Author: Marko Djuric
It would be an understatement to say that much has changed since the first surveillance camera in history was set up in Germany in 1942 to monitor missile launches during the war. With the rapid development of technology over the next 79 years, we have come to a point where an estimated one billion surveillance cameras are watching us in the world (IHS Market report published by The Wall Street Journal) that have a variety of use and technologies. Given this prevalence, most of us take video surveillance systems for granted when we enter a bank, cafe, store, pharmacy, workplace, or walk past someone's video-monitored home.
Today, video surveillance systems have the potential to be used for more than just enhancing security, and they serve, among other things, for marketing purposes, consumer analysis, monitoring employee efficiency, protection of life and health, etc.
The increasing use of video analytics makes video surveillance systems highly efficient. However, there is also a potentially much greater invasion of the privacy of recorded individuals whose data are consequently processed, especially in more complex systems that use biometric technologies.
In recent years, we have witnessed the growth of popularity and availability of such technology, with the tech entering private homes, combined with smart devices, drones, and camera portability; consequently, the risk of invading individuals' privacy is growing. In contrast, the necessity of responsible and lawful application of such technologies comes to the fore.
Therefore, it is, above all, essential that data controllers take all the necessary measures to ensure legal and transparent processing of personal data and measures aimed at preventing the misuse of such systems, while data subjects whose personal data are being processed are advised to be well acquainted with their rights.
I want to set up video surveillance in my home or my business property. Which legal sources apply in this particular case?
The processing of personal data through video devices is regulated by the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), while in the Republic of Croatia the Act on the Implementation of the General Data Protection Regulation is in force, which ensures the implementation of the Regulation in question, which, among other things, contains special provisions on the processing of personal data through video devices, provisions on video surveillance of residential buildings, public areas and processing for statistical purposes, and provides for administrative fines when provisions are breached.
In addition to the GDPR and the Implementing Act, an important legal source is provided by the European Data Protection Board, an independent European body established to monitor and ensure consistent application of the GDPR, which issued Guidelines 3/2019 on the processing of personal data through video devices adopted on 29 January 2020 (“the Guidelines”), and there are naturally opinions and recommendations of the Croatian Personal Data Protection Agency (AZOP), an independent public supervisory body in Croatia, as well as the European Court of Justice.
General Data Protection Regulation Scope of Application and the so-called "household exemption"
It is important to emphasize that the GDPR does not apply to the processing of personal data that has no reference to a person, e.g., if an individual cannot be identified, directly or indirectly. Thus, for example, the Guidelines state that the GDPR "is not applicable to fake cameras," and high-altitude footage falls under the scope of the GDPR only "if the data processed can be related to a specific person."
Also, the processing of personal data by a natural person in the course of a purely personal or household activity is out of the scope of the GDPR (Article 2 (2) (c)). However, this provision of the so-called household exemption must be interpreted narrowly in the context of video surveillance, relating only to activities carried out in the context of the private or family life of individuals. Namely, this is clearly not the case with the processing of personal data, which involves their publication on the Internet in such a way as to allow access to such data to an indefinite number of people or if the video surveillance system covers (even partially) a public space. Such processing cannot be regarded as a purely personal or household activity (European Court of Justice, Cases C-101/01 and C-212/13).
Therefore, video devices that monitor people's homes can fall under the scope of the so-called household exemption. However, the user of the video device must, according to the Guidelines, consider whether he has a personal relationship with the data subject, whether the scale or frequency of the surveillance suggests professional activity on his side, and whether surveillance can potentially have an adverse impact on the data subjects.
For instance, if you set up video surveillance at home to monitor your yard, which is fenced, and only you as the data controller and your family members regularly stay in or enter the yard, such a situation falls under the scope of the household exemption. In doing so, no part of the public space or adjacent property may be covered by surveillance (even partially or for a limited period).
For what purpose do you want to set up video surveillance?
Before processing data, it is crucial to determine its purpose, which must be specific, explicit, and lawful, and the data must not be processed for a purpose that is not in accordance with the established purpose. In this particular case, the purpose of setting up video surveillance will most often be to protect the property of an individual or a legal entity and to gather evidence for the purpose of initiating private lawsuits.
For instance, each cafe or restaurant must specify a specific purpose for the data processing for each surveillance camera in use in writing, and according to the Guidelines, simply stating a general term such as "security" is not a sufficiently specific purpose.
As for the legal basis for data processing, it will most often be the legitimate interest of the data controller or the necessity to perform a task of public interest or in the exercise of official authority, while only in exceptional cases the legal basis of processing will be consent.
Do you have a legitimate interest in setting up video surveillance?
Video surveillance will be lawful if it is necessary to meet the purpose of the legitimate interest of the data controller (e.g., restaurant, shop), except when these interests are overridden by the interests or fundamental rights and freedoms of data subjects in need of personal data protection, especially if the data subject is a child (Art. 6 (1) (f) of the GDPR).
It is important to emphasize that a legitimate interest must really exist and relate to a problem that really exists, i.e., it may not be speculative. In other words, setting up video surveillance must be justified, and this will be, for example, if in the past a specific restaurant, cafe, or shop has been damaged, or there has been theft, vandalism, and the like in the immediate vicinity. The European Board's Guidelines in this regard recommend that data controllers record such incidents, as they are the critical evidence of the existence of a legitimate interest. The need for supervision needs to be re-evaluated periodically, and according to the Guidelines, the mere presentation of crime statistics without analyzing the relevant area and the dangers that threaten a particular business entity is not enough. On the other hand, it could be said that shops selling expensive goods are in a situation of imminent danger, which may constitute a legitimate interest in video surveillance. Thus, a case-by-case assessment is always required.
Is video surveillance setup necessary?
Before setting up video surveillance, each data controller must go through a process of critically questioning whether video surveillance is appropriate to achieve the desired goal and whether this surveillance measure is reasonable and necessary to achieve the established purpose (e.g., theft protection).
The European Board's Guidelines in this regard state that "video surveillance measures should only be chosen if the purpose of the processing could not reasonably be fulfilled by other means which are less intrusive to the fundamental rights and freedoms of the data subject."
For instance, if you primarily want to prevent property-related offenses, you could also take alternative security measures that you need to consider, such as hiring a security guard, setting up a fence, lighting, security doors, alarms, etc.
Also, video surveillance for property protection purposes is generally considered necessary only within the property boundaries. However, there are certain exceptions when surveillance can be extended to the property's immediate surroundings, which implies the use of technical means such as blocking out these areas or pixelation.
If you want to protect the premises of your cafe from vandalism, the cameras you set up should be aimed exclusively at the facility itself because, for this purpose, it is not necessary to record public space in the immediate vicinity or any neighboring facilities.
Balancing interests is always necessary!
In any case, video surveillance may be set up only if the data controller's legitimate interests prevail over the fundamental rights and freedoms of the data subjects. Therefore, it is crucial that in each specific situation, the data controller considers the extent to which video surveillance affects individuals' fundamental rights and freedoms and whether this leads to a violation of their rights.
For example, it is not allowed to install video surveillance in a toilet or locker room to control the tidiness, i.e., to maintain hygiene, because in that case, the rights of the data subject, without any doubt, override the interest of the restaurant, cafe, or gym as data controllers.
Be transparent
The Guidelines emphasize that data subjects must always be informed of the video surveillance being in operation and of the areas under video surveillance by using a multi-layered approach in accordance with which methods to ensure transparency can be combined.
Namely, Article 29 Working Party’s “Guidelines on transparency under Regulation 2016/679 (WP260) state that “…in light of the volume of information which is required to be provided to the data subject, a layered approach may be followed by data controllers where they opt to use a combination of methods to ensure transparency”. Furthermore, “layered privacy statements/notices can help resolve the tension between completeness and understanding, notably by allowing users to navigate directly to the section of the statement/notice that they wish to read.” (WP260, par. 35).
The most important information should be highlighted on the warning sign, which will usually be provided in combination with the camera icon/photo. It should also convey essential information such as the purpose of processing, the identity of the data controller, the existence of data subjects’ rights, and information on processing effects. In addition, they must refer to a more detailed second layer of information in a digital and non-digital form and where and how to find it (leaflet, QR code, or website). The warning sign should also include, for example, information on data transfer to third parties.
For a store owner, this means they must place a warning sign with the information of the first layer in a visible place at the entrance. In addition, they must display a leaflet at the cash register containing the information of the second layer and possibly a link to their website.
Better Safe Than Sorry!
Suppose you introduce video surveillance to your home or commercial property. In that case, you must additionally consider the regulations governing the disclosure of video footage to third parties, processing of special categories of data, rights of data subjects, data storage, the obligation of erasure, and special provisions prescribed by the Act on the Implementation of the General Data Protection Regulation. Otherwise, in case of breach of these provisions, you risk administrative penalties in the amount of approx. EUR 6,700,00.
Therefore, following the saying "better safe than sorry," whether you are considering installing cameras, i.e., video surveillance in your home or as part of your business, be sure to consult with experts and familiarize yourself with the regulations governing this issue for the processing of data to be lawful, transparent, and exclusively for permitted purposes.
