French data protection authority CNIL calls for caution in the use of smart and thermal cameras, due to the fact that certain proposed systems do not comply with the legal framework for the protection of personal data.
The preservation of anonymity in public spaces is an essential part of exercising personal freedoms like the right to privacy and the protection of personal data, freedom to come and go, freedom of expression and the right to demonstrate, etc. Capturing images of people in these public spaces undoubtedly carries the risk of hindering their fundamental rights and freedoms. The rampant deployment of surveillance devices would involve the systematic collection and analysis of data from individuals circulating in public spaces. There is the view that the massive deployment of these devices, systematically monitoring people, presents the risk of normalizing a feeling of surveillance among citizens, resulting in a modification – intended or suffered – of their behaviors. It can also lead to a phenomenon of addiction and trivialization of intrusive technologies, constant surveillance.
More generally, the specific use of smart cameras in the context of the current state of health crisis raises important issues. CNIL had previously called for democratic debates on new video uses in September 2018 and more specifically on facial recognition in November 2019. Regarding thermal imaging cameras, however, it should be noted that the health authorities questioned by CNIL expressed reservations about these devices. They pose the risk of not identifying infected people since some are asymptomatic and it can also be bypassed by taking antipyretic drugs (which reduce body temperature without treating the causes of fever).
The rights of individuals must be respected, including in the context of a health emergency.
The possible implementation of such surveillance systems must comply with the applicable legal framework (GDPR, French Data Protection Act,Data Protection Directive (EU) 2016/680 for Police and Criminal Justice Authorities ) and must also be accompanied by a commitment to preserve individual freedoms and particularly the right to privacy. It is for these reasons in particular that surveillance devices are subject to specific legislative framework in the Internal Security Code. CNIL recalls that the use of “smart” cameras, however, is not currently and specifically provided for in any text. Their usefulness, based on specific circumstances, could not be assessed or debated at a more than general level, by the organizations deciding to set them up.
The CNIL insists on the need to provide an adequate textual framework.
The CNIL insists on the need to provide an adequate textual framework, which is required when sensitive data is processed; or the right of objection cannot be applied in practice in public spaces. They also call for this framework to be applied to all the assurances that these smart camera devices must provide in terms of the GDPR – demonstration of their necessity and proportionality, limited retention period, pseudonymization or anonymization measures, lack of individual monitoring, etc.). In addition, the deployment of thermal cameras, which process health data (body temperature), should be given special attention.
The EDPB states; “For video surveillance based on legitimate interest (Article 6 (1) (f) GDPR) or for the necessity when carrying out a task in the public interest (Article 6 (1) (e) GDPR) the data subject has the right – at any time –to object, on grounds relating to his or her particular situation, to the processing in accordance.“ It also goes on to mention that unless the controller demonstrates compelling legitimate grounds that overrides the rights and interests of the data subject, the processing of data of the individual who objected must stop and requests from data subjects must be answered without undue delay or at the latest within one month.
A call for caution in the deployment of irregular devices.
The fight against the COVID-19 pandemic has led some parties to consider deploying smart cameras intended in particular to measure temperature, detect fevers or even ensure compliance with social distancing or wearing a mask. While CNIL recognises the legitimacy of the objective of flattening the curve of this global pandemic, they consider it necessary to warn that, based on a case-by-case analysis, it appears that most of these devices do not comply with the legal framework applicable to the protection of personal data.
When it comes to automated processing of personal data which falls under the GDPR, such devices most often result either in the processing of sensitive data without the consent of the parties concerned (in particular the temperature), or in the waiving of the data subject’s right to opposition. In both cases, these devices must then be subject to a specific regulatory framework, which will require officials to question the proportionality of the use of such devices and the necessary assurances.
