In July 2019, the European Data Protection Board (EDPB) adopted draft Guidelines on processing personal data through video devices (the Guidelines). The Guidelines provide guidance on how to apply the EU General Data Protection Regulation (GDPR) when personal data is processed through video surveillance. The Guidelines are currently open for consultation until 9 September 2019. The final version of the Guidelines is expected later this year.
The scope of the Guidelines encompasses the use of video devices that collect personal data. Two uses fall outside the scope of the Guidelines: video devices used by EU competent authorities to process personal data for the purposes of prevention, detection or prosecution of criminal offenses or the execution of criminal penalties, and video devices used for household purposes.
The household exemption determines that purely personal or household activities are out of scope of the Guidelines. Video surveillance activities that process personal data in the course of the private or family life of individuals, and whose footage is not made publicly accessible, fall under the household exemption.
The Guidelines reiterate that a legal basis under GDPR must be determined in order for controllers to process personal data specifically related to video surveillance. However, the Guidelines highlight some subtle differences as to how a legal basis may be applied.
Firstly, video surveillance based on the mere purpose of "safety" is no longer sufficient or specific enough. The purpose of using video surveillance must be explicit and documented.
Secondly, controllers who claim to have a legitimate interest and necessity under Article 6 (1) (f) GDPR must (as always) consider whether their legitimate interest is compelling enough to override the interests, rights and freedoms of the data subject. The reasonable expectations of data subjects will play a role in this balancing test. For instance, it is reasonable for a data subject to not expect to be under surveillance in a sanitary facility, but it is reasonable for the data subject to expect to be under surveillance at an ATM or a bank.
Likewise, the video surveillance must be necessary, meaning that other, less intrusive means would not suffice. This covers not only the necessity of using video surveillance at all, but also the storage of the data and what data is captured (for example, whether clips are taken from the footage, whether faces are blurred, etc.). The Guidelines stipulate that controllers must have taken (or at least considered) other measures before resorting to video surveillance. Examples the EDPB gives include fencing the property, installing regular patrols of security personnel, using gatekeepers, providing better lighting, installing security locks, tamper-proof windows and doors or applying anti-graffiti coating or foils to walls.
Thirdly, the EDPB Guidelines determine that there must be an existing issue that justifies processing personal data through video surveillance. Essentially, real-life threats or situations will or may dictate whether video surveillance may be used by a controller. Not only will controllers have to specify the purposes for processing data under GDPR, but controllers will also have to make a case for processing personal data using video surveillance before any processing takes place (for example, by showing that there have been previous robberies or by presenting statistics on crime in or around the area).
Especially criteria one and two above are a clear step up...