Smart cameras and privacy: the right balance?

Legal Watch No. 33 – March 2021

Smart cameras and privacy: the right balance?. Since March, cameras installed in public transport are intended to verify that users are complying with mask wearing. These measures are part of the arsenal deployed to stop the spread of the Covid-19 epidemic.

Numerous surveillance measures adopted in recent months (anti-Covid applications, employee testing, drones, vaccine passports, etc.) have sparked debate and reactions, both from the CNIL and within parliamentary bodies or before the courts.

The control system mentioned here, on the other hand, passed without a hitch under the yoke of the Data Protection Commission, and the reasons are simple: Unlike the video surveillance systems developed in 2020 which collected a lot of personal data, and which it had interrupted, these process the strict minimum of data necessary to verify that masks are being worn.

More specifically, the system does not process biometric data or implement facial recognition, and the data is not used to prosecute offenses.

The primary goal is to produce statistical information and tailor public awareness.

These guarantees are all the more important since any video surveillance device constitutes an infringement of fundamental rights, and the persons concerned are rarely able to oppose the processing.

In this regard, the CNIL has considered in the past that shaking one's head "no" in front of a camera could not be considered a realistic and sufficient means of opposition.

Due to these violations, smart camera systems must be regulated by law, which was the case with the decree published on March 10 concerning the wearing of masks in public transport.

The guarantees provided by the decree, as well as the objectives of public health and the protection of individuals, appear sufficient to the CNIL to justify a limitation of the right to privacy, and in particular to set aside the right to object.

The Commission, however, underlines the danger of addiction individuals given the increase in current surveillance measures.

She therefore insists on thedetailed information people and over a period of use of the device limited in time and directly linked to the context of the epidemic.

And also

France:

• Destruction of personal data : the CNIL reminds, on the occasion of the fire which destroyed an OVH data center on March 10, the steps to be taken by the data controller with the persons concerned.

It specifies that the unavailability and destruction of data constitute data breaches within the meaning of the GDPR, which must be notified to it under certain conditions.

The CNIL also refers to the website cybermalveillance.gouv.fr which provides advice on how to manage such incidents.

• The CNIL has also published its control priorities for 2021These include issues of website cybersecurity, health data security, and the use of cookies, all highly topical topics.

Let us recall that the CNIL has updated its guidelines on cookies, and that in April it will begin an extensive audit of their collection conditions.

• Data transfers outside the European Union: The Council of State decided on March 12 not to suspend the partnership between the Ministry of Health and Doctolib in the context of the current vaccination campaign, despite the risks cited by the American authorities of access to data, Doctolib having partial recourse to an American subsidiary of Amazon for data hosting.

The Council of State is satisfied, in particular, in the case of requests for access by an American authority, of the existence of a specific procedure which provides for the contestation of any general request or one which does not comply with European regulations.

The hosted data is further secured through an encryption procedure based on a trusted third party located in France in order to prevent the data from being read by third parties.

• Professional data : On March 9, the Paris court refused to grant a dentist's request to have his profile and reviews removed from Google My Business.

The court confirms the personal nature of this data but considers that the balance of rights leans in favor of freedom of expression and information for Google and Internet users, by providing information relating to the practice of the dentist's profession and the experiences of the patients concerned.

• In a similar context, the Court of Cassation, in a judgment of 17 February, insisted on the need for this balancing of the rights and interests at stake, concerning the publication on the Internet of a criminal conviction linked to the complainant's professional activity.

The fact that this information is public and of a professional nature does not imply that it can be published on the Internet without prior verification of the invasion of the complainant's privacy.

The balancing of the rights and interests at stake must take into account the possible "contribution of the incriminated publication to a debate of general interest, the notoriety of the person concerned, the subject of the report, the previous conduct of the person concerned, the content, form and repercussions of said publication".

In this case, the Court considers that this balancing was not carried out and refers the parties to the Court of Appeal.

Europe:

• The GDPR, two years later: 

On March 25, the European Parliament adopted a Resolution on the European Commission's evaluation report on the implementation of the GDPR.

It supports the need to pursue this implementation more effectively, particularly in the context of coordinated actions by European supervisory authorities.

In this regard, we note the recent spats between the German authority and the Irish data protection authority, the latter being accused of not sufficiently controlling the "big techs" established on its territory.

The European Parliament identifies as priorities the issues related to data processing carried out by the main platforms and digital services, in particular in the area of online advertising, micro-targeting, profiling based on algorithms and the risks related to the dissemination and amplification of information on networks.

It also appears essential to develop tools for a wider audience, particularly VSEs and SMEs, as highlighted by the European Data Protection Board (EDPB) in its 2021-2022 work programme. It should be noted that Belgium has just published a series of practical tools for small and medium-sized enterprises to this end.

• Europe: Adoption of two documents by the EDPB:

Concerning on the one hand the issues of data protection concerning the connected cars, and on the other hand the voice assistants.

• Belgium:  

As part of a new publication, the Free University of Brussels is organizing an online event on April 22 on " the society of algorithms : technology, power and knowledge”. Registration is open on the university website.

International :

• UNITED STATES :

In addition to the bills currently being adopted in several states, a text has just been presented to the American parliament at the federal level, under the name "Information Transparency and Personal Data Control Act (ITPDCA)".

This law provides in particular the conditions under which consumers must be able to consent to or object to the processing of their data, the transparency of transfers to third parties, and the obligation to submit their processing to regular audits.

The Federal Trade Commission would be responsible for overseeing compliance with the law.

• Korea:

A data protection adequacy procedure is being concluded, which will facilitate data exchanges between Korea and the European Union. The Commission's conclusions will soon be submitted to the European Data Protection Board for its opinion.

• UN:

The UN Special Rapporteur on Privacy, Joseph Cannataci – whose mandate is coming to an end – has just published a report on artificial intelligence and children's privacy.

• GAFA:

Google announces that it is ending the use of cookies for a new data collection model – Federated Learning of Cohorts (FLoC), which targets groups rather than individuals, based on common interests.

This announcement has sparked various reactions, with some pointing out that the new collection system, while changing the techniques used, will not prevent advertising targeting Internet users.

Data on over 500 million accounts Facebook, including the phone numbers of many users, were put up for sale online over the Easter weekend. The data is believed to have come from a security flaw discovered and patched in 2019. 

Anne Christine Lacoste

Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.