GDPR: CCTV, Video Surveillance & Facial Recognition
EU Guidance has recently been published on the processing of personal data and videos. In this article, we outline the rules, and offer some practical tips if you think you may be a data controller using CCTV or video surveillance technologies (including when using automated facial recognition technology).
CCTV and Facial Recognition
The chairman of the Metropolitan Police Service of London has recently applauded “fantastic” AI technology used in Chinese CCTV cameras and urged the United Kingdom to follow suit. The Chinese government has invested heavily in facial recognition and now uses it in the country’s huge network of CCTV cameras.
However, the technology used in China has not been without scandal, with some accusing the government of using it to racially target and discriminate against members of the population. Human Rights Watch has described the system as “China’s algorithms of repression”.
The Metropolitan Police have been conducting public tests of live facial recognition since August 2016. The technology scans every face in a crowd to pick out wanted individuals, and it is apparently hoped that it could be used in the future to catch criminals.
Recent guidance on personal data processing through video
The European Data Protection Board (EDPB), established just over a year ago along with the introduction of the General Data Protection Regulation (GDPR), has published guidelines on the processing of personal data on video devices. The guidelines cover not only CCTV, but also dash cams, private security cameras and personal cameras like the camera on your mobile phone.
The guidelines apply to video surveillance which involves personally identifiable information of a data subject - a person’s face, for example, or unique tattoos or birthmarks. It doesn’t strictly have to be a person: it could be a car registration plate, or ID documents. If a person sets up video surveillance where such personal data will be captured, they will be considered a data controller under the GDPR.
The guidelines explain that there must be a justified necessity for setting up video surveillance which could catch personally identifiable data.
Like all things under the GDPR, the level of risk will be balanced with the circumstances. For example, a shopkeeper who can prove that there is a high risk of violence to shop owners in their area will be able to prove that there is a justifiable reason for them to set up video surveillance.
The guidelines suggest considering whether there are possible alternatives to setting up video surveillance. So, if a business owner considers setting up video surveillance for their protection, they should first evaluate whether there are any alternative measures which could be implemented for security and which would be less intrusive on individuals’ right to privacy and data protection. Could the building be reinforced, or could security guards be hired?
If it is decided that cameras are necessary, they should only be set up in areas where surveillance is required - there is not a carte blanche right to film everywhere. This is the principle of data minimisation enshrined in the GDPR - only collecting data which is strictly necessary.
Users of CCTV should also consider whether the people that will be captured on camera would reasonably expect to be recorded in the circumstances. Evaluate this objectively: your employees probably don’t expect you to be filming them in the workplace!
This is not to say that video surveillance cannot happen in a place where someone might not expect it - however, it means that there should be greater transparency and information provided to ensure that the data subject is aware of the recording.
BUT - If you are in the UK, get ready for a new law…
A new Bill from the UK defines automatic facial recognition technology as any technology which can automatically detect and biometrically recognise facial images through data captured by still or moving image cameras. This applies whether the identification takes place at the time that data is captured or at a later time.
The UK Parliament has now announced that its Automated Facial Recognition Technology Bill has passed first reading in the House of Lords. The Bill aims to impose a moratorium (or temporary pause) on the use of automated facial recognition technology in “public places”, which must be done by users of such technology within 2 months of the law being passed.
Indeed, this Bill aims to make it an offence for a person to operate, install, or commission the operation of automated facial recognition technology capable of biometrically analysing those present in any public place in the UK, pending a report into the use of such technology which must be commissioned by the Secretary of State. Once commissioned, the report must have regard to:
the equality and human rights implications of the use of automated facial recognition technology
the data protection implications of the use of that technology
the quality and accuracy of the technology
the adequacy of the regulatory framework governing how data is or would be processed and shared between entities involved in the use of facial recognition
recommendations for addressing issues identified by the review, and
whether the moratorium imposed by the law should be lifted.
For now, the meaning of “public place” is drafted in a wide manner, and should be interpreted to mean a place to which the public has access, including where they have access in return for a payment, and the location of the facial recognition technology equipment is immaterial.
It is worth noting that the legislation is still at draft stage, and is not yet binding law. You can follow the progress of the Bill here. Nonetheless, once the Bill is enacted, the Secretary of State has 3 months within which to commission the report, which must then be finalized within a year.
This means that the moratorium is likely to remain in force for up to 15 months.
Whilst seemingly undesirable for developers and users of automated facial recognition technology in public places, we think that the initiative by the UK Parliament is to be praised, since the outcome of the report will provide much welcomed certainty in this area - the aim of privacy laws should not be to hinder innovation, but we do need to balance individual privacy rights in what is quite an invasive processing technique.
Practical advice
Those using video surveillance, CCTV and automated facial recognition technology should create a privacy policy similar to ones that website providers must produce, which sets out:
a warning that video surveillance is taking place;
why the recording is taking place;
the identity of the controller;
the rights that the data subject has in relation to their personal data;
the contact details of the person responsible for the data - such as a DPO;
where the data subject can find more information on their rights;
if you use automated facial recognition technology, ensure that you have proper consents and information notices in place where required;
if you are based in the UK in particular and use automated facial recognition technology in public places through CCTV or still images - follow the progress of the Bill and prepare to bring such activities to an end within the required timeframe; and
even if you are not based in the UK, monitor the latest news from the UK Parliament to see if you can align practices and recommendations in your own country.
Advances in technology make it more important than ever for data controllers to be wary of their use of CCTV and the technology they are employing. It is good practice to apply additional features in cameras that promote privacy, such as scrambling areas in the camera’s range which are not required, or manually editing out images of third persons if any data subjects request a copy of the footage.
Conversely, technological functions which are not strictly necessary should be avoided or deactivated, such as zoom capability, audio recording, or unlimited camera movement.
Whether you are planning on installing a new system, have used CCTV surveillance for decades, or are considering implementing automated facial recognition technology, these guidelines apply to everyone and should not be taken lightly!
If you think you may be a data controller utilising CCTV or conducting other forms of video surveillance, especially if you are using automated facial recognition technology, or if you have any other data protection or legal queries, please don’t hesitate to get in contact.
Article by Lily Morrison and Charlotte Gerrish @ Gerrish Legal, November 2019