New GDPR Guidelines for Video Surveillance Examined

By Charles Rollet, Published Jul 18, 2019, 07:03am EDT

The highest-level EU data protection authority has issued a new series of provisional video surveillance guidelines.

While GDPR has been in effect for more than a year, how it applies to video surveillance has often been unclear, as we explained in our original GDPR for Video Surveillance Guide.

Now, these new guidelines (though not final and subject to public comment for the next two months) provide good insight and clarifications to common questions about video surveillance GDPR compliance.

In this post, we explain and analyze the new guidelines, including:

  • EDPB's Background
  • Legal Impact of Guidelines
  • Public Signage: Example Provided
  • Signage Positioning
  • DPIAs Required for Large Scale Biometrics
  • Storage: Additional Justification Required for Over 3 Days
  • Some Analytics Not Considered Biometrics
  • VIP Recognition: Consent Required from Everyone, Not Just VIPs
  • Facial Recognition: Why Notification Via Signage Likely Not Enough
  • Data Requests/Anonymization
  • No Clarity on Types of Encryption Required
  • Certification Not Covered
  • Dummy Cameras Not Covered By GDPR

EDPB ********** *** ***** ******

*** ****** ** *** new ********** ** *********** **** ********** *****, ** ****, ***** is **** ** ** each ** *******'* **** protection ****** *** *** EU's *** ***, *********** **** ********** **********. **************** ******* ** ****** comment ***** ********* *.

**** *** *** ******* binding, *** **** ***** weight ** ** **** protection *********** **** ***** to **** **** ******** on ***** ************ *****.

****** *** ****'* ********** for ********** **** ** Video *******

EDPB ***** ******* ** ****** *******

***** *** *********** ****** of *********** ****** ** be *********, *** **** recommends *********** * ***-***** approach. *** ***** ***** is *** **** ****, with *** ***** **** - **** ** ** example ***** ** *** EDPB:

**** ***** ***** ****** include *** *** ******, EDPB ******, **** **:

  • ******* ******
  • ******* ** **********
  • ******** ** **********
  • ****** ** **** *******
  • ******* ******* ** **** protection ******* (** ***)
  • ******* *** **** **** be **** ** * third *****
  • ***** ** **** *** second ***** ** ***********

Sign ****** ** ************ "****** ******** *** ********* ****"

*** **** **** ***** details ***** *** *********** of *** ***** ***** sign, ******* ******* **** the **** ** ** position *** ****:

** **** * *** that *** **** ******* can ****** ********* *** circumstances ** *** ************before ******** *** ********* ****". The sign should thus be "approximately at eye-level", near the actual zone being monitored, and presented in "an easily visible, intelligible and clearly ******** ******. [emphasis added]

*** *******, ** ***** 2019, ***** *** ****** **** ********* *** ****** ****** the ***** *** *** visible ***** ** ***** monitored:

'Second *****' *********** *******

*** ****** ***** *********** can ** ** *** form ** ** "****** accessible *****" ** *** cashier/other ******* ******** ** simply * ******. **** information "**** ******* *** other *********** **** ** mandatory ************ **** *** ****" (**** can ** ******* "********* decision-making, ********* *********" ** being **** - ****** ******** ****).

Storage: **** ************* ******** ****** ** *****

*** ****, **** *** GDPR, **** *** **** specific ******* ****** *********** but **** *** **** more ******** ** ******* that:

*** ****** *** ******* period ** ***(especially **** ****** ** *****), the more argumentation for the legitimacy of the purpose and the necessity of storage has to be provided. [emphasis added]

**** ***** **** * significant ****** (** *** guidelines *** *** *******), as **** ***-***** ***** video **** **** ** hours,***** ***** ** ** to * *****. *** ****, *******, states **** ** ***** storage ** ****** "**********" for ******** ******:

**********, *** *** ***** storing ***** ****** **** 72 *****, **** ***** mean **** ***** '****** layer' ****** ****** ******* a ***** ************* *** the ****** ******* - such ** ***** ** a ****-***** ****, ******* to ****** **** ****** requests, ***.

Data ********** ****** ********** ******** *** ***** ***** ********** ***

*** **** ****** **** any "***** *****" *** of ********** ********** ******** a ****:

********, ********* ** ******* 35 (*) (*) **** a **** ********** ****** assessment ** **** ******** when *** ********** ******* to ******* ******* ********** of **** ** * large *****.

*******, *** **** **** not **** ********* ***** what ** ***** ** 'large *****', *** ******* does *** ****, ***** defines ** ********* ****:

********** ***** *** ** process * ************ ****** of ******** **** ** regional, ******** ** ************* level *** ***** ***** affect * ***** ****** of **** ******** *** which *** ****** ** result ** * **** risk [...] ** *** rights *** ******** ** data ********

*******, *** **** ******** little ********** ******** *** DPIAs.

Biometrics: ******/**********/*** ********* *** ********** **********, *** *** ******** *********** **

*** ****'* ******* * states **** "********* **** for *** ******* ** uniquely *********** * ******* person" *********** **********, **** * *** important ********** **** ** consent ** '*********** ****** interest'.

*******, *** ****** ***** of ********* ***** ******/**********/*** analytics *** *** **** to **** *** **** as ****, ** *** EDPB ********** ***** **** such ************ *** *** considered **********, ** **** as *** ********* *** not **** ** ******** unique ******:

*******, *** *** *********** by ************ ******* ** retail *******, **** ** VIPs **** ********** ********* to ***** **********, *** store **** ****** ******* or ******* ******* * justification "***************** ** *** ******":

**** **** **** **** not **** **** *** Dahua, ******* ***** * **** complaint ********** ***** ****** *********** on ******** ** ***** without ********* *******. *** Dahua **** *** **** clearly *** **** **** of *****-**, ***-***** ***********, identifying ****** ** '********':

********* ** *** **** guidelines, **** * ****** means*********** ******** ********** **** provide *******. *** *** the ***** ****** ****** stuck ** **** **********/***/****** analytics, ** ***** ****** not ** ********** ********** at ***.

Facial ***********: ************ *** ******* ****** *** ******

*** *************** ** ****'* recent **** ********* ******* Dahua ** **** ******* the **** *** ** a ***** ****** ** its *****, ** *********** obtained '*******' **** * passerby ** **** ******:

*******, *** **** ********** do *** ******* **** this *********** '*******'. **** it ***** ** *******, the ********** *** ***** strict; **** * ******* 'passageway' **** ***** ******* might *** ** ********** 'consent' ****** ******* ********** ***********, **** ******:

***********, *** ************* *********** *** ******* *** much ******* **** * simple ****** **** ******* of *** **********, ******* information, ***, ** ***** displayed ** *****. *** conditions, ** ****** ** the ****, *******:

  • *** **** ******* ***** have *** ***** ** withdraw *** ** *** consent ** *** ****
  • Prior ** ****** *******, the data subject shall be informed thereof. [emphasis added]
  • ** ***** ** ** easy ** ******** ** to **** *******.

*******, **** ** ***** conditions *** ********** *** a ****** ****** **** the *** ***** *** in *** *****. * passerby *** ** *** to ** ******** ** the ****** *********** ***** on **********, *** *** withdrawing ******* ** ******.

******: **** **** *** apply ** ****** ***** facial *********** ***** *** enforcement *** ** ********** is *** ***** ** Article *'* ******* ************* in *** ****, *** a ******** **********, ****** *********** *********, ***** ******* ** gives ****** ******* ********.

Data ********/*************

*** **** ********** *** some ******* ** **** requests **** ** ***** to ******* ** *********** filmed ** ***** ************, stating **** ******** ***** to ** ******** (******** down ** * * hour **** ******), *** any ******* ******* ***** people ****** ** **********:

************* ** ******** ***** is * ****** ***** in ***** ************ - IPVM *** ****** *** software ********* (***** **** *****************).

No ******* ** ***** ** ********** ********

*** ********** ** *** give *** ******* ******* as ** **** **** of ********** ******** ***** to ** **** ** comply **** ****.

Certification *** *********

*********, *** **** ********** do *** ******* *** certification *******. **** ** likely ** **** ******* legally, **** ************** *** meaningless, *** *** **** itself ****** **** **** schemes ** *** "****** the **************" *** ********** in *** ***. *** more, **** *** ******** report,***** ******** *** *** GDPR *********, ** ******** Can **.

Other: ***** ******* *** ******* ** ****

**** ******** ******* **- **** *** **** even ***** ** ***** cameras? ***** *** **** regulates ******** ****, ***, by **********, ***** ******* do *** ******* ***, the ****** ** **, EDPB ******* ****** - although ***** ******** *********** may ***** ****:

Update ** ****

** **** ****** **** report **** ***** ********** are *********, ****** *** changes ** ******* ***** this ****.

Comments (12)

IANAL, but there's the concept of the "letter and spirit of the law", and regarding your Dahua complaint I think you're focusing too narrowly on the letter, and ignoring the spirit.

E.g. as I see it, the intent of the law is not to protect visitors at a video surveillance trade show from being involuntarily exposed to a demonstration of a facial recognition system. I believe the intent is to prevent data-hoarding and unwanted profiling for the small minority of regular people who care about such things as they go about their daily lives. That said, I suppose Dahua could have been more forthcoming and transparent about their data-collection (hopefully the data retention is <24 hours).

So, it might be that Dahua is in breach of the letter of the law, but I doubt they are in breach of the spirit.

My impression is that the purpose of GDPR is not to force users of video surveillance to use masking or post signage and offering opt-out options (how do you do that in the local Bauhaus?).  Instead, it seems to me that users of video surveillance need to be reminded to use a sensible and reasonable retention and data access policy, and not go on a crazy and hoard massive amounts of (unreliable) profiling data.

I see it as a (somewhat futile) attempt at letting people have some privacy and not being subjected to endless profiling, labeling and categorization (and the trade of such data). A recent example of the trend is the Florida DMV selling personal data with no apparent option to opt out.

I'd like to learn more about the minimum retention period a store would need on their video surveillance. It's a hard problem because shoplifting is detected and handled within 10 minutes, but fraud is harder to detect and is often detected long after the incident. The police may also have an interest in long retention times to help investigations.

the intent of the law is not to protect visitors at a video surveillance trade show

Then the ICO can say that if that is their position and give clarity about where it is or is not applicable. Right now, there is no clarity nor cases on facial recognition (save for ours from last year and that said it was the responsibility of each exhibitor and not that exhibitors were exempt).

Interesting signs.
Will we see them on highways before entering UK cities or just once when entering the country?

No wonder they want to leave the EU. They'll save money on signage alone 😂

"stating clearly that the goal is to position the sign: … In such a way that the data subject can easily recognize the circumstances of the surveillance before entering the monitored area".

What has perplexed me for the past 19 years about this requirement, is that most CCTV owners can only mount signage on their property. Often their cameras, naturally, view the approach to their property, so the visitor is already under surveillance before they can feasibly read the sign.

Now, trying to bring solutions to the discussion, and not merely dumping problems here, how might the owner solve this? Mount their signage way down the street on someone else's property? Probably not allowed. So, we're left with the obvious answer which is to make the sign 6 feet tall so that it is legible from the distance of first approach.

"Aah!", I hear you cry, "What is that suitable distance? Is 6 feet big enough?" <geek_mode> Might it be the distance beyond which the visitor cannot be identified, thereby maintaining their anonymity? If so, should the sign be legible at the distance for which the CCTV can "recognise" the visitor? That is, where the image gathers 125 px/m ("recognition of a known person" according to IEC 62676-4). 

I'm not aware that in all this time, any relevant authority has satisfactorily explained to us the following inconsistency. Why does the owner of a CCTV system that, for instance, only goes so far as to achieve lowly "observation" (62.5 px/m) need to jump through the hoops associated with GDPR? Well, because it deems them to be "gathering personal data". But, by definition (IEC 62676-4 again), this image will contain less than 50% of the visual information required for recognition of a person. (At least, that's what we might expect a smart defence lawyer to tell the court when he's trying to get such video evidence against his client dismissed.) So, to resolve this inconsistency between the CCTV owner and the lawyer's case, shouldn't this low resolution image be accepted as maintaining the visitor's anonymity? Therefore, no signage required in this area. </geek_mode>

Ta-da! (Pauses to bow and bathe in the applause.)

Actually the answer is much more simple. It's a matter of camera projection and setting.

If the camera is aimed correctly there is no video of the area that is not protected. Next to this privacy settings in the camera allow you to blur/block part of the image.
Put the sign at the entrance and start filming there.

It takes more work which is good, it aids the real installer.

Thanks for taking time to answer, Jonathan.

I suspect we're each thinking of different scenarios. If I understand yours correctly, then I don't disagree. FWIW, I've been using 3D CAD to model and previsualize CCTV fields-of-view since 2000, so very carefully designed layouts and lines-of-sight are clearly something you and I both take lots of time to get right.

My mental picture for the question involves, for example, a store owner whose frontage is immediately adjacent to a public street. Let's imagine they want CCTV to oversee their frontage because they've suffered vandalism, ram-raiding, etc. The cameras must, therefore, view the public on the street to have any useful view of their frontage. But where is the warning signage mounted? On their store front? If that's what they do, (because they have no realistic options other than on their own property) then anyone standing close enough to read the sign will already be in the field of view and, hence, already have their personal data recorded. Unavoidably.

As you know, of course, masking arranged on a 2D screen blocks the camera's projection, creating a block in the shape of 3D volume tapering outwards along the street. Thus, it obscures the region of primary interest, so doesn't provide the complete answer in this scenario.

Back to my original tongue-in-cheek proposal: 6-foot signs that can be read from beyond the cameras' view. But that's not a question. So, does the signage placement problem go away if the resolution of the images is sufficiently low? In my experience of the UK Data Protection regulations for CCTV then, no, owners must still deploy signage, despite 62676-4 stating that they are not sufficient to ID someone. This is a pivotal inconsistency, n'est-ce pas? Secondly, how to mount signage so that it's not already in the field-of-view? As above, often it cannot be avoided.

Good question and sorry for the delay, I was covering the conference in Sydney last week.

First of all, having your CCTV film public areas is risky in the EU. In France, a supermarket seeking to do so must make a detailed application to authorities, and private individuals are banned outright. Austria's first GDPR fine ever was for a betting shop that filmed public areas from security cameras placed at the entrance.

So if you're in a country under the GDPR, you probably shouldn't have cameras filming public areas in the first place. The EDPB guide says as much [emphasis added]:

However, the EDPB guide does recognize there may be some cases where filming public areas is necessary. In that case, using a face blurring tool or other privacy filter is important, the EDPB states:

In this scenario, in order to be GDPR compliant, you would not need to worry about having a huge sign that alerts all passersby, because if the privacy filter is working properly, none of the passersby's personal data is being collected. The GDPR only regulates the collection and processing of personal data. That's why dummy cameras are not regulated by the GDPR, as we mentioned earlier. Remember that the GDPR defines personal data as something that makes you "an identifiable natural person", meaning you can be directly identified from it. A blurred out stick figure moving across a screen is not personal data.

In terms of the specific UK regulations, you may need to follow local sign positioning rules, but as far as GDPR compliance is concerned, again, you don't need to comply with the sign positioning rule if you're not collecting personal data in the first place.

Last thing: you mentioned low resolution as a stand in for a privacy filter. I think that's a risky strategy, since there's a chance people can still be properly identified from poor-res footage (something the police do all the time). Best to stick to a privacy filter or not filming public areas in the first place.

Does this make sense? Don't hesitate if you have more questions or concerns.

That's why dummy cameras are not regulated by the GDPR, as we mentioned earlier...

Interesting, so a hybrid kit of real cameras recording to the edge of the property, and then a few dummies pointed at the public, for deterrent value, is ok?

  • Dummy cameras are not regulated by the GDPR, period. So having them 'film' public areas is not a GDPR violation, correct. But there may be country-specific regulations about that so you should refer to your country's Data Protection Authority.
  • As for the real cameras, it depends what you mean by "the edge of the property". If that includes any public areas like a sidewalk, you need to be careful and consider using a privacy filter. And even if you're filming an area that's not public, you need to put up a sign to ensure people know the area is being monitored before they enter that zone.

No problem Charles. I'm a long time in replying too.

So if you're in a country under the GDPR, you probably shouldn't have cameras filming public areas in the first place.

"Legitimate interest" within GDPR surely includes security of your property.

...the EDPB guide does recognize there may be some cases where filming public areas is necessary.

Glad to see that they do, otherwise they would be hopelessly ignorant of the real world!

...using a face blurring tool or other privacy filter is important...

Agreed, but where a store frontage is immediately adjacent to the public sidewalk (as laid out in the previous post) this completely undermines the cameras' purpose because the privacy masks drawn onto a 2D image unavoidably obscure everything in that projected 3D volume.

Best to stick to a privacy filter or not filming public areas in the first place.

If there exists a case of a pressing need where video surveillance is the only cost-effective way to address obvious security risks, then sensibly limited views into the public space must be acceptable to any sane person. Not least because they have the common sense to already know personal privacy is hardly a realistic expectation on a public street.

Hi Simon, thanks for following up!

Your point:

"Legitimate interest" within GDPR surely includes security of your property.

Security of your property, yes. But not public spaces, which are by definition not your property. That is why the EDPB recommends privacy filters, and why a small business in Austria was fined for filming a public thoroughfare.

Your other point:

but where a store frontage is immediately adjacent to the public sidewalk (as laid out in the previous post) this completely undermines the cameras' purpose because the privacy masks drawn onto a 2D image unavoidably obscure everything in that projected 3D volume.

I see your concern from a technical standpoint, however, a Data Protection Authority is unlikely to accept that as an excuse. The GDPR does not contain any sort of exception to processing personal data just because it's technically too hard to avoid it.

You also write:

sensibly limited views into the public space must be acceptable to any sane person.

personal privacy is hardly a realistic expectation on a public street.

These are commonly-held views that helped get that Austrian small business into trouble. My goal is not to say what I think makes the most common sense or what the rules ought to be. It is to inform IPVM's readers about GDPR compliance.

UPDATE: The deadline for public comments for the video surveillance guidelines finished on September 9 (I initially reported September 6, a mistake that's been fixed). The EU tells IPVM that they don't know when the video surveillance guidelines will be finalized:

At this stage, we cannot say with certainty when the process will be finalised. All contributions will now be reviewed by the relevant Expert Subgroup and the guidelines will be adapted where necessary. After this process is finalised, the guidelines will be up for adoption at the subsequent plenary session.

We will keep tracking this and update when the final guidelines are issued.
