Concerns over individuals’ right to privacy outweigh capturing footage by dashcam or helmet camera to provide evidence in the event of a road traffic collision, according to the independent body set up by the European Union last year to police the General Data Protection Regulation (GDPR).
That’s one of the draft guidelines adopted last week by the European Data Protection Board (EDPB) after it examined the “intensive use of video devices” whether for surveillance, marketing, monitoring employee performance or other purposes, warning that “data protection implications are massive.”
But writing on Twitter yesterday, Neil Brown, a telecoms, tech and internet lawyer who runs the law firm Decode Legal, warned that guidelines have profound implications for people using dashcams or action cameras, which have become hugely popular in recent years.
He wrote: “Got a dashcam or helmet cam, to collect evidence in case of an accident? According to new (draft) guidance, you must ensure it is “not constantly recording”. You also need to tell everyone who gets recorded that you are doing so. Good luck.”
He added to his tweet a screenshot of the following example given in the EDPB’s Guidelines 3/2019 on processing of personal data through video devices, adopted on 10 July 2019 and published as a “Version for public consultation.”
Example: If a dash cam is installed (eg for the purpose of collecting evidence in case of an accident), it is important to ensure that this camera is not constantly recording traffic, as well as persons who are near a road. Otherwise the interest in having video recordings as evidence in the more theoretical case of a road accident cannot justify this serious interference with data subject’s rights.
Helmet and handlebar mounted cameras have proven hugely popular with cyclists in recent years and often used not only to ensure that footage is captured in the event of a collision, but also to highlight instances of poor driving such as close passes, as our Near Miss of the Day series attests.
A number of police forces are willing to accept such video footage and often take action against the driver concerned including referring the case to prosecutors if deemed appropriate.
The EDPB is inviting comments on its draft guidelines, and its consultation is open until 9 September 2019.
While the draft guidelines do not have the force of law in themselves, the EDPB says they are designed to “clarify how the GDPR applies to the processing of personal data when using video devices and aim to ensure the consistent application of the GDPR in this regard.”
In other words, the draft guidelines are designed to sit alongside the GDPR, and if not adhered to could perhaps give rise to a legal challenge about the admissibility of evidence gathered on video by a private individual.
With the Metropolitan Police, for example, requiring that video evidence of, say, a close pass, show the recording from two minutes before to two minutes after the incident, would that fall foul of the stipulation not to record continuously, as well as failing to obtain consent from any people who could be identified in the footage (whether the alleged perpetrator or a passing pedestrian, for example)?
Likewise, there are strict guidelines on the use of and positioning of CCTV cameras.
Take the recent Swain’s Lane hit and run case, where a cyclist left seriously injured managed to track down footage of the incident and presented it to police, resulting in a successful prosecution; the camera angle, with the collision happening across the road from the premises the CCTV was protecting, appears to go beyond what is permitted by the guidelines. See the following example from the draft guidelines.
Example: A bookshop wants to protect its premises against vandalism. In general, cameras should only be filming the premises itself because it is not necessary to watch neighbouring premises or public areas in the surrounding of the bookshop premises for that purpose.
Ultimately, of course, the implications for people in the UK may depend on what happens with Brexit.
However, according to UK regulator the Information Commissioner’s Office (ICO), “As a European Regulation, [the GDPR] has direct effect in UK law and automatically applies in the UK until we leave the EU (or until the end of any agreed transition period, if we leave with a deal). After this date, it will form part of UK law under the European Union (Withdrawal) Act 2018, with some technical changes to make it work effectively in a UK context.”
The ICO adds that the Data Protection Act 2018, which like the GDPR came into effect on 25 May 2018 and replaced the Data Protection Act 1998, “sits alongside the GDPR, and tailors how the GDPR applies in the UK - for example by providing exemptions.
“It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers.”
Under the draft guidelines, uploading a video to the internet without obtaining the subject’s consent is also beyond the scope of what is permitted under the GDPR.
The draft guidelines do contain, however, a “household exemption,” giving the following example, among others.
Example: A downhill mountainbiker wants to record her descent with an actioncam. She is riding in a remote area and only plans to use the recordings for her personal entertainment at home. This would fall under the household exemption.
No need for every cyclist to consign their action camera to the attic just yet, then …
Add new comment
44 comments
CCTV recording us all over the place & they come up with this B.S.?
Just wear a Shirt/Cycling top with "You're being recorded" if that makes them happy.
There is understandably a lot of misunderstanding about GDPR, and I don't profess to get it all myself, but the key principles are that personal data (information which identifies a living individual) must be:
1. processed lawfully, fairly and transparently
2. collected for specified and legitimate purposes
3. relevant and limited to the purpose for which it is being collected
4. accurate and kept up to date
5. kept for no longer than necessary
6. processed in a way that ensures security of personal data
It can apply to an individual collecting data, not just organisations - e.g. the ICO has guidance on domestic CCTV recordings (some of which is helpful by analogy to using a headcam) - https://ico.org.uk/your-data-matters/domestic-cctv-systems-guidance-for-...
EDIT: Oh, and re: Brexit (a) the Data Protection Act 2018 (which supplements GDPR) is already UK law; and (b) the government plans to incorporate the remainder of GDPR into UK law. There has been a huge legislative exercise over the last few years to ensure that existing EU law is incorporated into UK law when we leave the EU.
I can't make head-nor-tail of this.
Does it or does it not only apply to corporations/state bodies?
And where does this leave journalism?
"Under the draft guidelines, uploading a video to the internet without obtaining the subject’s consent is also beyond the scope of what is permitted under the GDPR."
So if someone videos a Rodney King situation, where the cops say beat someone up, or, like a few cases in the US, shoots someone without justification, they can't show it to the public unless the cops involved give their consent?
So much the EU does is completely opaque.
I'm pretty sure journalism would also be covered as a suitable reason for collecting data.
The general idea is that you should have a specific purpose to capture the data (not just gathering it because you can) and that you only use the data for that specific purpose.
With the Rodney King situation, the individuals involved could complain about their privacy being infringed upon, but there would be a clear legal reason to keep the footage (e.g. identifying criminal brutality amongst the police).
I would argue that the GDPR introduces transparency to a lot of processes as you now have the right to see what data that companies are collecting about you, the reasons why and the right to challenge incorrect data and/or have it deleted.
1. This is a draft guideline and so is not guaranteed to come into force. It will have to be fought because of its unintended consequences.
2. Mr Loophole is reaching for the tin of Glee. Victims are now going to struggle to get video enterred as admissible in court. Even before this comes into force we are going to have Magistrates and Judges not admmitting video on the off chance that their decision will be overturned at a later date.
3. Biased Police Officers reviewing submitted evidence are even more likely to throw out videos submitted.
If we are not careful this could become a bad day. Anyone else feel the hand of the motoring lobbies?
wow, what a storm in a teacup!
The spirit behind the proposed draft is only to ensure that recordings, when presented as evidence to security or judiciary authorities, preserve the identity of persons who have nothing to do with a particular incident.
We've probably got to make clear that GDPR applies to companies and public administration bodies primarily - other privacy laws apply to individuals, including national laws.
That said, we've also got to remember that the primary scope of a camera is to record a live action. These "safety" cameras (a good way to generate revenue out from a device which is in its simplest form just an action camera with good resolution) are not different in their use and considerations to privacy as any other device (a mobile phone for example) when used by an individual in relation to, for instance, the recording of an incident.
Privacy is a must. No ifs, no buts, no maybes.
The idea behind "non continuous recording" is purely to preserve the identity of individuals. But that in itself doesn't preclude an individual to record live from their phones for example. A violation of privacy laws is committed when these recordings are made public only (having a video of a party with your mates at the pub is not a violation of privacy even if consent hasn't been specifically obtained - if someone had a problem being on video they would have had their opportunity to make it to be noted by the "camera man" and their grievance would have been resolved.
To be honest, I'm among the unhappy ones when I see someone with a camera stuck to their helmets filming me.
At present there is, in any case, technology to a certain state of advancement which could be used to achieve the same objective. I can mention two at least:
1) recordings activated by events or distance
2) software which could be used to blur faces and number plates
So, a message to the technology providers: Get on with it.
Is this legislation yet or just draft guidelines that will be bashed and honed into legislation that will not look much different from current legislation? I think I'll wait until it become law before getting too excited.
Eventually will make it into an EU Guideline (a supplement to the respective EU Directive).
Guidelines do not replace Directives.
Surely for those of us running GoPros or Cycliq cameras that record max 2/3 hours before being loop recorded over, this is fine? Unless there are psychos out there that download all the footage of all their rides and keep them forever?
The article states also that the dashcam would be within this, and what about the Tesla Sentry cam (and others) - that can record when no-one is in the vehicle? I would hope that with the GDPR approach - it is all about handling, processing. Does that mean we might need to have a sticker on the helmet stating "Camera in use" etc. Oops really must put one up for my Ring Doorbell. (Own goal there)
This regulation surely scuppers the new Police " Face Recognition" programmes that are set to come into force ??????
No. See, this is a common misconception about GDPR.
The security forces have a purpose, where they need to use that technology in order to safeguard the security of individuals. If they misuse it, they'd be breaking the law.
In other words, in general you must have a purpose before revealing the identity of an individual to the public domain. If you haven't got such purpose then you are breaking the law.
By the way, you in the United Kingdom have an already blatant breach of GDPR in front of your eyes: Go and visit the Companies House website and you'll find names, addresses and all sort of information to identify persons.
Companies House responded that these individuals are directors or persons with significant control over companies as a reason for not backing down from this breach of GDPR. In reality, they could and should comply with the requirements of UK law and GDPR at the same time:
- They could make the website accessible only by having the requestor to be logged and declare their purpose,
- They don't necessarily (or they shouldn't) show the details of directors and persons with significant control over public or private companies in the UK, they should/could only show the ones for which a "meaningful purpose" would exist, i.e. only individuals with a court indictment against them (which by the way are not shown on the website!)
To be fair with Companies House, not many of the listed 'people' are necessarily real people. They do exactly zero checks to determine whether the owner is actually a real person.
From:
https://www.theguardian.com/world/2019/jul/05/how-britain-can-help-you-get-away-with-stealing-millions-a-five-step-guide
doesn’t really matter - one is one too many.
incidentally the ones who fall under the fraudsters are the legit. If Companies House doesn’t have any meaningful way to verify their own information then the website needs to go as there is no meaningful purpose to show all that information to the open public
Companies House has a clear purpose - make it look like everything is above board and yet allow an obscene amount of money laundering.
It reminds me of the spectacular fallout from the Panama Papers - oh wait, everyone got distracted by Brexit, didn't they?
Well? Why shouldn't the Crash Test Dummies hold company directorships?
I think they'd need to make some pretty huge changes to the Companies Act if they were to restrict access to that information and not make it publicly available.
UK company law says yes you can set up a company and be granted all sorts of limited liability, and in return you have to make some information about yourself publicly available.
Less than used to - the current registers don't necessarily show your usual residential address, and they don't show your day of birth (only month and year).
It means that - in theory - people involved in a UK limited company can be independently searched/verified, unlike in many (other ?) "tax haven" jurisdictions...
The Germans already can't show people faces in their Youtube footage. On a motorbike idiots channel I watch, the German's always have to pixelate those they're arguing with.
Personally I think we should have never developed beyond about 2008, when digital cameras were good enough to replace film but phones didn't have the 4k snapchat dog face filters and the like. It's been the downfall of normality and the rise of narcissism ever since. Boo technology.
So how does Google Streetview comply with this draft guidance? It can’t, surely.
It blurs out faces, house numbers and number plates.
Anybody can object to their house being seen on streetview and google has to take it out. Germans are paranoid, millions objected and google had to fuzz out the building in question. Bad press convinced people that gangs of thieves would be able to surf the net looking for suitable premises to rob!
5 minutes isn't enough when some forces require 2 minutes before and 2 minutes after.
What if you have another incident on the same journey - swap out the card?
Not many helmet/dash cams actually recording continuously though? Hardly any will be recording for the majority of the day when the car/bike is not on the road I would have thought?
motion activated cameras will be recording while a car is parked
Recording is one thing, storing and processing quite another. We certainly do need strong protections in place to prevent large datasets of private vehicle (or individuals by face / biometric recognition technologies) locations and movements being retained and mined for big corp benefit or unwarranted government surveillance.
Non continuous recording? What does that even mean? Skip a frame every now and again? Only turn it on 2 minutes before you are going to crash? Automatically turns off after 2 minutes and you have to turn it on again? What has been lost in translation between the thinking behind this idea and what got written down?
One thing that might change is the current freedom to upload video of other people without getting their permission. Whilst I enjoy the sight of a gammon getting roasted as much as anyone, is it fair or responsible?
I know that the first thing that I’d do after having an accident is remember to press a button to stop something recording over the footage of the accident.
Hmm, as this is ‘guidance’ I’m not sure how enforceable it is.
Check out para 102. It gives you the right to be forgotten, the example is, you go to the supermarket, then ask them to delete any video of you from their system. They then have 1 month to comply. I guess a cctv system with a 30 day retention would fulfil that. But who's checking?!
Inevitably these cameras are going to switch from memory card storage to streaming footage to corporate-owned cloud storage. It is appropriate that the consequences of such devices be considered.
This is mostly a non-story.
For most of us, the GDPR is irrelevant as it only applies to companies/organisations, so if you've got a helmet/dash cam on your private bike/car it doesn't apply at all (in the same way that you don't need to seek permission if recording a video or picture in public).
What I'd imagine the EDPB are seeking to stop here is dash cams that run non-stop so create huge logs of the locations of people captured on those films. For companies with a fleet of vehicles, or more likely the providers of dashcams that have cloud backup that data could prove saleable/hackable and could be large scale privacy concern.
The EDPB should be applauded for outlawing that sort of data capture, it's exactly the sort of thing the GDPR is supposed to do and speaks well of how the new regs have been drafted that they can be applied to this scenario without needing to be revised.
I imagine the 5 min looping of most dash cams will prove to be acceptable to the EDPB for allowing dash cams to be continued to be used by companies as that removes the collection of large, searchable sets of individual's locations - as long as those recordings aren't being cached and processed in the cloud.
Pages