The use of CCTV cameras is increasingly popular, especially for security reasons. However, such surveillance practices must be balanced against the privacy rights of those subject to the surveillance. While CCTV operators generally rely on a legitimate interest to interfere with the data subjects’ privacy rights, the Court of Justice of the European Union (CJEU) has now finally assessed criteria on how to use surveillance cameras in times of stricter data protection regulations.
CCTV and the CJEU judgement
As video-surveillance footage often contains images of people that allow those people to be identified (directly or indirectly), it qualifies as personal data. While CCTV cameras prove to be a powerful tool used in the interest of the public and of security, they do intrude on individual privacy rights. Therefore, in a recent decision, the CJEU was asked to consider whether the processing carried out by CCTV cameras was necessary for and proportionate to the legitimate interests pursued by the controller. The judgement provides companies with a line of reasoning for a justified interest in interfering with privacy rights.
In the case of TK v Asociaţia de Proprietari bloc M5A-Scara, the CJEU reiterates that the use of a surveillance camera that allows person-identifying data, such as images, to be recorded and stored is characterised as the automatic processing of personal data. Given the date of the facts of the proceedings, the previous EU data protection regime (Data Protection Directive (95/47)) was applied in the case. The CJEU’s reasoning in this case is still significantly relevant for the interpretation of the General Data Protection Regulation (“GDPR”) (Regulation (EU) 2016/679) because, in general terms, similar reasoning and conclusions would apply to the privacy principles.
In this case, the CJEU’s reasoning still gives a clear direction for how the use of surveillance cameras should be interpreted from a data protection point of view. In particular, the CJEU examines how the data subject’s fundamental rights and freedoms balance against the legitimate interest of the operators of CCTV cameras. This balancing of opposing interests always depends on the individual circumstances of the case and the context that must be considered when regarding the data subject’s rights. Thus, companies should individually assess the necessity of placing each specific CCTV camera.
In particular, the CJEU pointed out that for the use of CCTV cameras, there must be a present and active interest. Accordingly, the use of surveillance devices for no real purpose cannot justify an intrusion into the right to privacy. In the case before the CJEU, previous instances of theft and vandalism amounted to such a present and active interest to put the area under surveillance. Furthermore, the CJEU re-emphasised that the reason for monitoring requires the processing of personal data only as far as is “strictly necessary”. Consequently, there must be no other less intrusive means available to achieve the respective interest effectively. Due to the “data minimisation” principle, operators of surveillance cameras should assess whether the devices must necessarily record at all times or if there are less intrusive means, such as recording only at certain times of day.
In practice, in carrying out the balancing exercise, several factors should be considered. Above all, one should account for the nature of the data (e.g. whether it concerns sensitive data), the methods of processing, who has access to the data, who the data subjects are (e.g. minors) and the data subjects’ reasonable expectations of their data being processed.
Companies using CCTV cameras
The CJEU judgement provides guidance for assessing the legitimacy of surveillance practices. Presuming that video surveillance cameras are necessary to protect a legitimate interest, companies wishing to use CCTV cameras must still inform data subjects of the processing of their data, as required under Article 13 GDPR. In this context, the European Data Protection Board (EDPB) recommends a notification sign telling data subjects about the controller (and possibly providing information about the data protection officer) and the purpose, legal basis and length of time for which the footage is kept and by whom. Additionally, a sign should also provide data subjects with information about their rights under the GDPR. While informational bullets on the sign are sufficient, it is perfectly acceptable to reference a website or link to the information; however, information signs must be easily found by individuals.
Furthermore, UK companies should seek further advice on the application of the GDPR in the Information Commissioner’s Office (ICO) guidance.
Recommendations for companies
Companies that wish to use CCTV cameras are advised to balance their interest in processing personal data by using surveillance cameras against the data subjects’ privacy interests. In doing so, and in line with data minimisation obligations, companies should particularly consider whether a limited use of the cameras, for instance at night time only, would also fulfil the desired legitimate interest.
If any less intrusive means than camera surveillance are available, proportionate and equally effective, companies are advised to resort to such alternatives. In its guidance on video surveillance, the EDPB suggests possible alternative security measures. For instance, options include fencing the property, installing regular patrols of security personnel, using gatekeepers, providing better lighting, installing security locks, tamper-proof windows and doors, and so on. Those measures can be as effective as video surveillance against theft and vandalism while being less intrusive on personal privacy rights.
In summary, companies should consider these questions:
- Which legal basis allows me to use video surveillance?
- Is there a real necessity to have video surveillance in place?
- Are there any specific risk factors, such as sensitive data or the data of minors?
- Are the information and transparency obligations sufficiently fulfilled?
- For how long is the data stored and is it necessary to store the data for this amount of time?
- Should a Data Protection Impact Assessment be performed?