Video surveillance and analysis entail heightened risks for data subjects’ rights.
The European Data Protection Board (EDPB) explains that video surveillance affects citizens’ behavior and should only be used when there are no other means to achieve the same purpose. “Video surveillance measures should only be chosen if the purpose of the processing could not reasonably be fulfilled by other means which are less intrusive to the fundamental rights and freedoms of the data subject”.
Biometric data vs. personal data as defined in the GDPR
To qualify as biometric data as defined in the GDPR, processing of raw data, such as the physical, physiological or behavioural characteristics of a natural person, must imply a measurement of these characteristics. The video footage of an individual cannot, however, in itself be considered biometric data.
For the processing to be considered processing of special categories of personal data (Article 9), the biometric data must be processed “for the purpose of uniquely identifying a natural person”.
Several criteria must be taken into consideration:
Nature of data: data relating to physical, physiological or behavioural characteristics of a natural person,
Means and way of processing: data “resulting from a specific technical processing”,
Purpose of processing: data must be used for the purpose of uniquely identifying a natural person.
Category identification and template creation are not considered personal identification
When the purpose of the processing is, for example, to distinguish one category of people from another but not to uniquely identify anyone, the processing does not fall under Article 9.
The document explains that Article 9 applies if the controller stores biometric data in order to uniquely identify a person. This storage most commonly takes the form of templates, which are created by extracting key features from the raw form of biometric data (e.g. facial measurements from an image).
Suggested measures to minimize the risks when processing biometric data
Data controllers must ensure that data extracted from a digital image to build a template will not be excessive and will only contain the information required for the specified purpose.
The data controller must consider the most appropriate location for storage of the data. In an environment under control (delimited hallways or checkpoints), templates shall be stored on an individual device kept by the user and under his or her sole control (in a smartphone or the ID card).
If the storage is done in a centralized database, the data controller must use an encrypted form with a key/secret solely in the hands of the person to prevent unauthorised access to the template or storage location.
The document also provides a list of complementary “precautions”. In addition, data controllers should delete raw data (face images, speech signals, the gait, etc.) and ensure the effectiveness of this deletion.