GDPR For Video Surveillance Guide
By: Charles Rollet, Published on Apr 12, 2018
The European Union’s General Data Protection Regulation (GDPR) comes into force on May 25, but there is much confusion and no clear guidelines on exactly how these new regulations will impact the video surveillance industry.
We have compiled the following guide, based on our own research into the primary sources for the regulation as well as numerous discussions, covering the following:
- GDPR basics
- Surveillance industry concerns
- New regulations / no legal precedent
- GDPR terms defined
- Public signage requirements
- Design concerns
- Impact on recording video
- Usage of biometrics / facial recognition / gender / age recognition
- Dealing with data requests from people
- Dealing with cybersecurity / vulnerabilities
- Who has 'exceptions' to the GDPR
- Do I need to get certified?
- Do I need to hire a Data Protection Officer?
- Do DPOs need a certification or some sort of qualification?
After finishing this guide, you should be able to answer our 10-question quiz on GDPR.
GDPR Basics And Industry Concerns
The GDPR regulates all companies processing the personal data of people in the EU, regardless of where the company might be based. Because video footage of someone is considered their data, the video surveillance industry is directly impacted by the GDPR.
The GDPR gives data subjects in the EU significant new rights to access and remove their data while imposing restrictions on how this data can be collected. But the GDPR itself makes no mention of how it applies to video surveillance, even as it threatens tough penalties for misconduct.
Surveillance Industry Concerns
That has led to a significant amount of uncertainty and fear for video surveillance, an industry where unprepared companies could find themselves subject to big fines. GDPR provisions like the right of people to request their data be removed or the need to obtain consent from data subjects also raise significant logistical hurdles in video surveillance, especially in areas like Artificial Intelligence / AI / Deep Learning where attempts are made at categorizing people by face, age, gender and ethnicity.
Warning - Regulations New / Imprecise / No Legal Precedent
Before reading this guide, you should be aware of the following factors:
- GDPR regulations are imprecise and can be interpreted in a number of ways. Most importantly, the GDPR makes no explicit mention of video surveillance, so we have yet to see exactly how GDPR regulations will be applied to the security industry.
- The GDPR only goes into effect on May 25th, so there are no legal precedents we can refer to in order to interpret its regulations.
- Despite the two points above, manufacturers, consultants, and many others often claim to provide fully accurate insights into GDPR compliance, something which can require paying them substantial fees. Taking their advice at face value may present risks, so we have compiled our guide using primary EU documents to the fullest extent possible rather than the opinions of third parties.
First, to get a better idea of how the GDPR affects video surveillance, here are some key GDPR terms, discussed in more detail below:
- Data controllers
- Data processors
- Data subjects
- Biometric data
Data Controllers - Video Surveillance End Users
Data controllers are the companies most directly affected by the GDPR; most of the GDPR’s compliance burden falls on data controllers. But what is a data controller? According to the GDPR, they “determine the purposes and means of the processing of personal data.” In the video surveillance context, data controllers are end users: a shopping mall equipped with a security camera system, for example, is the controller of the video surveillance data it collects. (Note: Companies that keep personal data on their employees are also considered data controllers of this specific data, so many if not all companies are “data controllers” in this narrow respect.)
Data Processors - Cloud / VSaaS, Possibly Integrators
Data processors are the companies that process personal data on behalf of data controllers. In video surveillance, cloud providers storing personal data on behalf of an end user are likely to be considered data processors. Integrators or manufacturers could also be considered data processors if they directly handle video recording data on behalf of the end user. For example, if an integrator accesses an end user’s video recording data for maintenance purposes, the integrator may be considered a data processor under the GDPR.
Data Subjects - People
These are the people being recorded on camera. The GDPR creates a host of new rights for data subjects.
Biometric Data Defined
Any technique which “uniquely [identifies] a natural person”. Video analytics techniques like facial or age recognition fall under this category.
Surveillance Design / Technology Considerations
Below, we outline the GDPR's likely impact on these key areas:
- Public signage
- Data Protection Impact Assessments
- Storage durations
- Use of biometric data (face/gender/age)
- Data requests
- Cyber security/vulnerability reporting
- Anonymization/privacy masking
- Encryption requirements
Public Signage More Important
Because the GDPR strengthens existing EU privacy laws regarding transparency guidelines mainly in Articles 12 and 13, it is more important than ever for surveillance companies to inform the public if they are recording video of them. This can be done with a sign telling people that they are being watched by cameras with any relevant contact information so data subjects can follow up.
While consultants are advising that end users at the very least put up signs indicating that video surveillance is taking place, in Article 13 the GDPR actually goes further and says the following details should also be included (“Information to be provided where personal data are collected from the data subject”):
- The identity and contact details of the data controller
- “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing”
- “The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period”
- Informing data subjects of their “right to lodge a complaint with a supervisory authority”
- The existence of the right to request access, rectification, and removal of the data
And, if applicable, also state:
- The contact details of DPO, if you have one
- If the data will be transferred to another country, the relevant safeguards in place
- Recipients of the personal data (if other than the end user)
- “the existence of automated decision-making, including profiling... and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.” (this would likely apply to things like facial recognition or other biometric techniques)
End users should also ensure all of this is clearly visible and plainly written.
Additional Design Requirement / Data Protection Impact Assessment
The GDPR imposes new design requirements as well. In the case of “systematic monitoring of a publicly accessible area on a large scale,” Article 35 of the GDPR requires that a “data protection impact assessment” (DPIA) be conducted before any system is installed, including:
- “a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller”
- “an assessment of the necessity and proportionality of the processing operations in relation to the purposes”
- “an assessment of the risks to the rights and freedoms of data subjects”
- “the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.”
DPIAs must be conducted by data controllers before any processing operation takes place. The EU’s Article 29 Working Group has specified that although there is no requirement for data controllers to publish DPIAs, it recommends publishing at least a summary of the DPIA as a best practice. Exactly where it should be published is undefined (publicly posted, website, local newspaper, etc.).
Additionally, “where a DPIA reveals high residual risks, the data controller will be required to seek prior consultation for the processing from the supervisory authority”.
No Defined Storage Durations
The GDPR has no set limits on how long data should be stored but states that data should not be kept any longer than is necessary for its original purposes. The GDPR only allows longer storage periods for “public interest, scientific, or historical research purposes” (Article 5). An end user that indefinitely stores its video recordings is likely in violation of the GDPR unless it can prove it is acting according to these reasons.
Usage Of Biometric Data Generally Prohibited (Face/Gender/Age)
All of these are considered highly sensitive data gathering techniques and are prohibited by Article 9 of the GDPR.
“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.” [emphasis added]
The Exception to Biometric Prohibition
However, the GDPR recognizes a number of exceptions to this prohibition. For video surveillance, the relevant exception is the vaguely-termed “reasons of substantial public interest.” Individual EU member states are currently defining what these public interest reasons actually mean. So far they are mostly related to law enforcement and crime prevention.
For example, under the GDPR, a shopping mall would likely be prohibited from using facial recognition on its cameras to identify every shopper walking through the mall. A shopping mall could conceivably use facial recognition technology more generally as long as its use is deemed by the EU member state to be:
- “necessary for reasons of substantial public interest”
- “proportionate to the aim pursued”
- respectful of “the essence of the right to data protection”
- providing “suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.”
So a shopping mall using face recognition only to catch shoplifters may or may not be deemed to be within GDPR constraints, depending on the EU state’s interpretation of the aforementioned points. However, a mall using face recognition on all shoppers with no particular public interest goal would likely be in breach of the GDPR. (All quotes are from section 2(g) of Article 9.)
Dealing With Data Requests From Subjects
Articles 12-22 of the GDPR give data subjects extensive rights to their own data, including the right to obtain all personal data collected about them and the right to request that this data be deleted (“the right to be forgotten”). These services must be provided by companies free of charge. Video surveillance companies, in particular, must be careful not to give away others' personal data when they comply with such requests, for example by providing video to a data subject that identifies other people as well.
Given the huge scope of video recording, there are understandable concerns from the surveillance industry that these rights will be impossible to comply with in practice.
However, these rights have important qualifications that would likely apply in the case of video surveillance, explains Jon Baines, chair of the National Association of Data Protection and Freedom of Information Officers and Data Protection Advisor at Mishcon de Reya LLP. For one, the GDPR states that if the request is too vague and the end user “is not in a position to identify the data subject” it is not obligated to comply. Companies can also deny or charge fees for requests that are “manifestly unfounded or excessive.” End users are also not obligated to comply if the data was collected in the public interest, something likely to apply to video surveillance of public places. Any denial of a request to a data subject must be explained.
Companies also have one month to respond to such requests from data subjects. Since most video surveillance data is kept for less than a month, this means many requests for video surveillance data will likely be impossible. The one month period is also a potential loophole that end users can exploit to deny information requests. Exploiting such a loophole may be risky since it could be interpreted as violating the spirit of the GDPR, but that has not stopped some we have spoken to from saying they plan on using it.
Dealing With Cyber Security / Vulnerabilities
The GDPR strictly regulates data breaches. Breaches must be reported if they “pose a risk to an individual’s rights and freedoms.” It does not matter whether those freedoms are actually breached or not; the risk just needs to be there.
Data controllers have 72 hours to inform their country’s data protection authority about the breach, and if the breach directly affects certain data subjects, the controller must inform them as well. However, if the data controller has effective encryption measures in place or ensures the risk is no longer likely to materialize, it is not obligated to inform data subjects of any risk to their personal data. If informing every data subject of a breach is logistically difficult, the GDPR also allows “a public communication or similar measure” to be issued.
Data processors also must report data breaches to their data controllers, although the GDPR does not specify a time limit in those cases.
It is unclear if manufacturers that have suffered data breaches before would be affected by these provisions of the GDPR. The breach regulations only apply to data controllers and processors, and we do not know yet if manufacturers (who do not directly handle the personal data of people in the EU) will fall under those categories, except for cloud providers, whose services are likely considered data processing.
The GDPR has no provisions stating whether data breaches will be publicly announced by supervisory authorities or not. At the very least, this information will likely be available for people to request according to EU freedom of information guidelines.
When Is Anonymization/Privacy Masking Required?
The GDPR’s Article 25 mandates the “pseudonymisation and encryption” of data to ensure that data protection is “by design and by default.” Because of these caveats, it seems the GDPR encourages this more than it mandates it. In video surveillance, pseudonymisation (i.e. anonymization) would most likely mean masking or blurring the faces of data subjects.
The GDPR does not explicitly state when anonymization is required. However, as explained in Article 25, the goal of the GDPR is that “only personal data which are necessary for each specific purpose of the processing are processed”. This means that subjects outside of the specific, original intent of the camera should not be recorded (e.g., subjects walking in the background of a scene) or should be anonymized.
What Encryption Is Required?
The GDPR describes effective encryption methods as “those that render the personal data unintelligible to any person who is not authorized to access it.” However, it is unclear exactly what this means in video surveillance. It likely implies users should employ very basic security methods, such as complex passwords, account lockout, etc., to avoid unauthorized access. More advanced methods such as streaming video via HTTPS or TLS tunnels are likely not required, but are applicable.
Do I Need To Hire A Data Protection Officer?
There is some concern that every company which processes the data of people in the EU will need to hire a full-time Data Protection Officer to independently ensure the company’s data policies are GDPR-compliant.
The EU Commission has stated that if a company’s “core activities involve processing of sensitive data on a large scale or involve large scale, regular and systematic monitoring of individuals” it should have a DPO. A DPO is mandatory, for example, for “a security company responsible for monitoring shopping centres and public spaces,” the EU Commission states.
It thus seems quite likely that end users which monitor large public spaces will need DPOs. However, neither the EU Commission nor the GDPR defines what “large scale” actually means. Additionally, DPOs can be outsourced from other companies and can even be a staff member from the firm’s own ranks; they can work part-time as well.
Do DPOs Need Certification Or Other Qualifications?
Nowhere in the GDPR is it stated that DPOs need any sort of formal certification or qualification.
The EU's Article 29 Working Party (an official EU advisory body) published some guidelines on DPOs in December and stated that “DPOs should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR. It is also helpful if the supervisory authorities promote adequate and regular training for DPOs.” It also notes that “the required level of expertise [of a DPO] is not strictly defined but it must be commensurate with the sensitivity, complexity and amount of data an organisation processes.”
So far, Spain is the first and only EU country whose Data Protection Authority has released a detailed DPO certification scheme, which includes a four-hour exam and a minimum amount of work experience (or, if the DPO has no work experience, at least 180 hours of training).
Do I Need To Get Certified?
Under the GDPR, any seal or certification schemes are entirely voluntary (Article 42, section 3). Companies like Genetec are currently touting that some of their products are certified as GDPR compliant by third party schemes like EuroPriSe, but such certifications are not mandatory. These certifications are carried out chiefly to reassure clients and for PR purposes. Do not be fooled into thinking any kind of certification is mandatory to be considered GDPR compliant, for end users, integrators, or manufacturers.
Are There Exceptions To The GDPR?
Article 23 of the GDPR grants EU member states the right to restrict many of the core GDPR provisions, including the right to be forgotten, the right to obtain information gathered on a data subject, and the need to give detailed and transparent information about what sort of processing is going on. These exceptions include national security, defense, public security, ongoing legal cases, and crime prevention.
It is possible that monitoring of public spaces will be considered as providing public security, exempting surveillance providers from significant burdens. However, we just do not know yet to what extent “public security” applies to video surveillance.
What is clear from Article 23 is that, for example, someone charged with robbing a bank cannot request that the bank remove all video surveillance footage of him under the right to be forgotten, and an individual cannot request that counter-terrorism agencies hand over any video recordings they have of her.