* ***** ** ******** ********** about *********’* ************ ******: * ***** of *, ******** *** *** *** back ** ****. ** **** ******* letters ** ********* *** ******** ** response.

****’* ***** ****** ********** **** ***** in ******** ****, *******:

* ****** ****** *** ***** *** a ******… ********* **** ***** ******** notified

******* *** ****** *** ****** **** company ******

******** ** ***** ** ****** ******* information *** [*****] ******* *** *** ensure **** ******** *** *************** (********'* computers *** *** ******* ********* *** employees ****** * ****** ***** *******)

** ****, *** **** **** ********* two ****** ** *** *** ***** issues. ** *********, ********* ******* ** a ****** **** ** *** ********* them, *** * ****** **** ********** a ***** ***** ***** ****:

*** ****** ******* ********* *** **** doing ** ********** *** ******* ************ since *** ******* ********** ** ********

** *********** *** **** ******* ** the ********* ***** *** ***** ************, which ****** ************ **** *** ******* of *** **********, ******** ** *******, and ****** ********** *** ****

*** * ****** ******** ****** *** been *** ** ***** *** *** employee's ********* *** ** ******** **** been ***** ** ****** ************ ** [who ** *****] *** ***** *****

***** *** ****** **********, ********* ******* it *** ******** **** *** *** by ******* ******* **** ** *** security ******, ******* ** * ****, and ************ ******** ********. *******, *** CNIL ********** **** *** ****** *** still ******* *** ******** ****.

**********, *** **** ****** **** ******* Uniontrad *** *** ****** ********* ****** the *** ***** ****** ** ****, and *** ******* ************** ***** ** that, * *********/****** ******* ***** *****.

What **** ******** **** ********

************, *** **** ****** **** **** GDPR ******** **** ******** ** *********:

******* *, **:******** **** ***** ** ********, ******** and ******* ** **** ** ********* in ******** ** *** ******** *** which **** *** ********* (‘**** ************’). **** ******* ******** ** *** constant ***** ************ ** *********'* *********. French ******* **** (**** ***-****) ** not ****** ****, ****** *** **** the **** ***** "*********** *************", **** as ****** ********* ************, *** * translation ******* **** *** *******, *** CNIL ******. *** **** ***** ****** laws ** ********** ********** *********, *******'* ************ *** **** *********** * $*.* million **** ** * ****** *** "excessive ***** ************."

******* **:*********** ***********, ************* *** ********** *** the ******** ** *** ****** ** the **** *******". *.*. ********* *** *** *********** to *** ********* ***** *** ***** surveillance ****** *****.

******* **:*********** ** ** ******** ***** ******** data *** ********* **** *** **** subject.******* ** ******* **. ********* *** not *** ** * ******* ******* sign ********* ********* ** *** **** processing ****** *****, *** ****** ** contacted *** **** *******, ******* ********, etc. *** ****'***** *** ***** ************ ******** **** ***** **** **** ** information ****** ** *** ** ** such *****.

******* **:******** ** **********: *** ********* ***** implement *********** ********* *** ************** ******** to ****** * ***** ** ******** appropriate ** *** ****. **** ****** ** *********'* **** of ********* ** ******* *********, ***** CNIL ****** "*** *** ****** *** security ** ******** ****".

How *** **** *** **********

***** *******'* ******* **,* ******* **** ** ** ******* euros ($**.* *******) ** *% ** global ****** ******* ** *********, ********* is ******. ***** **** ** "effective, *************, *** **********".

*** **** ********* ********** * **** of **,*** ***** ($**,***). ****** **********'* ***** ***** ************ **** ****,*** **** *** *** ***** * breakdown ** *** **** **** ********* cost. *** **** ****** *** ******* attributed ** *** ******** ********** ***** Uniontrad ***** **** *** *** ******* to **** **** **** ************* ** fix *** ******, **** *** **** stating:

*** ******* - ******** ** **** it ****** - ***** ******** ************ with *** **** ***** *** ****** process *** ******* ***** ***.

*******, ********* **** **** * **** was "****************" ***** ******* ** *** to *** *******'* **** ********* *********. The **** ****** *** ******* ** fine ********* **,*** ***** (***** $**,***). Part ** *** ********** *** *** the **** ** ** **** ****** - **** ** *** * *** practice, ** *** ** **** **** this **** ********** **** *****.

Broader **** ************

*** ********* **** ********* *** ********** of **** **********. **,*** ***** *** a *****, *****-****** ******* ** * big *** *** ** *** ******* video ************ **** *** **** *** issued ***** ** ***** ****, ********* to ********* ******** ** *********.

*** **** **** ** **** ********** that ********* *** ******* ** ***** how *** *** *** ***** **** protection *********** * *** *** **** sophisticated ******* ** ****** ******* *********; prior ** *** ****, ***** ************ violations **** ******* ****** *************'* ***** **** ** *** *** personal *******.

*******, *** ****'* ******* ****** *** be *****. *********** ** *** **** stringent. ** ********* *******, **** ***** surveillance ***** **** **** *** **** the **** ******, *** *** ****** of ***** ************ ************** ******** ************* (47 ** **) **** **** ** 2018.

**** ***** *** **** ******** ** it *** ******** ** *** *********** of ***** ************ *********** *** ** the ****. **** **** ** - the **** ****** ****** ** *** GDPR (** *********** *****) ** *** maximum ********* **** ***** ****** ** 20 ******* ***** ** *% ** global ****** ******* - ********** * big ******, *** ********** *** ******* players, ********** ***** *** **** ****** mandates **** ***** ** "*************".

Comments (15)

Ouch.  I have been asked many times lately how likely it is that the US or Canada adopts something similar to GDPR.  In my opinion under the current administration, this is unlikely.  However, should the bar shift slightly toward the left in the next few years it is a possibility.

Another question that has come up that I do not have an answer for - if EU residents visit a corporate headquarters in the US does GDPR apply to that EU resident?


If they find a way to make money from a GDPR implementation it will definitely have a use case in the US.


My understanding of GDPR is that it applies to EU citizens wherever they are. However, they can only impose a fine on a non-EU company if they also operate in the EU.

The result being that bigger companies are adopting privacy guidelines that are broadly in line with GDPR regardless of what is adopted in the US.

Bill


However, they can only impose a fine on a non-EU company if they also operate in the EU.

they should change that right away.  

imagine the potential targets and associated revenue stream possible if they could fine, for example, a Japanese company doing business in Egypt ;)


Another question that has come up that I do not have an answer for - if EU residents visit a corporate headquarters in the US does GDPR apply to that EU resident?

Would they not fall under the local laws? An American traveling to an EU office would have GDPR apply, but not the other way around as it's a European law.

At least that's how I understand it. Otherwise I, a Canadian, should be able to smoke pot in any country I want, since it's legal in Canada.


Hi everyone, this is a good question that comes up often. Do I have to comply with the GDPR for every EU citizen/resident, no matter where they are? If my pizza parlor in New York City has a security camera that filmed a Belgian tourist, does that tourist now have the right to submit a GDPR complaint?

The answer is no. The GDPR does not mention "EU citizens" or "EU residents" anywhere. The GDPR "applies to the processing of personal data of data subjects who are in the Union [emphasis added]", according to Article 3 ('Territorial Scope'). So that means people - regardless of citizenship or residency - within the EU are protected by the GDPR. If they leave the Union, they are not.

 


So a manager can stand and look at the desks but can't see it via video, can't see the difference. With 9 employees I would suggest something else must have been going on here like a vendetta of some kind.

Still even more odd is why would you not just disconnect it. Leaving it there. The employees think it's working and the CNIL are happy.

 


Even before RGPD, the laws were really harsh for any security system in France, or any data connection, database or information; in fact the CNIL was created in 1978 with the mission of protecting personal data and enforcing the law about data protection, protecting public privacy and so forth...

Anyhow, in France a lot of companies are thinking of GDPR as a buff up of the previous 1978 law (i.e. "loi informatique et libertés", which translates as "law on Information Technologies and Liberty"), with more capacity for fines.

 

In this case, even if the camera were physically present but non-working, the company would have to tell their personnel whether the camera is working or not if they request the information, else they would still have the right to contact the CNIL for a real check on those.

 


In this case, even if the camera were physically present but non-working, the company would have to tell their personnel whether the camera is working or not if they request the information, else they would still have the right to contact the CNIL for a real check on those.

so can GDPR apply to dummy cameras? 

wow.


GDPR does not apply to dummy cameras, but in enterprise installations the local law applies (therefore the employee has the right to know if he's being watched or not).

So in this particular setting the efficiency of a dummy camera to make the employees think they are under surveillance is close to 0.

 

 


would this likely be another French GDPR violation?

(Not the cheating, which is a FIDE violation, but just the image).


I read a few of the articles on this topic but could not find who took this photo. Did you?


No.  I would guess it’s a picture taken by someone who suspected the Grandmaster was cheating, and then posted it anonymously because they knew it was likely illegal to capture.

question: does GDPR apply to the actions of a single person, taking a still photo?


Any kind of personal data being processed within the EU falls under the GDPR. So yes, the GDPR 'applies' to a still photo of a person, as long as that person is identifiable and is in the EU. However, that doesn't mean the photo of the grandmaster is somehow banned by the GDPR. The GDPR is very broadly-worded, and article 6 gives a number of situations where processing is permitted, including:

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. [emphasis added]

So the argument now becomes whether the "fundamental rights and freedoms" of the data subject overrides the "legitimate interest" of taking the photo, i.e. showcasing cheating.

That is such a broad debate that any question regarding the legality of the grandmaster's photo would be resolved not by interpreting the GDPR but by referring to France's existing privacy laws. France already has tough laws about publishing images of someone without their consent. For example, after the Paris concert hall massacre of 2015, a man pictured fleeing the aftermath sued the photojournalist who took the picture, citing French privacy laws; the case was dismissed, as the photo was considered part of legitimate newsgathering.

So basically, any legal case made by the grandmaster (if he sued) would most likely rest on interpretations of existing French privacy laws - which already address these types of situations - rather than the GDPR itself.

 


Charles, very helpful!

At least from the American perspective, I think the question / concern would be setting up a camera in a bathroom stall, at all, where it is generally, at least, perceived to be off limits. For example, who else was in that bathroom and what else did this camera record? I am not sure this will come into play in this case, given the admission of cheating, but it is a pretty stunning tactic to set up a camera of someone inside a bathroom stall.
